Tech-invite3GPPspecsGlossariesIETFRFCsGroupsSIPABNFsWorld Map

RFC 7049


Concise Binary Object Representation (CBOR)

Part 2 of 3, p. 20 to 39
Prev RFC Part       Next RFC Part


prevText      Top      Up      ToC       Page 20 
3.  Creating CBOR-Based Protocols

   Data formats such as CBOR are often used in environments where there
   is no format negotiation.  A specific design goal of CBOR is to not
   need any included or assumed schema: a decoder can take a CBOR item
   and decode it with no other knowledge.

   Of course, in real-world implementations, the encoder and the decoder
   will have a shared view of what should be in a CBOR data item.  For
   example, an agreed-to format might be "the item is an array whose
   first value is a UTF-8 string, second value is an integer, and
   subsequent values are zero or more floating-point numbers" or "the
   item is a map that has byte strings for keys and contains at least
   one pair whose key is 0xab01".

   This specification puts no restrictions on CBOR-based protocols.  An
   encoder can be capable of encoding as many or as few types of values
   as is required by the protocol in which it is used; a decoder can be
   capable of understanding as many or as few types of values as is
   required by the protocols in which it is used.  This lack of
   restrictions allows CBOR to be used in extremely constrained

   This section discusses some considerations in creating CBOR-based
   protocols.  It is advisory only and explicitly excludes any language
   from RFC 2119 other than words that could be interpreted as "MAY" in
   the sense of RFC 2119.

3.1.  CBOR in Streaming Applications

   In a streaming application, a data stream may be composed of a
   sequence of CBOR data items concatenated back-to-back.  In such an
   environment, the decoder immediately begins decoding a new data item
   if data is found after the end of a previous data item.

   Not all of the bytes making up a data item may be immediately
   available to the decoder; some decoders will buffer additional data
   until a complete data item can be presented to the application.
   Other decoders can present partial information about a top-level data
   item to an application, such as the nested data items that could
   already be decoded, or even parts of a byte string that hasn't
   completely arrived yet.

Top      Up      ToC       Page 21 
   Note that some applications and protocols will not want to use
   indefinite-length encoding.  Using indefinite-length encoding allows
   an encoder to not need to marshal all the data for counting, but it
   requires a decoder to allocate increasing amounts of memory while
   waiting for the end of the item.  This might be fine for some
   applications but not others.

3.2.  Generic Encoders and Decoders

   A generic CBOR decoder can decode all well-formed CBOR data and
   present them to an application.  CBOR data is well-formed if it uses
   the initial bytes, as well as the byte strings and/or data items that
   are implied by their values, in the manner defined by CBOR, and no
   extraneous data follows (Appendix C).

   Even though CBOR attempts to minimize these cases, not all well-
   formed CBOR data is valid: for example, the format excludes simple
   values below 32 that are encoded with an extension byte.  Also,
   specific tags may make semantic constraints that may be violated,
   such as by including a tag in a bignum tag or by following a byte
   string within a date tag.  Finally, the data may be invalid, such as
   invalid UTF-8 strings or date strings that do not conform to
   [RFC3339].  There is no requirement that generic encoders and
   decoders make unnatural choices for their application interface to
   enable the processing of invalid data.  Generic encoders and decoders
   are expected to forward simple values and tags even if their specific
   codepoints are not registered at the time the encoder/decoder is
   written (Section 3.5).

   Generic decoders provide ways to present well-formed CBOR values,
   both valid and invalid, to an application.  The diagnostic notation
   (Section 6) may be used to present well-formed CBOR values to humans.

   Generic encoders provide an application interface that allows the
   application to specify any well-formed value, including simple values
   and tags unknown to the encoder.

3.3.  Syntax Errors

   A decoder encountering a CBOR data item that is not well-formed
   generally can choose to completely fail the decoding (issue an error
   and/or stop processing altogether), substitute the problematic data
   and data items using a decoder-specific convention that clearly
   indicates there has been a problem, or take some other action.

Top      Up      ToC       Page 22 
3.3.1.  Incomplete CBOR Data Items

   The representation of a CBOR data item has a specific length,
   determined by its initial bytes and by the structure of any data
   items enclosed in the data items.  If less data is available, this
   can be treated as a syntax error.  A decoder may also implement
   incremental parsing, that is, decode the data item as far as it is
   available and present the data found so far (such as in an event-
   based interface), with the option of continuing the decoding once
   further data is available.

