in Index   Prev   Next

RFC 7049

Concise Binary Object Representation (CBOR)

Pages: 54
Obsoleted by:  8949
Part 2 of 3 – Pages 20 to 39
First   Prev   Next

Top   ToC   RFC7049 - Page 20   prevText

3. Creating CBOR-Based Protocols

Data formats such as CBOR are often used in environments where there is no format negotiation. A specific design goal of CBOR is to not need any included or assumed schema: a decoder can take a CBOR item and decode it with no other knowledge. Of course, in real-world implementations, the encoder and the decoder will have a shared view of what should be in a CBOR data item. For example, an agreed-to format might be "the item is an array whose first value is a UTF-8 string, second value is an integer, and subsequent values are zero or more floating-point numbers" or "the item is a map that has byte strings for keys and contains at least one pair whose key is 0xab01". This specification puts no restrictions on CBOR-based protocols. An encoder can be capable of encoding as many or as few types of values as is required by the protocol in which it is used; a decoder can be capable of understanding as many or as few types of values as is required by the protocols in which it is used. This lack of restrictions allows CBOR to be used in extremely constrained environments. This section discusses some considerations in creating CBOR-based protocols. It is advisory only and explicitly excludes any language from RFC 2119 other than words that could be interpreted as "MAY" in the sense of RFC 2119.

3.1. CBOR in Streaming Applications

In a streaming application, a data stream may be composed of a sequence of CBOR data items concatenated back-to-back. In such an environment, the decoder immediately begins decoding a new data item if data is found after the end of a previous data item. Not all of the bytes making up a data item may be immediately available to the decoder; some decoders will buffer additional data until a complete data item can be presented to the application. Other decoders can present partial information about a top-level data item to an application, such as the nested data items that could already be decoded, or even parts of a byte string that hasn't completely arrived yet.
Top   ToC   RFC7049 - Page 21
   Note that some applications and protocols will not want to use
   indefinite-length encoding.  Using indefinite-length encoding allows
   an encoder to not need to marshal all the data for counting, but it
   requires a decoder to allocate increasing amounts of memory while
   waiting for the end of the item.  This might be fine for some
   applications but not others.

3.2. Generic Encoders and Decoders

A generic CBOR decoder can decode all well-formed CBOR data and present them to an application. CBOR data is well-formed if it uses the initial bytes, as well as the byte strings and/or data items that are implied by their values, in the manner defined by CBOR, and no extraneous data follows (Appendix C). Even though CBOR attempts to minimize these cases, not all well- formed CBOR data is valid: for example, the format excludes simple values below 32 that are encoded with an extension byte. Also, specific tags may make semantic constraints that may be violated, such as by including a tag in a bignum tag or by following a byte string within a date tag. Finally, the data may be invalid, such as invalid UTF-8 strings or date strings that do not conform to [RFC3339]. There is no requirement that generic encoders and decoders make unnatural choices for their application interface to enable the processing of invalid data. Generic encoders and decoders are expected to forward simple values and tags even if their specific codepoints are not registered at the time the encoder/decoder is written (Section 3.5). Generic decoders provide ways to present well-formed CBOR values, both valid and invalid, to an application. The diagnostic notation (Section 6) may be used to present well-formed CBOR values to humans. Generic encoders provide an application interface that allows the application to specify any well-formed value, including simple values and tags unknown to the encoder.

3.3. Syntax Errors

A decoder encountering a CBOR data item that is not well-formed generally can choose to completely fail the decoding (issue an error and/or stop processing altogether), substitute the problematic data and data items using a decoder-specific convention that clearly indicates there has been a problem, or take some other action.
Top   ToC   RFC7049 - Page 22

3.3.1. Incomplete CBOR Data Items

The representation of a CBOR data item has a specific length, determined by its initial bytes and by the structure of any data items enclosed in the data items. If less data is available, this can be treated as a syntax error. A decoder may also implement incremental parsing, that is, decode the data item as far as it is available and present the data found so far (such as in an event- based interface), with the option of continuing the decoding once further data is available. Examples of incomplete data items include: o A decoder expects a certain number of array or map entries but instead encounters the end of the data. o A decoder processes what it expects to be the last pair in a map and comes to the end of the data. o A decoder has just seen a tag and then encounters the end of the data. o A decoder has seen the beginning of an indefinite-length item but encounters the end of the data before it sees the "break" stop code.

