Secure Patterns for Internet CrEdentials                      M. Prorock
Internet-Draft                                                  mesur.io
Intended status: Informational                           5 November 2024
Expires: 9 May 2025


                     SPICE Traceability CWT Claims
             draft-prorock-spice-cwt-traceability-claims-00

Abstract

   This document proposes additional claims for CBOR Web Tokens (CWT) to
   support traceability of physical goods across supply chains, focusing
   on items such as bills of lading, transport modes, and container
   manifests.  These claims aim to standardize the encoding of essential
   logistics and transport metadata, facilitating enhanced transparency
   and accountability in global supply chains.

About This Document

   This note is to be removed before publishing as an RFC.

   The latest revision of this draft can be found at
   https://mprorock.github.io/draft-prorock-spice-cwt-traceability-claims/draft-prorock-spice-cwt-traceability-claims.html.
   Status information for this document may be found at
   https://datatracker.ietf.org/doc/draft-prorock-spice-cwt-traceability-claims/.

   Discussion of this document takes place on the Secure Patterns for
   Internet CrEdentials mailing list (mailto:spice@ietf.org), which is
   archived at https://mailarchive.ietf.org/arch/browse/spice/.
   Subscribe at https://www.ietf.org/mailman/listinfo/spice/.

   Source for this draft and an issue tracker can be found at
   https://github.com/mprorock/draft-prorock-spice-cwt-traceability-claims.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 9 May 2025.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Revised BSD License text as described in Section 4.e of the
   Trust Legal Provisions and are provided without warranty as described
   in the Revised BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions and Definitions
   3.  Security Considerations
     3.1.  4. IANA Considerations
     3.2.  CBOR Web Token (CWT) Claims
       3.2.1.  Goods Identifier
       3.2.2.  Shipment ID
       3.2.3.  Bill of Lading Number
       3.2.4.  Transport Mode
       3.2.5.  Container ID
       3.2.6.  Origin Location
       3.2.7.  Destination Location
       3.2.8.  Carrier ID
       3.2.9.  Estimated Delivery Date
       3.2.10. Customs Declaration Number
       3.2.11. Commodity Description
       3.2.12. HS Code
       3.2.13. Gross Weight
       3.2.14. Temperature Min Requirement
       3.2.15. Temperature Max Requirement
       3.2.16. Last Known Location
       3.2.17. Tariff Code
       3.2.18. Country of Origin
       3.2.19. Customs Value
       3.2.20. Currency Code
       3.2.21. Import/Export License Number
       3.2.22. Sanctions Reference
       3.2.23. Legal Jurisdiction
       3.2.24. Importer Code
       3.2.25. Exporter Code
       3.2.26. Incoterms
       3.2.27. Regulatory Compliance Codes
       3.2.28. Additional Documents Required
       3.2.29. Freight Charges
       3.2.30. Insurance Charges
       3.2.31. Packing Costs
       3.2.32. Place of Loading
       3.2.33. Place of Discharge
       3.2.34. Consignee Information
       3.2.35. Consignor Information
       3.2.36. Customs Declaration Date
   4.  Normative References
   Acknowledgments
   Author's Address

1.  Introduction

   This document defines a set of claims for CBOR Web Tokens (CWT)
   intended to enable the traceability of physical goods across various
   stages of transportation and storage.
   These claims capture critical information necessary for documenting
   the movement of goods in supply chains, thereby supporting regulatory
   compliance and operational efficiency.

2.  Conventions and Definitions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  Security Considerations

   These claims are designed to enhance transparency in supply chain
   tracking but should be handled securely to prevent unauthorized
   access to sensitive data.  Confidentiality and integrity of these
   claims must be considered, particularly when shared across untrusted
   or unsecured networks.

   Use of selective disclosure techniques and careful consideration of
   data minimization requirements SHOULD be considered when using these
   claims.

3.1.  4. IANA Considerations

3.2.  CBOR Web Token (CWT) Claims

   IANA is requested to add the following entries to the CWT claims
   registry (https://www.iana.org/assignments/cwt/cwt.xhtml).

3.2.1.  Goods Identifier

   The following completed registration template per RFC8392 is
   provided:

   Name: product_id
   Label: TBD
   Value Type: text string
   Value Registry: (empty)
   Description: A unique identifier for the physical product(s) or
      shipment being tracked.  May correspond to SKU, product ID, or
      batch number.
   Reference: RFC XXXX

3.2.2.  Shipment ID

   The following completed registration template per RFC8392 is
   provided:

   Name: shipment_id
   Label: TBD
   Value Type: text string
   Value Registry: (empty)
   Description: Unique identifier assigned to a specific shipment.
   Reference: RFC XXXX

3.2.3.  Bill of Lading Number

   The following completed registration template per RFC8392 is
   provided:

   Name: bill_of_lading_number
   Label: TBD
   Value Type: text string
   Value Registry: (empty)
   Description: Identifier for the bill of lading associated with the
      goods.
   Reference: RFC XXXX

3.2.4.  Transport Mode

   The following completed registration template per RFC8392 is
   provided:

   Name: transport_mode
   Label: TBD
   Value Type: text string (recommended values: “air,” “sea,” “rail,”
      “truck”)
   Value Registry: (empty)
   Description: Mode of transport used for the shipment.
   Reference: RFC XXXX

3.2.5.  Container ID

   The following completed registration template per RFC8392 is
   provided:

   Name: container_id
   Label: TBD
   Value Type: text string
   Value Registry: (empty)
   Description: Unique identifier for the container used in the
      shipment.
   Reference: RFC XXXX

3.2.6.  Origin Location

   The following completed registration template per RFC8392 is
   provided:

   Name: origin_location
   Label: TBD
   Value Type: text string
   Value Registry: (empty)
   Description: Geographical origin of the goods, represented as a
      location code (e.g., ISO country code) or specific address.
   Reference: RFC XXXX

3.2.7.  Destination Location

   The following completed registration template per RFC8392 is
   provided:

   Name: destination_location
   Label: TBD
   Value Type: text string
   Value Registry: (empty)
   Description: Final destination of the goods in the shipment.
   Reference: RFC XXXX

3.2.8.  Carrier ID

   The following completed registration template per RFC8392 is
   provided:

   Name: carrier_id
   Label: TBD
   Value Type: text string
   Value Registry: (empty)
   Description: Identifier for the carrier or logistics provider
      responsible for the shipment.
   Reference: RFC XXXX

3.2.9.  Estimated Delivery Date

   The following completed registration template per RFC8392 is
   provided:

   Name: estimated_delivery_date
   Label: TBD
   Value Type: text string (ISO8601 format)
   Value Registry: (empty)
   Description: Expected delivery date for the shipment.
   Reference: RFC XXXX

3.2.10.  Customs Declaration Number

   The following completed registration template per RFC8392 is
   provided:

   Name: customs_declaration_number
   Label: TBD
   Value Type: text string
   Value Registry: (empty)
   Description: Identifier for the customs declaration associated with
      the shipment.
   Reference: RFC XXXX

3.2.11.  Commodity Description

   The following completed registration template per RFC8392 is
   provided:

   Name: commodity_description
   Label: TBD
   Value Type: text string
   Value Registry: (empty)
   Description: Description of the commodity or goods being
      transported.
   Reference: RFC XXXX

3.2.12.  HS Code

   The following completed registration template per RFC8392 is
   provided:

   Name: hs_code
   Label: TBD
   Value Type: text string
   Value Registry: (empty)
   Description: Harmonized System (HS) code for the goods.
   Reference: RFC XXXX

3.2.13.  Gross Weight

   The following completed registration template per RFC8392 is
   provided:

   Name: gross_weight
   Label: TBD
   Value Type: integer
   Value Registry: (empty)
   Description: Gross weight of the shipment, in kilograms.
   Reference: RFC XXXX

3.2.14.  Temperature Min Requirement

   The following completed registration template per RFC8392 is
   provided:

   Name: temperature_requirement_min
   Label: TBD
   Value Type: float
   Value Registry: (empty)
   Description: Minimum temperature (in Celsius) required for transport
      or storage of the goods.
   Reference: RFC XXXX

3.2.15.  Temperature Max Requirement

   The following completed registration template per RFC8392 is
   provided:

   Name: temperature_requirement_max
   Label: TBD
   Value Type: float
   Value Registry: (empty)
   Description: Maximum temperature (in Celsius) required for transport
      or storage of the goods.
   Reference: RFC XXXX

3.2.16.  Last Known Location

   The following completed registration template per RFC8392 is
   provided:

   Name: last_known_location
   Label: TBD
   Value Type: text string
   Value Registry: (empty)
   Description: Most recent location update for the goods.
   Reference: RFC XXXX

3.2.17.  Tariff Code

   The following completed registration template per RFC8392 is
   provided:

   Name: tariff_code
   Label: TBD
   Value Type: text string
   Value Registry: (empty)
   Description: Tariff code applicable to the goods, including national
      tariff classifications or specific duty codes.
   Reference: RFC XXXX

3.2.18.  Country of Origin

   The following completed registration template per RFC8392 is
   provided:

   Name: country_of_origin
   Label: TBD
   Value Type: text string (ISO 3166-1 alpha-2 country code)
   Value Registry: (empty)
   Description: The country where the goods were produced or
      manufactured.
   Reference: RFC XXXX

3.2.19.  Customs Value

   The following completed registration template per RFC8392 is
   provided:

   Name: customs_value
   Label: TBD
   Value Type: float
   Value Registry: (empty)
   Description: Declared value of the goods for customs purposes,
      typically in the transaction currency.
   Reference: RFC XXXX

3.2.20.  Currency Code

   The following completed registration template per RFC8392 is
   provided:

   Name: currency_code
   Label: TBD
   Value Type: text string (ISO 4217 currency code)
   Value Registry: (empty)
   Description: Currency code for the customs value and other monetary
      amounts, as per ISO 4217.
   Reference: RFC XXXX

3.2.21.  Import/Export License Number

   The following completed registration template per RFC8392 is
   provided:

   Name: license_number
   Label: TBD
   Value Type: text string
   Value Registry: (empty)
   Description: License or permit number required for the import or
      export of the goods.
   Reference: RFC XXXX

3.2.22.  Sanctions Reference

   The following completed registration template per RFC8392 is
   provided:

   Name: sanctions_reference
   Label: TBD
   Value Type: text string
   Value Registry: (empty)
   Description: Reference to applicable sanctions lists or regulations
      affecting the goods or involved parties.
   Reference: RFC XXXX

3.2.23.  Legal Jurisdiction

   The following completed registration template per RFC8392 is
   provided:

   Name: legal_jurisdiction
   Label: TBD
   Value Type: text string
   Value Registry: (empty)
   Description: Legal jurisdiction(s) governing the transaction,
      represented as country codes or specific legal identifiers.
   Reference: RFC XXXX

3.2.24.  Importer Code

   The following completed registration template per RFC8392 is
   provided:

   Name: importer_code
   Label: TBD
   Value Type: text string
   Value Registry: (empty)
   Description: Code identifying the importer, such as a VAT number or
      EORI number.
   Reference: RFC XXXX

3.2.25.  Exporter Code

   The following completed registration template per RFC8392 is
   provided:

   Name: exporter_code
   Label: TBD
   Value Type: text string
   Value Registry: (empty)
   Description: Code identifying the exporter, such as a VAT number or
      EORI number.
   Reference: RFC XXXX

3.2.26.  Incoterms

   The following completed registration template per RFC8392 is
   provided:

   Name: incoterms
   Label: TBD
   Value Type: text string
   Value Registry: (empty)
   Description: International commercial terms defining
      responsibilities between buyer and seller, e.g., "FOB," "CIF."
   Reference: RFC XXXX

3.2.27.  Regulatory Compliance Codes

   The following completed registration template per RFC8392 is
   provided:

   Name: regulatory_compliance_codes
   Label: TBD
   Value Type: array of text strings
   Value Registry: (empty)
   Description: Codes indicating compliance with specific regulations
      or standards (e.g., safety certifications, environmental
      standards).
   Reference: RFC XXXX

3.2.28.  Additional Documents Required

   The following completed registration template per RFC8392 is
   provided:

   Name: additional_documents_required
   Label: TBD
   Value Type: array of text strings
   Value Registry: (empty)
   Description: List of additional documents required for customs
      clearance, such as certificates of origin or inspection reports.
   Reference: RFC XXXX

3.2.29.  Freight Charges

   The following completed registration template per RFC8392 is
   provided:

   Name: freight_charges
   Label: TBD
   Value Type: float
   Value Registry: (empty)
   Description: Transportation costs associated with the shipment, used
      for customs valuation.
   Reference: RFC XXXX

3.2.30.  Insurance Charges

   The following completed registration template per RFC8392 is
   provided:

   Name: insurance_charges
   Label: TBD
   Value Type: float
   Value Registry: (empty)
   Description: Insurance costs for the shipment, used in determining
      customs value.
   Reference: RFC XXXX

3.2.31.  Packing Costs

   The following completed registration template per RFC8392 is
   provided:

   Name: packing_costs
   Label: TBD
   Value Type: float
   Value Registry: (empty)
   Description: Costs associated with packing the goods, relevant for
      customs valuation.
   Reference: RFC XXXX

3.2.32.  Place of Loading

   The following completed registration template per RFC8392 is
   provided:

   Name: place_of_loading
   Label: TBD
   Value Type: text string
   Value Registry: (empty)
   Description: Location where the goods were loaded for shipment,
      often a port or warehouse.
   Reference: RFC XXXX

3.2.33.  Place of Discharge

   The following completed registration template per RFC8392 is
   provided:

   Name: place_of_discharge
   Label: TBD
   Value Type: text string
   Value Registry: (empty)
   Description: Location where the goods are scheduled to be unloaded.
   Reference: RFC XXXX

3.2.34.  Consignee Information

   The following completed registration template per RFC8392 is
   provided:

   Name: consignee_information
   Label: TBD
   Value Type: map
   Value Registry: (empty)
   Description: Information about the consignee, including name,
      address, and contact details.
   Reference: RFC XXXX

3.2.35.  Consignor Information

   The following completed registration template per RFC8392 is
   provided:

   Name: consignor_information
   Label: TBD
   Value Type: map
   Value Registry: (empty)
   Description: Information about the consignor, including name,
      address, and contact details.
   Reference: RFC XXXX

3.2.36.  Customs Declaration Date

   The following completed registration template per RFC8392 is
   provided:

   Name: customs_declaration_date
   Label: TBD
   Value Type: text string (ISO8601 date format)
   Value Registry: (empty)
   Description: Date when the customs declaration was made.
   Reference: RFC XXXX

4.  Normative References

   [BCP205]   Best Current Practice 205.
              At the time of writing, this BCP comprises the following:

              Sheffer, Y. and A. Farrel, "Improving Awareness of Running
              Code: The Implementation Status Section", BCP 205,
              RFC 7942, DOI 10.17487/RFC7942, July 2016.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8392]  Jones, M., Wahlstroem, E., Erdtman, S., and H. Tschofenig,
              "CBOR Web Token (CWT)", RFC 8392, DOI 10.17487/RFC8392,
              May 2018.

Acknowledgments

   TODO acknowledge.

Author's Address

   Michael Prorock
   mesur.io
   Email: mprorock@mesur.io
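
The value types in the registration templates and the data minimization advice in Section 3 can both be enforced before a token is issued. The following Python is an added example, not part of the draft: it type-checks a claims set keyed by claim name (labels are still TBD) and filters it through per-recipient allow-lists. The `VIEWS` allow-lists, the function names, the syntactic-only format patterns, and the sample values are assumptions.

```python
import re
from datetime import date, datetime

# Claim names and value types come from the registration templates (3.2.x).
TEXT = set("""product_id shipment_id bill_of_lading_number transport_mode
container_id origin_location destination_location carrier_id hs_code incoterms
estimated_delivery_date customs_declaration_number commodity_description
last_known_location tariff_code country_of_origin currency_code license_number
sanctions_reference legal_jurisdiction importer_code exporter_code
place_of_loading place_of_discharge customs_declaration_date""".split())
FLOAT = {"temperature_requirement_min", "temperature_requirement_max",
         "customs_value", "freight_charges", "insurance_charges", "packing_costs"}
TYPES = {**dict.fromkeys(TEXT, str), **dict.fromkeys(FLOAT, float),
         "gross_weight": int, "consignee_information": dict,
         "consignor_information": dict, "regulatory_compliance_codes": list,
         "additional_documents_required": list}
# Syntactic checks only; membership in the ISO code lists is not verified.
PATTERNS = {"country_of_origin": r"[A-Z]{2}", "currency_code": r"[A-Z]{3}"}
DATES = {"estimated_delivery_date": datetime.fromisoformat,
         "customs_declaration_date": date.fromisoformat}
# Hypothetical per-recipient allow-lists (not defined by the draft).
VIEWS = {"carrier": {"shipment_id", "container_id", "transport_mode", "gross_weight",
                     "temperature_requirement_min", "temperature_requirement_max"},
         "customs": {"shipment_id", "hs_code", "country_of_origin", "customs_value",
                     "currency_code", "customs_declaration_date", "importer_code"}}

def type_ok(name, value):
    want = TYPES.get(name)
    if want is None:  # not one of the traceability claims: out of scope here
        return True
    if type(value) is not want:  # exact match, so True/False is not an integer
        return False
    return want is not list or all(type(v) is str for v in value)

def validate(claims):
    """Return the problems found; an empty list means the claims are well-formed."""
    problems = []
    for name, value in claims.items():
        if not type_ok(name, value):
            problems.append(f"{name}: wrong value type")
        elif name in PATTERNS and not re.fullmatch(PATTERNS[name], value):
            problems.append(f"{name}: bad format")
        elif name in DATES:
            try:
                DATES[name](value)
            except ValueError:
                problems.append(f"{name}: not an ISO 8601 date")
    return problems

def minimize(claims, recipient):
    """Keep only the claims a recipient needs; an unknown recipient gets none."""
    return {k: v for k, v in claims.items() if k in VIEWS.get(recipient, ())}

# Constructed sample claims set; every value is illustrative.
SAMPLE = {"shipment_id": "SHP-0001", "container_id": "CONT-0001",
          "transport_mode": "sea", "gross_weight": 1200,
          "temperature_requirement_min": 2.0, "customs_value": 15000.0,
          "country_of_origin": "DE", "currency_code": "EUR",
          "customs_declaration_date": "2024-11-05"}
```

Running `validate` on the full set and then `minimize` per recipient keeps customs valuation data out of the carrier's token and temperature requirements out of the customs one.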