   Examples of incomplete data items include:

   o  A decoder expects a certain number of array or map entries but
      instead encounters the end of the data.

   o  A decoder processes what it expects to be the last pair in a map
      and comes to the end of the data.

   o  A decoder has just seen a tag and then encounters the end of the

   o  A decoder has seen the beginning of an indefinite-length item but
      encounters the end of the data before it sees the "break" stop

3.3.2.  Malformed Indefinite-Length Items

   Examples of malformed indefinite-length data items include:

   o  Within an indefinite-length byte string or text, a decoder finds
      an item that is not of the appropriate major type before it finds
      the "break" stop code.

   o  Within an indefinite-length map, a decoder encounters the "break"
      stop code immediately after reading a key (the value is missing).

   Another error is finding a "break" stop code at a point in the data
   where there is no immediately enclosing (unclosed) indefinite-length

Top      Up      ToC       Page 23 
3.3.3.  Unknown Additional Information Values

   At the time of writing, some additional information values are
   unassigned and reserved for future versions of this document (see
   Section 5.2).  Since the overall syntax for these additional
   information values is not yet defined, a decoder that sees an
   additional information value that it does not understand cannot
   continue parsing.

3.4.  Other Decoding Errors

   A CBOR data item may be syntactically well-formed but present a
   problem with interpreting the data encoded in it in the CBOR data
   model.  Generally speaking, a decoder that finds a data item with
   such a problem might issue a warning, might stop processing
   altogether, might handle the error and make the problematic value
   available to the application as such, or take some other type of

   Such problems might include:

   Duplicate keys in a map:  Generic decoders (Section 3.2) make data
      available to applications using the native CBOR data model.  That
      data model includes maps (key-value mappings with unique keys),
      not multimaps (key-value mappings where multiple entries can have
      the same key).  Thus, a generic decoder that gets a CBOR map item
      that has duplicate keys will decode to a map with only one
      instance of that key, or it might stop processing altogether.  On
      the other hand, a "streaming decoder" may not even be able to
      notice (Section 3.7).

   Inadmissible type on the value following a tag:  Tags (Section 2.4)
      specify what type of data item is supposed to follow the tag; for
      example, the tags for positive or negative bignums are supposed to
      be put on byte strings.  A decoder that decodes the tagged data
      item into a native representation (a native big integer in this
      example) is expected to check the type of the data item being
      tagged.  Even decoders that don't have such native representations
      available in their environment may perform the check on those tags
      known to them and react appropriately.

   Invalid UTF-8 string:  A decoder might or might not want to verify
      that the sequence of bytes in a UTF-8 string (major type 3) is
      actually valid UTF-8 and react appropriately.

Top      Up      ToC       Page 24 
3.5.  Handling Unknown Simple Values and Tags

   A decoder that comes across a simple value (Section 2.3) that it does
   not recognize, such as a value that was added to the IANA registry
   after the decoder was deployed or a value that the decoder chose not
   to implement, might issue a warning, might stop processing
   altogether, might handle the error by making the unknown value
   available to the application as such (as is expected of generic
   decoders), or take some other type of action.

   A decoder that comes across a tag (Section 2.4) that it does not
   recognize, such as a tag that was added to the IANA registry after
   the decoder was deployed or a tag that the decoder chose not to
   implement, might issue a warning, might stop processing altogether,
   might handle the error and present the unknown tag value together
   with the contained data item to the application (as is expected of
   generic decoders), might ignore the tag and simply present the
   contained data item only to the application, or take some other type
   of action.

3.6.  Numbers

   For the purposes of this specification, all number representations
   for the same numeric value are equivalent.  This means that an
   encoder can encode a floating-point value of 0.0 as the integer 0.
   It, however, also means that an application that expects to find
   integer values only might find floating-point values if the encoder
   decides these are desirable, such as when the floating-point value is
   more compact than a 64-bit integer.

   An application or protocol that uses CBOR might restrict the
   representations of numbers.  For instance, a protocol that only deals
   with integers might say that floating-point numbers may not be used
   and that decoders of that protocol do not need to be able to handle
   floating-point numbers.  Similarly, a protocol or application that
   uses CBOR might say that decoders need to be able to handle either
   type of number.