3.3.2. Malformed Indefinite-Length Items

Examples of malformed indefinite-length data items include: o Within an indefinite-length byte string or text, a decoder finds an item that is not of the appropriate major type before it finds the "break" stop code. o Within an indefinite-length map, a decoder encounters the "break" stop code immediately after reading a key (the value is missing). Another error is finding a "break" stop code at a point in the data where there is no immediately enclosing (unclosed) indefinite-length item.
Top   ToC   RFC7049 - Page 23

3.3.3. Unknown Additional Information Values

At the time of writing, some additional information values are unassigned and reserved for future versions of this document (see Section 5.2). Since the overall syntax for these additional information values is not yet defined, a decoder that sees an additional information value that it does not understand cannot continue parsing.

3.4. Other Decoding Errors

A CBOR data item may be syntactically well-formed but present a problem with interpreting the data encoded in it in the CBOR data model. Generally speaking, a decoder that finds a data item with such a problem might issue a warning, might stop processing altogether, might handle the error and make the problematic value available to the application as such, or take some other type of action. Such problems might include: Duplicate keys in a map: Generic decoders (Section 3.2) make data available to applications using the native CBOR data model. That data model includes maps (key-value mappings with unique keys), not multimaps (key-value mappings where multiple entries can have the same key). Thus, a generic decoder that gets a CBOR map item that has duplicate keys will decode to a map with only one instance of that key, or it might stop processing altogether. On the other hand, a "streaming decoder" may not even be able to notice (Section 3.7). Inadmissible type on the value following a tag: Tags (Section 2.4) specify what type of data item is supposed to follow the tag; for example, the tags for positive or negative bignums are supposed to be put on byte strings. A decoder that decodes the tagged data item into a native representation (a native big integer in this example) is expected to check the type of the data item being tagged. Even decoders that don't have such native representations available in their environment may perform the check on those tags known to them and react appropriately. Invalid UTF-8 string: A decoder might or might not want to verify that the sequence of bytes in a UTF-8 string (major type 3) is actually valid UTF-8 and react appropriately.
Top   ToC   RFC7049 - Page 24

3.5. Handling Unknown Simple Values and Tags

A decoder that comes across a simple value (Section 2.3) that it does not recognize, such as a value that was added to the IANA registry after the decoder was deployed or a value that the decoder chose not to implement, might issue a warning, might stop processing altogether, might handle the error by making the unknown value available to the application as such (as is expected of generic decoders), or take some other type of action. A decoder that comes across a tag (Section 2.4) that it does not recognize, such as a tag that was added to the IANA registry after the decoder was deployed or a tag that the decoder chose not to implement, might issue a warning, might stop processing altogether, might handle the error and present the unknown tag value together with the contained data item to the application (as is expected of generic decoders), might ignore the tag and simply present the contained data item only to the application, or take some other type of action.

3.6. Numbers

For the purposes of this specification, all number representations for the same numeric value are equivalent. This means that an encoder can encode a floating-point value of 0.0 as the integer 0. It, however, also means that an application that expects to find integer values only might find floating-point values if the encoder decides these are desirable, such as when the floating-point value is more compact than a 64-bit integer. An application or protocol that uses CBOR might restrict the representations of numbers. For instance, a protocol that only deals with integers might say that floating-point numbers may not be used and that decoders of that protocol do not need to be able to handle floating-point numbers. Similarly, a protocol or application that uses CBOR might say that decoders need to be able to handle either type of number. CBOR-based protocols should take into account that different language environments pose different restrictions on the range and precision of numbers that are representable. For example, the JavaScript number system treats all numbers as floating point, which may result in silent loss of precision in decoding integers with more than 53 significant bits. A protocol that uses numbers should define its expectations on the handling of non-trivial numbers in decoders and receiving applications.
Top   ToC   RFC7049 - Page 25
   A CBOR-based protocol that includes floating-point numbers can
   restrict which of the three formats (half-precision, single-
   precision, and double-precision) are to be supported.  For an
   integer-only application, a protocol may want to completely exclude
   the use of floating-point values.

