



Network Working Group                                          O. Hinton
Internet-Draft                                                 Bitwarden
Intended status: Informational                               R. Léveillé
Expires: 25 June 2026                                          1Password
                                                        22 December 2025


                   Registries for Credential Exchange
                  draft-hinton-credential-exchange-00

Abstract

   This specification defines IANA registries for the FIDO Alliance
   Credential Exchange Format (CXF) credential types and extension
   identifiers.

About This Document

   This note is to be removed before publishing as an RFC.

   The latest revision of this draft can be found at https://Credential-
   Provider-SIG.github.io/Credential-Exchange-IANA/draft-hinton-
   credential-exchange.html.  Status information for this document may
   be found at https://datatracker.ietf.org/doc/draft-hinton-credential-
   exchange/.

   Source for this draft and an issue tracker can be found at
   https://github.com/Credential-Provider-SIG/Credential-Exchange-IANA.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 25 June 2026.






Hinton & Léveillé         Expires 25 June 2026                  [Page 1]

Internet-Draft     Registries for Credential Exchange      December 2025


Copyright Notice

   Copyright (c) 2025 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Requirements Notation and Conventions . . . . . . . . . .   3
   2.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   3
     2.1.  Credential Exchange Format Credential Type Identifier
           Registry  . . . . . . . . . . . . . . . . . . . . . . . .   3
       2.1.1.  Registering Credential Type Identifiers . . . . . . .   3
       2.1.2.  Registration Request Processing . . . . . . . . . . .   4
       2.1.3.  Initial Values in the Credential Type Identifiers
               Registry  . . . . . . . . . . . . . . . . . . . . . .   4
     2.2.  Credential Exchange Extension Identifiers Registry  . . .   4
       2.2.1.  Registering Extension Identifiers . . . . . . . . . .   4
       2.2.2.  Registration Request Processing . . . . . . . . . . .   5
       2.2.3.  Initial Values in the Credential Exchange Extension
               Identifiers Registry  . . . . . . . . . . . . . . . .   5
   3.  Security Considerations . . . . . . . . . . . . . . . . . . .   5
   4.  Normative References  . . . . . . . . . . . . . . . . . . . .   5
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   6

1.  Introduction

   The FIDO Alliance’s credential exchange specifications define a
   standard format for transferring all types of credentials in a
   credential manager, including passwords, passkeys and more, in a
   manner that is secure by default.

   This specification establishes IANA registries for the Credential
   Exchange Format [CredentialExchangeFormat] credential types and
   extension identifiers.  The initial values for these registries are
   in the IANA Considerations section of the [CredentialExchangeFormat]
   specification.

1.1.  Requirements Notation and Conventions

   The key words "*MUST*", "*MUST NOT*", "*REQUIRED*", "*SHALL*",
   "*SHALL NOT*", "*SHOULD*", "*SHOULD NOT*", "*RECOMMENDED*", "*NOT
   RECOMMENDED*", "*MAY*", and "*OPTIONAL*" in this document are to be
   interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only
   when, they appear in all capitals, as shown here.

2.  IANA Considerations

   This specification establishes two registries:

   *  The "Credential Exchange Credential Type Identifiers" registry
      (see Section 2.1)

   *  The "Credential Exchange Extension Identifiers" registry (see
      Section 2.2)

   Any additional processes established by the expert(s) after the
   publication of this document will be recorded on the registry web
   page at the discretion of the expert(s).

2.1.  Credential Exchange Format Credential Type Identifier Registry

   Credential Exchange Format credential type identifiers are JSON
   compatible strings defined in "Credential Types Registry"
   (https://fidoalliance.org/specs/cx/cxf-v1.0-ps-20250814.html#sctn-
   iana-credential-types-registry).  Credential type identifiers *MUST*
   be unique across all registered credential type identifiers.

2.1.1.  Registering Credential Type Identifiers

   Credential Exchange Format credential type identifiers are registered
   using the Specification Required policy (see Section 4.6 of
   [RFC8126]).