   CBOR-based protocols should take into account that different language
   environments pose different restrictions on the range and precision
   of numbers that are representable.  For example, the JavaScript
   number system treats all numbers as floating point, which may result
   in silent loss of precision in decoding integers with more than 53
   significant bits.  A protocol that uses numbers should define its
   expectations on the handling of non-trivial numbers in decoders and
   receiving applications.

Top      Up      ToC       Page 25 
   A CBOR-based protocol that includes floating-point numbers can
   restrict which of the three formats (half-precision, single-
   precision, and double-precision) are to be supported.  For an
   integer-only application, a protocol may want to completely exclude
   the use of floating-point values.

   A CBOR-based protocol designed for compactness may want to exclude
   specific integer encodings that are longer than necessary for the
   application, such as to save the need to implement 64-bit integers.
   There is an expectation that encoders will use the most compact
   integer representation that can represent a given value.  However, a
   compact application should accept values that use a longer-than-
   needed encoding (such as encoding "0" as 0b000_11101 followed by two
   bytes of 0x00) as long as the application can decode an integer of
   the given size.

3.7.  Specifying Keys for Maps

   The encoding and decoding applications need to agree on what types of
   keys are going to be used in maps.  In applications that need to
   interwork with JSON-based applications, keys probably should be
   limited to UTF-8 strings only; otherwise, there has to be a specified
   mapping from the other CBOR types to Unicode characters, and this
   often leads to implementation errors.  In applications where keys are
   numeric in nature and numeric ordering of keys is important to the
   application, directly using the numbers for the keys is useful.

   If multiple types of keys are to be used, consideration should be
   given to how these types would be represented in the specific
   programming environments that are to be used.  For example, in
   JavaScript objects, a key of integer 1 cannot be distinguished from a
   key of string "1".  This means that, if integer keys are used, the
   simultaneous use of string keys that look like numbers needs to be
   avoided.  Again, this leads to the conclusion that keys should be of
   a single CBOR type.

   Decoders that deliver data items nested within a CBOR data item
   immediately on decoding them ("streaming decoders") often do not keep
   the state that is necessary to ascertain uniqueness of a key in a
   map.  Similarly, an encoder that can start encoding data items before
   the enclosing data item is completely available ("streaming encoder")
   may want to reduce its overhead significantly by relying on its data
   source to maintain uniqueness.

   A CBOR-based protocol should make an intentional decision about what
   to do when a receiving application does see multiple identical keys
   in a map.  The resulting rule in the protocol should respect the CBOR
   data model: it cannot prescribe a specific handling of the entries

Top      Up      ToC       Page 26 
   with the identical keys, except that it might have a rule that having
   identical keys in a map indicates a malformed map and that the
   decoder has to stop with an error.  Duplicate keys are also
   prohibited by CBOR decoders that are using strict mode
   (Section 3.10).

   The CBOR data model for maps does not allow ascribing semantics to
   the order of the key/value pairs in the map representation.
   Thus, it would be a very bad practice to define a CBOR-based protocol
   in such a way that changing the key/value pair order in a map would
   change the semantics, apart from trivial aspects (cache usage, etc.).
   (A CBOR-based protocol can prescribe a specific order of
   serialization, such as for canonicalization.)

   Applications for constrained devices that have maps with 24 or fewer
   frequently used keys should consider using small integers (and those
   with up to 48 frequently used keys should consider also using small
   negative integers) because the keys can then be encoded in a single

3.8.  Undefined Values

   In some CBOR-based protocols, the simple value (Section 2.3) of
   Undefined might be used by an encoder as a substitute for a data item
   with an encoding problem, in order to allow the rest of the enclosing
   data items to be encoded without harm.

3.9.  Canonical CBOR

   Some protocols may want encoders to only emit CBOR in a particular
   canonical format; those protocols might also have the decoders check
   that their input is canonical.  Those protocols are free to define
   what they mean by a canonical format and what encoders and decoders
   are expected to do.  This section lists some suggestions for such

   If a protocol considers "canonical" to mean that two encoder
   implementations starting with the same input data will produce the
   same CBOR output, the following four rules would suffice:

   o  Integers must be as small as possible.