   A CBOR-based protocol designed for compactness may want to exclude
   specific integer encodings that are longer than necessary for the
   application, such as to save the need to implement 64-bit integers.
   There is an expectation that encoders will use the most compact
   integer representation that can represent a given value.  However, a
   compact application should accept values that use a longer-than-
   needed encoding (such as encoding "0" as 0b000_11101 followed by two
   bytes of 0x00) as long as the application can decode an integer of
   the given size.

3.7. Specifying Keys for Maps

The encoding and decoding applications need to agree on what types of keys are going to be used in maps. In applications that need to interwork with JSON-based applications, keys probably should be limited to UTF-8 strings only; otherwise, there has to be a specified mapping from the other CBOR types to Unicode characters, and this often leads to implementation errors. In applications where keys are numeric in nature and numeric ordering of keys is important to the application, directly using the numbers for the keys is useful. If multiple types of keys are to be used, consideration should be given to how these types would be represented in the specific programming environments that are to be used. For example, in JavaScript objects, a key of integer 1 cannot be distinguished from a key of string "1". This means that, if integer keys are used, the simultaneous use of string keys that look like numbers needs to be avoided. Again, this leads to the conclusion that keys should be of a single CBOR type. Decoders that deliver data items nested within a CBOR data item immediately on decoding them ("streaming decoders") often do not keep the state that is necessary to ascertain uniqueness of a key in a map. Similarly, an encoder that can start encoding data items before the enclosing data item is completely available ("streaming encoder") may want to reduce its overhead significantly by relying on its data source to maintain uniqueness. A CBOR-based protocol should make an intentional decision about what to do when a receiving application does see multiple identical keys in a map. The resulting rule in the protocol should respect the CBOR data model: it cannot prescribe a specific handling of the entries
Top   ToC   RFC7049 - Page 26
   with the identical keys, except that it might have a rule that having
   identical keys in a map indicates a malformed map and that the
   decoder has to stop with an error.  Duplicate keys are also
   prohibited by CBOR decoders that are using strict mode
   (Section 3.10).

   The CBOR data model for maps does not allow ascribing semantics to
   the order of the key/value pairs in the map representation.
   Thus, it would be a very bad practice to define a CBOR-based protocol
   in such a way that changing the key/value pair order in a map would
   change the semantics, apart from trivial aspects (cache usage, etc.).
   (A CBOR-based protocol can prescribe a specific order of
   serialization, such as for canonicalization.)

   Applications for constrained devices that have maps with 24 or fewer
   frequently used keys should consider using small integers (and those
   with up to 48 frequently used keys should consider also using small
   negative integers) because the keys can then be encoded in a single

3.8. Undefined Values

In some CBOR-based protocols, the simple value (Section 2.3) of Undefined might be used by an encoder as a substitute for a data item with an encoding problem, in order to allow the rest of the enclosing data items to be encoded without harm.

3.9. Canonical CBOR

Some protocols may want encoders to only emit CBOR in a particular canonical format; those protocols might also have the decoders check that their input is canonical. Those protocols are free to define what they mean by a canonical format and what encoders and decoders are expected to do. This section lists some suggestions for such protocols. If a protocol considers "canonical" to mean that two encoder implementations starting with the same input data will produce the same CBOR output, the following four rules would suffice: o Integers must be as small as possible. * 0 to 23 and -1 to -24 must be expressed in the same byte as the major type; * 24 to 255 and -25 to -256 must be expressed only with an additional uint8_t;
Top   ToC   RFC7049 - Page 27
      *  256 to 65535 and -257 to -65536 must be expressed only with an
         additional uint16_t;