   The "Credential Exchange Format Credential Type Identifiers" registry
   is located at https://www.iana.org/assignments/credential-exchange.

   Registration requests consist of at least the following information:

   Credential type identifier:
      An identifier meeting the requirements given in Section 2.1.

   Description:
      A short description of the credential type.

   Requires an additional payload:
      A "Y" or "N" value indicating whether the credential type requires
      an additional payload outside of the Credential Exchange Format
      JSON document.

   Specification Document(s):
      Reference to the document or documents that specify the credential
      type.

   Registrations MUST reference a freely available, stable
   specification, e.g., as described in Section 4.6 of [RFC8126].  This
   specification MUST include security and privacy considerations
   relevant to the credential type.

2.1.2.  Registration Request Processing

   As noted in Section 2.1.1, Credential Exchange Format credential type
   identifiers are registered using the Specification Required policy.

2.1.3.  Initial Values in the Credential Type Identifiers Registry

   The values listed in the "Credential Types Registry"
   (https://fidoalliance.org/specs/cx/cxf-v1.0-rd-20250313.html#sctn-
   iana-credential-types-registry) section of the
   [CredentialExchangeFormat] specification will be used to populate the
   initial values in the registry.  The Change Controller entry for each
   of those registrations is:

   Change Controller:
      FIDO Alliance Technical Working Group (todo: email)

2.2.  Credential Exchange Extension Identifiers Registry

   Credential Exchange Format extension identifiers are JSON compatible
   strings defined in "Extension Registry"
   (https://fidoalliance.org/specs/cx/cxf-v1.0-ps-20250814.html#sctn-
   iana-extension-registry).  Extension identifiers *MUST* be unique
   across all registered extension identifiers.

2.2.1.  Registering Extension Identifiers

   Credential Exchange Format extension identifiers are registered using
   the Specification Required policy (see Section 4.6 of [RFC8126]).

   The "Credential Exchange Format Extension Identifiers" registry is
   located at https://www.iana.org/assignments/credential-exchange.

   Registration requests consist of at least the following information:

   Extension name identifier:
      An identifier meeting the requirements given in Section 2.1.

   Description:
      A short description of the credential type.

   Requires an additional payload:
      A "Y" or "N" value indicating whether the credential type requires
      an additional payload outside of the Credential Exchange Format
      JSON document.

   Specification Document(s):
      Reference to the document or documents that specify the credential
      type.

   Registrations MUST reference a freely available, stable
   specification, e.g., as described in Section 4.6 of [RFC8126].  This
   specification MUST include security and privacy considerations
   relevant to the extension.

2.2.2.  Registration Request Processing

   As noted in Section 2.2.1, Credential Exchange Format extension
   identifiers are registered using the Specification Required policy.

2.2.3.  Initial Values in the Credential Exchange Extension Identifiers
        Registry

   The values listed in the "Extension Registry"
   (https://fidoalliance.org/specs/cx/cxf-v1.0-rd-20250313.html#sctn-
   iana-extension-registry) section of the [CredentialExchangeFormat]
   specification will be used to populate the initial values in the
   registry.  The Change Controller entry for each of those
   registrations is:

   Change Controller:
      FIDO Alliance Technical Working Group (todo: email)

3.  Security Considerations

   See [CredentialExchangeFormat] for relevant security considerations.

4.  Normative References

   [CredentialExchangeFormat]
              FIDO Alliance, "Credential Exchange Format", 14 August
              2025, <https://fidoalliance.org/specs/cx/cxf-v1.0-ps-
              20250814.html>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/rfc/rfc2119>.

   [RFC8126]  Cotton, M., Leiba, B., and T. Narten, "Guidelines for
              Writing an IANA Considerations Section in RFCs", BCP 26,
              RFC 8126, DOI 10.17487/RFC8126, June 2017,
              <https://www.rfc-editor.org/rfc/rfc8126>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.

Authors' Addresses

   Oscar Hinton
   Bitwarden
   Email: ohinton@bitwarden.com


   René Léveillé
   1Password
   Email: rene.leveille@1password.com