      *  0 to 23 and -1 to -24 must be expressed in the same byte as the
         major type;

      *  24 to 255 and -25 to -256 must be expressed only with an
         additional uint8_t;

Top      Up      ToC       Page 27 
      *  256 to 65535 and -257 to -65536 must be expressed only with an
         additional uint16_t;

      *  65536 to 4294967295 and -65537 to -4294967296 must be expressed
         only with an additional uint32_t.

   o  The expression of lengths in major types 2 through 5 must be as
      short as possible.  The rules for these lengths follow the above
      rule for integers.

   o  The keys in every map must be sorted lowest value to highest.
      Sorting is performed on the bytes of the representation of the key
      data items without paying attention to the 3/5 bit splitting for
      major types.  (Note that this rule allows maps that have keys of
      different types, even though that is probably a bad practice that
      could lead to errors in some canonicalization implementations.)
      The sorting rules are:

      *  If two keys have different lengths, the shorter one sorts

      *  If two keys have the same length, the one with the lower value
         in (byte-wise) lexical order sorts earlier.

   o  Indefinite-length items must be made into definite-length items.

   If a protocol allows for IEEE floats, then additional
   canonicalization rules might need to be added.  One example rule
   might be to have all floats start as a 64-bit float, then do a test
   conversion to a 32-bit float; if the result is the same numeric
   value, use the shorter value and repeat the process with a test
   conversion to a 16-bit float.  (This rule selects 16-bit float for
   positive and negative Infinity as well.)  Also, there are many
   representations for NaN.  If NaN is an allowed value, it must always
   be represented as 0xf97e00.

   CBOR tags present additional considerations for canonicalization.
   The absence or presence of tags in a canonical format is determined
   by the optionality of the tags in the protocol.  In a CBOR-based
   protocol that allows optional tagging anywhere, the canonical format
   must not allow them.  In a protocol that requires tags in certain
   places, the tag needs to appear in the canonical format.  A CBOR-
   based protocol that uses canonicalization might instead say that all
   tags that appear in a message must be retained regardless of whether
   they are optional.

Top      Up      ToC       Page 28 
3.10.  Strict Mode

   Some areas of application of CBOR do not require canonicalization
   (Section 3.9) but may require that different decoders reach the same
   (semantically equivalent) results, even in the presence of
   potentially malicious data.  This can be required if one application
   (such as a firewall or other protecting entity) makes a decision
   based on the data that another application, which independently
   decodes the data, relies on.

   Normally, it is the responsibility of the sender to avoid ambiguously
   decodable data.  However, the sender might be an attacker specially
   making up CBOR data such that it will be interpreted differently by
   different decoders in an attempt to exploit that as a vulnerability.
   Generic decoders used in applications where this might be a problem
   need to support a strict mode in which it is also the responsibility
   of the receiver to reject ambiguously decodable data.  It is expected
   that firewalls and other security systems that decode CBOR will only
   decode in strict mode.

   A decoder in strict mode will reliably reject any data that could be
   interpreted by other decoders in different ways.  It will reliably
   reject data items with syntax errors (Section 3.3).  It will also
   expend the effort to reliably detect other decoding errors
   (Section 3.4).  In particular, a strict decoder needs to have an API
   that reports an error (and does not return data) for a CBOR data item
   that contains any of the following:

   o  a map (major type 5) that has more than one entry with the same

   o  a tag that is used on a data item of the incorrect type

   o  a data item that is incorrectly formatted for the type given to
      it, such as invalid UTF-8 or data that cannot be interpreted with
      the specific tag that it has been tagged with

   A decoder in strict mode can do one of two things when it encounters
   a tag or simple value that it does not recognize:

   o  It can report an error (and not return data).

   o  It can emit the unknown item (type, value, and, for tags, the
      decoded tagged data item) to the application calling the decoder
      with an indication that the decoder did not recognize that tag or
      simple value.

Top      Up      ToC       Page 29 
   The latter approach, which is also appropriate for non-strict
   decoders, supports forward compatibility with newly registered tags
   and simple values without the requirement to update the encoder at
   the same time as the calling application.  (For this, the API for the
   decoder needs to have a way to mark unknown items so that the calling
   application can handle them in a manner appropriate for the program.)

   Since some of this processing may have an appreciable cost (in
   particular with duplicate detection for maps), support of strict mode
   is not a requirement placed on all CBOR decoders.