      *  65536 to 4294967295 and -65537 to -4294967296 must be expressed
         only with an additional uint32_t.

   o  The expression of lengths in major types 2 through 5 must be as
      short as possible.  The rules for these lengths follow the above
      rule for integers.

   o  The keys in every map must be sorted lowest value to highest.
      Sorting is performed on the bytes of the representation of the key
      data items without paying attention to the 3/5 bit splitting for
      major types.  (Note that this rule allows maps that have keys of
      different types, even though that is probably a bad practice that
      could lead to errors in some canonicalization implementations.)
      The sorting rules are:

      *  If two keys have different lengths, the shorter one sorts

      *  If two keys have the same length, the one with the lower value
         in (byte-wise) lexical order sorts earlier.

   o  Indefinite-length items must be made into definite-length items.

   If a protocol allows for IEEE floats, then additional
   canonicalization rules might need to be added.  One example rule
   might be to have all floats start as a 64-bit float, then do a test
   conversion to a 32-bit float; if the result is the same numeric
   value, use the shorter value and repeat the process with a test
   conversion to a 16-bit float.  (This rule selects 16-bit float for
   positive and negative Infinity as well.)  Also, there are many
   representations for NaN.  If NaN is an allowed value, it must always
   be represented as 0xf97e00.

   CBOR tags present additional considerations for canonicalization.
   The absence or presence of tags in a canonical format is determined
   by the optionality of the tags in the protocol.  In a CBOR-based
   protocol that allows optional tagging anywhere, the canonical format
   must not allow them.  In a protocol that requires tags in certain
   places, the tag needs to appear in the canonical format.  A CBOR-
   based protocol that uses canonicalization might instead say that all
   tags that appear in a message must be retained regardless of whether
   they are optional.
Top   ToC   RFC7049 - Page 28

3.10. Strict Mode

Some areas of application of CBOR do not require canonicalization (Section 3.9) but may require that different decoders reach the same (semantically equivalent) results, even in the presence of potentially malicious data. This can be required if one application (such as a firewall or other protecting entity) makes a decision based on the data that another application, which independently decodes the data, relies on. Normally, it is the responsibility of the sender to avoid ambiguously decodable data. However, the sender might be an attacker specially making up CBOR data such that it will be interpreted differently by different decoders in an attempt to exploit that as a vulnerability. Generic decoders used in applications where this might be a problem need to support a strict mode in which it is also the responsibility of the receiver to reject ambiguously decodable data. It is expected that firewalls and other security systems that decode CBOR will only decode in strict mode. A decoder in strict mode will reliably reject any data that could be interpreted by other decoders in different ways. It will reliably reject data items with syntax errors (Section 3.3). It will also expend the effort to reliably detect other decoding errors (Section 3.4). In particular, a strict decoder needs to have an API that reports an error (and does not return data) for a CBOR data item that contains any of the following: o a map (major type 5) that has more than one entry with the same key o a tag that is used on a data item of the incorrect type o a data item that is incorrectly formatted for the type given to it, such as invalid UTF-8 or data that cannot be interpreted with the specific tag that it has been tagged with A decoder in strict mode can do one of two things when it encounters a tag or simple value that it does not recognize: o It can report an error (and not return data). o It can emit the unknown item (type, value, and, for tags, the decoded tagged data item) to the application calling the decoder with an indication that the decoder did not recognize that tag or simple value.
Top   ToC   RFC7049 - Page 29
   The latter approach, which is also appropriate for non-strict
   decoders, supports forward compatibility with newly registered tags
   and simple values without the requirement to update the encoder at
   the same time as the calling application.  (For this, the API for the
   decoder needs to have a way to mark unknown items so that the calling
   application can handle them in a manner appropriate for the program.)

   Since some of this processing may have an appreciable cost (in
   particular with duplicate detection for maps), support of strict mode
   is not a requirement placed on all CBOR decoders.