   Some encoders will rely on their applications to provide input data
   in such a way that unambiguously decodable CBOR results.  A generic
   encoder also may want to provide a strict mode where it reliably
   limits its output to unambiguously decodable CBOR, independent of
   whether or not its application is providing API-conformant data.

4.  Converting Data between CBOR and JSON

   This section gives non-normative advice about converting between CBOR
   and JSON.  Implementations of converters are free to use whichever
   advice here they want.

   It is worth noting that a JSON text is a sequence of characters, not
   an encoded sequence of bytes, while a CBOR data item consists of
   bytes, not characters.

4.1.  Converting from CBOR to JSON

   Most of the types in CBOR have direct analogs in JSON.  However, some
   do not, and someone implementing a CBOR-to-JSON converter has to
   consider what to do in those cases.  The following non-normative
   advice deals with these by converting them to a single substitute
   value, such as a JSON null.

   o  An integer (major type 0 or 1) becomes a JSON number.

   o  A byte string (major type 2) that is not embedded in a tag that
      specifies a proposed encoding is encoded in base64url without
      padding and becomes a JSON string.

   o  A UTF-8 string (major type 3) becomes a JSON string.  Note that
      JSON requires escaping certain characters (RFC 4627, Section 2.5):
      quotation mark (U+0022), reverse solidus (U+005C), and the "C0
      control characters" (U+0000 through U+001F).  All other characters
      are copied unchanged into the JSON UTF-8 string.

   o  An array (major type 4) becomes a JSON array.

Top      Up      ToC       Page 30 
   o  A map (major type 5) becomes a JSON object.  This is possible
      directly only if all keys are UTF-8 strings.  A converter might
      also convert other keys into UTF-8 strings (such as by converting
      integers into strings containing their decimal representation);
      however, doing so introduces a danger of key collision.

   o  False (major type 7, additional information 20) becomes a JSON

   o  True (major type 7, additional information 21) becomes a JSON

   o  Null (major type 7, additional information 22) becomes a JSON

   o  A floating-point value (major type 7, additional information 25
      through 27) becomes a JSON number if it is finite (that is, it can
      be represented in a JSON number); if the value is non-finite (NaN,
      or positive or negative Infinity), it is represented by the
      substitute value.

   o  Any other simple value (major type 7, any additional information
      value not yet discussed) is represented by the substitute value.

   o  A bignum (major type 6, tag value 2 or 3) is represented by
      encoding its byte string in base64url without padding and becomes
      a JSON string.  For tag value 3 (negative bignum), a "~" (ASCII
      tilde) is inserted before the base-encoded value.  (The conversion
      to a binary blob instead of a number is to prevent a likely
      numeric overflow for the JSON decoder.)

   o  A byte string with an encoding hint (major type 6, tag value 21
      through 23) is encoded as described and becomes a JSON string.

   o  For all other tags (major type 6, any other tag value), the
      embedded CBOR item is represented as a JSON value; the tag value
      is ignored.

   o  Indefinite-length items are made definite before conversion.

4.2.  Converting from JSON to CBOR

   All JSON values, once decoded, directly map into one or more CBOR
   values.  As with any kind of CBOR generation, decisions have to be
   made with respect to number representation.  In a suggested

Top      Up      ToC       Page 31 
   o  JSON numbers without fractional parts (integer numbers) are
      represented as integers (major types 0 and 1, possibly major type
      6 tag value 2 and 3), choosing the shortest form; integers longer
      than an implementation-defined threshold (which is usually either
      32 or 64 bits) may instead be represented as floating-point
      values.  (If the JSON was generated from a JavaScript
      implementation, its precision is already limited to 53 bits

   o  Numbers with fractional parts are represented as floating-point
      values.  Preferably, the shortest exact floating-point
      representation is used; for instance, 1.5 is represented in a
      16-bit floating-point value (not all implementations will be
      capable of efficiently finding the minimum form, though).  There
      may be an implementation-defined limit to the precision that will
      affect the precision of the represented values.  Decimal
      representation should only be used if that is specified in a

   CBOR has been designed to generally provide a more compact encoding
   than JSON.  One implementation strategy that might come to mind is to
   perform a JSON-to-CBOR encoding in place in a single buffer.  This
   strategy would need to carefully consider a number of pathological
   cases, such as that some strings represented with no or very few
   escapes and longer (or much longer) than 255 bytes may expand when
   encoded as UTF-8 strings in CBOR.  Similarly, a few of the binary
   floating-point representations might cause expansion from some short
   decimal representations (1.1, 1e9) in JSON.  This may be hard to get
   right, and any ensuing vulnerabilities may be exploited by an

5.  Future Evolution of CBOR

   Successful protocols evolve over time.  New ideas appear,
   implementation platforms improve, related protocols are developed and
   evolve, and new requirements from applications and protocols are
   added.  Facilitating protocol evolution is therefore an important
   design consideration for any protocol development.