   Some encoders will rely on their applications to provide input data
   in such a way that unambiguously decodable CBOR results.  A generic
   encoder also may want to provide a strict mode where it reliably
   limits its output to unambiguously decodable CBOR, independent of
   whether or not its application is providing API-conformant data.

4. Converting Data between CBOR and JSON

This section gives non-normative advice about converting between CBOR and JSON. Implementations of converters are free to use whichever advice here they want. It is worth noting that a JSON text is a sequence of characters, not an encoded sequence of bytes, while a CBOR data item consists of bytes, not characters.

4.1. Converting from CBOR to JSON

Most of the types in CBOR have direct analogs in JSON. However, some do not, and someone implementing a CBOR-to-JSON converter has to consider what to do in those cases. The following non-normative advice deals with these by converting them to a single substitute value, such as a JSON null. o An integer (major type 0 or 1) becomes a JSON number. o A byte string (major type 2) that is not embedded in a tag that specifies a proposed encoding is encoded in base64url without padding and becomes a JSON string. o A UTF-8 string (major type 3) becomes a JSON string. Note that JSON requires escaping certain characters (RFC 4627, Section 2.5): quotation mark (U+0022), reverse solidus (U+005C), and the "C0 control characters" (U+0000 through U+001F). All other characters are copied unchanged into the JSON UTF-8 string. o An array (major type 4) becomes a JSON array.
Top   ToC   RFC7049 - Page 30
   o  A map (major type 5) becomes a JSON object.  This is possible
      directly only if all keys are UTF-8 strings.  A converter might
      also convert other keys into UTF-8 strings (such as by converting
      integers into strings containing their decimal representation);
      however, doing so introduces a danger of key collision.

   o  False (major type 7, additional information 20) becomes a JSON

   o  True (major type 7, additional information 21) becomes a JSON

   o  Null (major type 7, additional information 22) becomes a JSON

   o  A floating-point value (major type 7, additional information 25
      through 27) becomes a JSON number if it is finite (that is, it can
      be represented in a JSON number); if the value is non-finite (NaN,
      or positive or negative Infinity), it is represented by the
      substitute value.

   o  Any other simple value (major type 7, any additional information
      value not yet discussed) is represented by the substitute value.

   o  A bignum (major type 6, tag value 2 or 3) is represented by
      encoding its byte string in base64url without padding and becomes
      a JSON string.  For tag value 3 (negative bignum), a "~" (ASCII
      tilde) is inserted before the base-encoded value.  (The conversion
      to a binary blob instead of a number is to prevent a likely
      numeric overflow for the JSON decoder.)

   o  A byte string with an encoding hint (major type 6, tag value 21
      through 23) is encoded as described and becomes a JSON string.

   o  For all other tags (major type 6, any other tag value), the
      embedded CBOR item is represented as a JSON value; the tag value
      is ignored.

   o  Indefinite-length items are made definite before conversion.

4.2. Converting from JSON to CBOR

All JSON values, once decoded, directly map into one or more CBOR values. As with any kind of CBOR generation, decisions have to be made with respect to number representation. In a suggested conversion:
Top   ToC   RFC7049 - Page 31
   o  JSON numbers without fractional parts (integer numbers) are
      represented as integers (major types 0 and 1, possibly major type
      6 tag value 2 and 3), choosing the shortest form; integers longer
      than an implementation-defined threshold (which is usually either
      32 or 64 bits) may instead be represented as floating-point
      values.  (If the JSON was generated from a JavaScript
      implementation, its precision is already limited to 53 bits

   o  Numbers with fractional parts are represented as floating-point
      values.  Preferably, the shortest exact floating-point
      representation is used; for instance, 1.5 is represented in a
      16-bit floating-point value (not all implementations will be
      capable of efficiently finding the minimum form, though).  There
      may be an implementation-defined limit to the precision that will
      affect the precision of the represented values.  Decimal
      representation should only be used if that is specified in a