   For protocols that will use CBOR, CBOR provides some useful
   mechanisms to facilitate their evolution.  Best practices for this
   are well known, particularly from JSON format development of JSON-
   based protocols.  Therefore, such best practices are outside the
   scope of this specification.

   However, facilitating the evolution of CBOR itself is very well
   within its scope.  CBOR is designed to both provide a stable basis
   for development of CBOR-based protocols and to be able to evolve.

Top      Up      ToC       Page 32 
   Since a successful protocol may live for decades, CBOR needs to be
   designed for decades of use and evolution.  This section provides
   some guidance for the evolution of CBOR.  It is necessarily more
   subjective than other parts of this document.  It is also necessarily
   incomplete, lest it turn into a textbook on protocol development.

5.1.  Extension Points

   In a protocol design, opportunities for evolution are often included
   in the form of extension points.  For example, there may be a
   codepoint space that is not fully allocated from the outset, and the
   protocol is designed to tolerate and embrace implementations that
   start using more codepoints than initially allocated.

   Sizing the codepoint space may be difficult because the range
   required may be hard to predict.  An attempt should be made to make
   the codepoint space large enough so that it can slowly be filled over
   the intended lifetime of the protocol.

   CBOR has three major extension points:

   o  the "simple" space (values in major type 7).  Of the 24 efficient
      (and 224 slightly less efficient) values, only a small number have
      been allocated.  Implementations receiving an unknown simple data
      item may be able to process it as such, given that the structure
      of the value is indeed simple.  The IANA registry in Section 7.1
      is the appropriate way to address the extensibility of this
      codepoint space.

   o  the "tag" space (values in major type 6).  Again, only a small
      part of the codepoint space has been allocated, and the space is
      abundant (although the early numbers are more efficient than the
      later ones).  Implementations receiving an unknown tag can choose
      to simply ignore it or to process it as an unknown tag wrapping
      the following data item.  The IANA registry in Section 7.2 is the
      appropriate way to address the extensibility of this codepoint

   o  the "additional information" space.  An implementation receiving
      an unknown additional information value has no way to continue
      parsing, so allocating codepoints to this space is a major step.
      There are also very few codepoints left.

Top      Up      ToC       Page 33 
5.2.  Curating the Additional Information Space

   The human mind is sometimes drawn to filling in little perceived gaps
   to make something neat.  We expect the remaining gaps in the
   codepoint space for the additional information values to be an
   attractor for new ideas, just because they are there.

   The present specification does not manage the additional information
   codepoint space by an IANA registry.  Instead, allocations out of
   this space can only be done by updating this specification.

   For an additional information value of n >= 24, the size of the
   additional data typically is 2**(n-24) bytes.  Therefore, additional
   information values 28 and 29 should be viewed as candidates for
   128-bit and 256-bit quantities, in case a need arises to add them to
   the protocol.  Additional information value 30 is then the only
   additional information value available for general allocation, and
   there should be a very good reason for allocating it before assigning
   it through an update of this protocol.

6.  Diagnostic Notation

   CBOR is a binary interchange format.  To facilitate documentation and
   debugging, and in particular to facilitate communication between
   entities cooperating in debugging, this section defines a simple
   human-readable diagnostic notation.  All actual interchange always
   happens in the binary format.

   Note that this truly is a diagnostic format; it is not meant to be
   parsed.  Therefore, no formal definition (as in ABNF) is given in
   this document.  (Implementers looking for a text-based format for
   representing CBOR data items in configuration files may also want to
   consider YAML [YAML].)

   The diagnostic notation is loosely based on JSON as it is defined in
   RFC 4627, extending it where needed.