   CBOR has been designed to generally provide a more compact encoding
   than JSON.  One implementation strategy that might come to mind is to
   perform a JSON-to-CBOR encoding in place in a single buffer.  This
   strategy would need to carefully consider a number of pathological
   cases, such as that some strings represented with no or very few
   escapes and longer (or much longer) than 255 bytes may expand when
   encoded as UTF-8 strings in CBOR.  Similarly, a few of the binary
   floating-point representations might cause expansion from some short
   decimal representations (1.1, 1e9) in JSON.  This may be hard to get
   right, and any ensuing vulnerabilities may be exploited by an

5. Future Evolution of CBOR

Successful protocols evolve over time. New ideas appear, implementation platforms improve, related protocols are developed and evolve, and new requirements from applications and protocols are added. Facilitating protocol evolution is therefore an important design consideration for any protocol development. For protocols that will use CBOR, CBOR provides some useful mechanisms to facilitate their evolution. Best practices for this are well known, particularly from JSON format development of JSON- based protocols. Therefore, such best practices are outside the scope of this specification. However, facilitating the evolution of CBOR itself is very well within its scope. CBOR is designed to both provide a stable basis for development of CBOR-based protocols and to be able to evolve.
Top   ToC   RFC7049 - Page 32
   Since a successful protocol may live for decades, CBOR needs to be
   designed for decades of use and evolution.  This section provides
   some guidance for the evolution of CBOR.  It is necessarily more
   subjective than other parts of this document.  It is also necessarily
   incomplete, lest it turn into a textbook on protocol development.

5.1. Extension Points

In a protocol design, opportunities for evolution are often included in the form of extension points. For example, there may be a codepoint space that is not fully allocated from the outset, and the protocol is designed to tolerate and embrace implementations that start using more codepoints than initially allocated. Sizing the codepoint space may be difficult because the range required may be hard to predict. An attempt should be made to make the codepoint space large enough so that it can slowly be filled over the intended lifetime of the protocol. CBOR has three major extension points: o the "simple" space (values in major type 7). Of the 24 efficient (and 224 slightly less efficient) values, only a small number have been allocated. Implementations receiving an unknown simple data item may be able to process it as such, given that the structure of the value is indeed simple. The IANA registry in Section 7.1 is the appropriate way to address the extensibility of this codepoint space. o the "tag" space (values in major type 6). Again, only a small part of the codepoint space has been allocated, and the space is abundant (although the early numbers are more efficient than the later ones). Implementations receiving an unknown tag can choose to simply ignore it or to process it as an unknown tag wrapping the following data item. The IANA registry in Section 7.2 is the appropriate way to address the extensibility of this codepoint space. o the "additional information" space. An implementation receiving an unknown additional information value has no way to continue parsing, so allocating codepoints to this space is a major step. There are also very few codepoints left.
Top   ToC   RFC7049 - Page 33

5.2. Curating the Additional Information Space

The human mind is sometimes drawn to filling in little perceived gaps to make something neat. We expect the remaining gaps in the codepoint space for the additional information values to be an attractor for new ideas, just because they are there. The present specification does not manage the additional information codepoint space by an IANA registry. Instead, allocations out of this space can only be done by updating this specification. For an additional information value of n >= 24, the size of the additional data typically is 2**(n-24) bytes. Therefore, additional information values 28 and 29 should be viewed as candidates for 128-bit and 256-bit quantities, in case a need arises to add them to the protocol. Additional information value 30 is then the only additional information value available for general allocation, and there should be a very good reason for allocating it before assigning it through an update of this protocol.