   The notation borrows the JSON syntax for numbers (integer and
   floating point), True (>true<), False (>false<), Null (>null<), UTF-8
   strings, arrays, and maps (maps are called objects in JSON; the
   diagnostic notation extends JSON here by allowing any data item in
   the key position).  Undefined is written >undefined< as in
   JavaScript.  The non-finite floating-point numbers Infinity,
   -Infinity, and NaN are written exactly as in this sentence (this is
   also a way they can be written in JavaScript, although JSON does not
   allow them).  A tagged item is written as an integer number for the
   tag followed by the item in parentheses; for instance, an RFC 3339
   (ISO 8601) date could be notated as:

Top      Up      ToC       Page 34 

   or the equivalent relative time as


   Byte strings are notated in one of the base encodings, without
   padding, enclosed in single quotes, prefixed by >h< for base16, >b32<
   for base32, >h32< for base32hex, >b64< for base64 or base64url (the
   actual encodings do not overlap, so the string remains unambiguous).
   For example, the byte string 0x12345678 could be written h'12345678',
   b32'CI2FM6A', or b64'EjRWeA'.

   Unassigned simple values are given as "simple()" with the appropriate
   integer in the parentheses.  For example, "simple(42)" indicates
   major type 7, value 42.

6.1.  Encoding Indicators

   Sometimes it is useful to indicate in the diagnostic notation which
   of several alternative representations were actually used; for
   example, a data item written >1.5< by a diagnostic decoder might have
   been encoded as a half-, single-, or double-precision float.

   The convention for encoding indicators is that anything starting with
   an underscore and all following characters that are alphanumeric or
   underscore, is an encoding indicator, and can be ignored by anyone
   not interested in this information.  Encoding indicators are always

   A single underscore can be written after the opening brace of a map
   or the opening bracket of an array to indicate that the data item was
   represented in indefinite-length format.  For example, [_ 1, 2]
   contains an indicator that an indefinite-length representation was
   used to represent the data item [1, 2].

   An underscore followed by a decimal digit n indicates that the
   preceding item (or, for arrays and maps, the item starting with the
   preceding bracket or brace) was encoded with an additional
   information value of 24+n.  For example, 1.5_1 is a half-precision
   floating-point number, while 1.5_3 is encoded as double precision.
   This encoding indicator is not shown in Appendix A.  (Note that the
   encoding indicator "_" is thus an abbreviation of the full form "_7",
   which is not used.)

   As a special case, byte and text strings of indefinite length can be
   notated in the form (_ h'0123', h'4567') and (_ "foo", "bar").

Top      Up      ToC       Page 35 
7.  IANA Considerations

   IANA has created two registries for new CBOR values.  The registries
   are separate, that is, not under an umbrella registry, and follow the
   rules in [RFC5226].  IANA has also assigned a new MIME media type and
   an associated Constrained Application Protocol (CoAP) Content-Format

7.1.  Simple Values Registry

   IANA has created the "Concise Binary Object Representation (CBOR)
   Simple Values" registry.  The initial values are shown in Table 2.

   New entries in the range 0 to 19 are assigned by Standards Action.
   It is suggested that these Standards Actions allocate values starting
   with the number 16 in order to reserve the lower numbers for
   contiguous blocks (if any).

   New entries in the range 32 to 255 are assigned by Specification

7.2.  Tags Registry

   IANA has created the "Concise Binary Object Representation (CBOR)
   Tags" registry.  The initial values are shown in Table 3.

   New entries in the range 0 to 23 are assigned by Standards Action.
   New entries in the range 24 to 255 are assigned by Specification
   Required.  New entries in the range 256 to 18446744073709551615 are
   assigned by First Come First Served.  The template for registration
   requests is:

   o  Data item

   o  Semantics (short form)

   In addition, First Come First Served requests should include:

   o  Point of contact

   o  Description of semantics (URL)
      This description is optional; the URL can point to something like
      an Internet-Draft or a web page.

Top      Up      ToC       Page 36 
7.3.  Media Type ("MIME Type")

   The Internet media type [RFC6838] for CBOR data is application/cbor.

   Type name: application

   Subtype name: cbor

   Required parameters: n/a

   Optional parameters: n/a

   Encoding considerations:  binary

   Security considerations:  See Section 8 of this document

   Interoperability considerations: n/a

   Published specification: This document

   Applications that use this media type:  None yet, but it is expected
      that this format will be deployed in protocols and applications.