6. Diagnostic Notation

CBOR is a binary interchange format. To facilitate documentation and debugging, and in particular to facilitate communication between entities cooperating in debugging, this section defines a simple human-readable diagnostic notation. All actual interchange always happens in the binary format. Note that this truly is a diagnostic format; it is not meant to be parsed. Therefore, no formal definition (as in ABNF) is given in this document. (Implementers looking for a text-based format for representing CBOR data items in configuration files may also want to consider YAML [YAML].) The diagnostic notation is loosely based on JSON as it is defined in RFC 4627, extending it where needed. The notation borrows the JSON syntax for numbers (integer and floating point), True (>true<), False (>false<), Null (>null<), UTF-8 strings, arrays, and maps (maps are called objects in JSON; the diagnostic notation extends JSON here by allowing any data item in the key position). Undefined is written >undefined< as in JavaScript. The non-finite floating-point numbers Infinity, -Infinity, and NaN are written exactly as in this sentence (this is also a way they can be written in JavaScript, although JSON does not allow them). A tagged item is written as an integer number for the tag followed by the item in parentheses; for instance, an RFC 3339 (ISO 8601) date could be notated as:
Top   ToC   RFC7049 - Page 34

   or the equivalent relative time as


   Byte strings are notated in one of the base encodings, without
   padding, enclosed in single quotes, prefixed by >h< for base16, >b32<
   for base32, >h32< for base32hex, >b64< for base64 or base64url (the
   actual encodings do not overlap, so the string remains unambiguous).
   For example, the byte string 0x12345678 could be written h'12345678',
   b32'CI2FM6A', or b64'EjRWeA'.

   Unassigned simple values are given as "simple()" with the appropriate
   integer in the parentheses.  For example, "simple(42)" indicates
   major type 7, value 42.

6.1. Encoding Indicators

Sometimes it is useful to indicate in the diagnostic notation which of several alternative representations were actually used; for example, a data item written >1.5< by a diagnostic decoder might have been encoded as a half-, single-, or double-precision float. The convention for encoding indicators is that anything starting with an underscore and all following characters that are alphanumeric or underscore, is an encoding indicator, and can be ignored by anyone not interested in this information. Encoding indicators are always optional. A single underscore can be written after the opening brace of a map or the opening bracket of an array to indicate that the data item was represented in indefinite-length format. For example, [_ 1, 2] contains an indicator that an indefinite-length representation was used to represent the data item [1, 2]. An underscore followed by a decimal digit n indicates that the preceding item (or, for arrays and maps, the item starting with the preceding bracket or brace) was encoded with an additional information value of 24+n. For example, 1.5_1 is a half-precision floating-point number, while 1.5_3 is encoded as double precision. This encoding indicator is not shown in Appendix A. (Note that the encoding indicator "_" is thus an abbreviation of the full form "_7", which is not used.) As a special case, byte and text strings of indefinite length can be notated in the form (_ h'0123', h'4567') and (_ "foo", "bar").
Top   ToC   RFC7049 - Page 35

7. IANA Considerations

IANA has created two registries for new CBOR values. The registries are separate, that is, not under an umbrella registry, and follow the rules in [RFC5226]. IANA has also assigned a new MIME media type and an associated Constrained Application Protocol (CoAP) Content-Format entry.

7.1. Simple Values Registry

IANA has created the "Concise Binary Object Representation (CBOR) Simple Values" registry. The initial values are shown in Table 2. New entries in the range 0 to 19 are assigned by Standards Action. It is suggested that these Standards Actions allocate values starting with the number 16 in order to reserve the lower numbers for contiguous blocks (if any). New entries in the range 32 to 255 are assigned by Specification Required.

7.2. Tags Registry

IANA has created the "Concise Binary Object Representation (CBOR) Tags" registry. The initial values are shown in Table 3. New entries in the range 0 to 23 are assigned by Standards Action. New entries in the range 24 to 255 are assigned by Specification Required. New entries in the range 256 to 18446744073709551615 are assigned by First Come First Served. The template for registration requests is: o Data item o Semantics (short form) In addition, First Come First Served requests should include: o Point of contact o Description of semantics (URL) This description is optional; the URL can point to something like an Internet-Draft or a web page.
Top   ToC   RFC7049 - Page 36

7.3. Media Type ("MIME Type")

The Internet media type [RFC6838] for CBOR data is application/cbor. Type name: application Subtype name: cbor Required parameters: n/a Optional parameters: n/a Encoding considerations: binary Security considerations: See Section 8 of this document Interoperability considerations: n/a Published specification: This document Applications that use this media type: None yet, but it is expected that this format will be deployed in protocols and applications. Additional information: Magic number(s): n/a File extension(s): .cbor Macintosh file type code(s): n/a Person & email address to contact for further information: Carsten Bormann Intended usage: COMMON Restrictions on usage: none Author: Carsten Bormann <> Change controller: The IESG <>
Top   ToC   RFC7049 - Page 37

7.4. CoAP Content-Format

Media Type: application/cbor Encoding: - Id: 60 Reference: [RFC7049]

7.5. The +cbor Structured Syntax Suffix Registration

Name: Concise Binary Object Representation (CBOR) +suffix: +cbor References: [RFC7049] Encoding Considerations: CBOR is a binary format. Interoperability Considerations: n/a Fragment Identifier Considerations: The syntax and semantics of fragment identifiers specified for +cbor SHOULD be as specified for "application/cbor". (At publication of this document, there is no fragment identification syntax defined for "application/cbor".) The syntax and semantics for fragment identifiers for a specific "xxx/yyy+cbor" SHOULD be processed as follows: For cases defined in +cbor, where the fragment identifier resolves per the +cbor rules, then process as specified in +cbor. For cases defined in +cbor, where the fragment identifier does not resolve per the +cbor rules, then process as specified in "xxx/yyy+cbor". For cases not defined in +cbor, then process as specified in "xxx/yyy+cbor". Security Considerations: See Section 8 of this document Contact: Apps Area Working Group (
Top   ToC   RFC7049 - Page 38
   Author/Change Controller:
      The Apps Area Working Group.
      The IESG has change control over this registration.

8. Security Considerations

A network-facing application can exhibit vulnerabilities in its processing logic for incoming data. Complex parsers are well known as a likely source of such vulnerabilities, such as the ability to remotely crash a node, or even remotely execute arbitrary code on it. CBOR attempts to narrow the opportunities for introducing such vulnerabilities by reducing parser complexity, by giving the entire range of encodable values a meaning where possible. Resource exhaustion attacks might attempt to lure a decoder into allocating very big data items (strings, arrays, maps) or exhaust the stack depth by setting up deeply nested items. Decoders need to have appropriate resource management to mitigate these attacks. (Items for which very large sizes are given can also attempt to exploit integer overflow vulnerabilities.) Applications where a CBOR data item is examined by a gatekeeper function and later used by a different application may exhibit vulnerabilities when multiple interpretations of the data item are possible. For example, an attacker could make use of duplicate keys in maps and precision issues in numbers to make the gatekeeper base its decisions on a different interpretation than the one that will be used by the second application. Protocols that are used in a security context should be defined in such a way that these multiple interpretations are reliably reduced to a single one. To facilitate this, encoder and decoder implementations used in such contexts should provide at least one strict mode of operation (Section 3.10).

9. Acknowledgements

CBOR was inspired by MessagePack. MessagePack was developed and promoted by Sadayuki Furuhashi ("frsyuki"). This reference to MessagePack is solely for attribution; CBOR is not intended as a version of or replacement for MessagePack, as it has different design goals and requirements. The need for functionality beyond the original MessagePack Specification became obvious to many people at about the same time around the year 2012. BinaryPack is a minor derivation of MessagePack that was developed by Eric Zhang for the binaryjs project. A similar, but different, extension was made by Tim Caswell
Top   ToC   RFC7049 - Page 39
   for his msgpack-js and msgpack-js-browser projects.  Many people have
   contributed to the recent discussion about extending MessagePack to
   separate text string representation from byte string representation.

   The encoding of the additional information in CBOR was inspired by
   the encoding of length information designed by Klaus Hartke for CoAP.

   This document also incorporates suggestions made by many people,
   notably Dan Frost, James Manger, Joe Hildebrand, Keith Moore, Matthew
   Lepinski, Nico Williams, Phillip Hallam-Baker, Ray Polk, Tim Bray,
   Tony Finch, Tony Hansen, and Yaron Sheffer.

(page 39 continued on part 3)

Next Section