   Additional information:
      Magic number(s): n/a
      File extension(s): .cbor
      Macintosh file type code(s): n/a

   Person & email address to contact for further information:
      Carsten Bormann

   Intended usage: COMMON

   Restrictions on usage: none

      Carsten Bormann <>

   Change controller:
      The IESG <>

Top      Up      ToC       Page 37 
7.4.  CoAP Content-Format

   Media Type: application/cbor

   Encoding: -

   Id: 60

   Reference: [RFC7049]

7.5.  The +cbor Structured Syntax Suffix Registration

   Name: Concise Binary Object Representation (CBOR)

   +suffix: +cbor

   References: [RFC7049]

   Encoding Considerations: CBOR is a binary format.

   Interoperability Considerations: n/a

   Fragment Identifier Considerations:
      The syntax and semantics of fragment identifiers specified for
      +cbor SHOULD be as specified for "application/cbor".  (At
      publication of this document, there is no fragment identification
      syntax defined for "application/cbor".)

      The syntax and semantics for fragment identifiers for a specific
      "xxx/yyy+cbor" SHOULD be processed as follows:

      For cases defined in +cbor, where the fragment identifier resolves
      per the +cbor rules, then process as specified in +cbor.

      For cases defined in +cbor, where the fragment identifier does not
      resolve per the +cbor rules, then process as specified in

      For cases not defined in +cbor, then process as specified in

   Security Considerations:  See Section 8 of this document

      Apps Area Working Group (

Top      Up      ToC       Page 38 
   Author/Change Controller:
      The Apps Area Working Group.
      The IESG has change control over this registration.

8.  Security Considerations

   A network-facing application can exhibit vulnerabilities in its
   processing logic for incoming data.  Complex parsers are well known
   as a likely source of such vulnerabilities, such as the ability to
   remotely crash a node, or even remotely execute arbitrary code on it.
   CBOR attempts to narrow the opportunities for introducing such
   vulnerabilities by reducing parser complexity, by giving the entire
   range of encodable values a meaning where possible.

   Resource exhaustion attacks might attempt to lure a decoder into
   allocating very big data items (strings, arrays, maps) or exhaust the
   stack depth by setting up deeply nested items.  Decoders need to have
   appropriate resource management to mitigate these attacks.  (Items
   for which very large sizes are given can also attempt to exploit
   integer overflow vulnerabilities.)

   Applications where a CBOR data item is examined by a gatekeeper
   function and later used by a different application may exhibit
   vulnerabilities when multiple interpretations of the data item are
   possible.  For example, an attacker could make use of duplicate keys
   in maps and precision issues in numbers to make the gatekeeper base
   its decisions on a different interpretation than the one that will be
   used by the second application.  Protocols that are used in a
   security context should be defined in such a way that these multiple
   interpretations are reliably reduced to a single one.  To facilitate
   this, encoder and decoder implementations used in such contexts
   should provide at least one strict mode of operation (Section 3.10).

9.  Acknowledgements

   CBOR was inspired by MessagePack.  MessagePack was developed and
   promoted by Sadayuki Furuhashi ("frsyuki").  This reference to
   MessagePack is solely for attribution; CBOR is not intended as a
   version of or replacement for MessagePack, as it has different design
   goals and requirements.

   The need for functionality beyond the original MessagePack
   Specification became obvious to many people at about the same time
   around the year 2012.  BinaryPack is a minor derivation of
   MessagePack that was developed by Eric Zhang for the binaryjs
   project.  A similar, but different, extension was made by Tim Caswell

Top      Up      ToC       Page 39 
   for his msgpack-js and msgpack-js-browser projects.  Many people have
   contributed to the recent discussion about extending MessagePack to
   separate text string representation from byte string representation.

   The encoding of the additional information in CBOR was inspired by
   the encoding of length information designed by Klaus Hartke for CoAP.

   This document also incorporates suggestions made by many people,
   notably Dan Frost, James Manger, Joe Hildebrand, Keith Moore, Matthew
   Lepinski, Nico Williams, Phillip Hallam-Baker, Ray Polk, Tim Bray,
   Tony Finch, Tony Hansen, and Yaron Sheffer.

(page 39 continued on part 3)

Next RFC Part