May 19, 2017
Thirty years ago today… and at last I knew Pittsburgh

This appeared in the Columbus Dispatch on Tuesday, May 19, 1987 on page B1…

“I didn’t expect to win,” said Sheila Richter of Minneapolis after taking top honors, or dishonors, in an annual bad writing contest that drew more than 10,000 entries. “I knew my entry was dreadful, but I didn’t know it was that dreadful.” Richter, who works at the University of Minnesota, wins a personal computer and “whatever public humiliation may come her way,” said Scott Rice, an English professor at San Jose State University and founder of the Bulwer-Lytton Fiction Contest. Richter’s winning entry reads: “The notes blatted skyward as the sun rose over the Canada geese, feathered rumps mooning the day, webbed appendages frantically pedaling unseen bicycles in their search for sustenance, driven by cruel Nature’s maxim, ‘ya wanna eat, ya gotta work,’ and at last I knew Pittsburgh.”

May 18, 2017
Clarified Security Considerations in Using RSA Algorithms with COSE Messages

IETF logoA slightly updated version of the “Using RSA Algorithms with COSE Messages” specification has been published in preparation for IETF last call. Changes were:

  • Clarified the Security Considerations in ways suggested by Kathleen Moriarty.
  • Acknowledged reviewers.

The specification is available at:

An HTML-formatted version is also available at:

May 11, 2017
Strong Authentication and Token Binding Presentations at EIC 2017

EIC logoI gave two presentations at the 2017 European Identity and Cloud Conference (EIC) on progress we’re making in creating and deploying important new identity and security standards. The presentations were:

  • Strong Authentication using Asymmetric Keys on Devices Controlled by You: This presentation is about the new authentication experiences enabled by the W3C Web Authentication (WebAuthn) and FIDO 2.0 Client To Authenticator Protocol (CTAP) specifications. It describes the progress being made on the standards and shows some example user experiences logging in using authenticators. Check it out in PowerPoint or PDF.
  • Token Binding Standards and Applications: Securing what were previously bearer tokens: This presentation is about how data structures such as browser cookies, ID Tokens, and access tokens can be cryptographically bound to the TLS channels on which they are transported, making them no longer bearer tokens. It describes the state of the Token Binding standards (IETF, OAuth, and OpenID) and provides data on implementations and deployments to date. This presentation was a collaboration with Brian Campbell of Ping Identity. Check it out in PowerPoint or PDF.

Mike presenting at EIC 2017
(Photo from

May 5, 2017
Fifth working draft of W3C Web Authentication Specification

W3C logoThe W3C Web Authentication working group has published the fifth working draft of the W3C Web Authentication specification. It has a new title that’s more reflective of what it enables: “Web Authentication: An API for accessing Public Key Credentials”. Among other changes, the draft is now aligned with the W3C Credential Management API. Numerous issues were resolved and many improvements in the process of creating this release.

While not a candidate recommendation, this version is informally intended by the working group to be an Implementer’s Draft, which will be used for experimenting with implementations of the API.

April 20, 2017
Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)

IETF logoWith the CBOR Web Token (CWT) specification nearing completion, which provides the CBOR equivalent of JWTs, I thought that it was also time to introduce the CBOR equivalent of RFC 7800, “Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)”, so that applications using CWTs will have a standard representation for proof-of-possession keys. I know that PoP keys are important to ACE applications, for instance. I therefore took RFC 7800 and produced the CBOR/CWT equivalent of it.

The specification is available at:

An HTML-formatted version is also available at:

April 13, 2017
CBOR Web Token (CWT) specification correcting inconsistencies in examples

IETF logoA revised CBOR Web Token (CWT) draft has been published that corrects inconsistencies in the examples. Thanks to Jim Schaad for validating the examples and pointing out the inconsistencies and to Samuel Erdtman for fixing them. As before, people are highly encouraged to validate the updated examples.

The specification is available at:

An HTML-formatted version is also available at:

March 28, 2017
OpenID Connect Logout Implementer’s Drafts Approved

As announced by the OpenID Foundation, the OpenID membership has approved Implementer’s Drafts of the three OpenID Connect logout specifications. That means that developers and deployers can now count on the intellectual property protections that come with being Implementer’s Drafts.

These are the first Implementer’s Drafts of these specifications:

  • Front-Channel Logout – Defines a front-channel logout mechanism that does not use an OP iframe on RP pages
  • Back-Channel Logout – Defines a logout mechanism that uses back-channel communication between the OP and RPs being logged out

Whereas, this is the fourth Implementer’s Draft of this specification:

  • Session Management – Defines how to manage OpenID Connect sessions, including postMessage-based logout functionality

Each of these protocols communicate logout requests from OpenID Providers to Relying Parties, but using different mechanisms that are appropriate for different use cases. See the Introduction sections of each of the specifications for descriptions of the mechanisms used and comparisons between them. All the specifications share a common mechanism for communicating logout requests from Relying Parties to OpenID Providers.

As expected, the reviews generated some great feedback on ways to make the specs clearer. I expect the working group to incorporate that feedback in future revisions.

March 13, 2017
AMR Values specification addressing Stephen Farrell’s comments

OAuth logoSecurity area director Stephen Farrell had asked us to make it as clear as possible to people who might be registering new “amr” values that names can identify families of closely-related authentication methods. This is now said right in the IANA Registration Template, so that people who might not have read the spec can’t miss it.

FYI, all the previous IESG DISCUSSes have now been cleared, so hopefully that means this is the last version to be published before the Authentication Method Reference Values specification becomes an RFC.

Thanks again to Stephen for his always-thorough reviews of the specification.

The specification is available at:

An HTML-formatted version is also available at:

March 13, 2017
OAuth Token Binding spec adding numerous examples and authorization code token binding

OAuth logoDraft -02 of the OAuth Token Binding specification adds example protocol messages for every distinct flow and also adds token binding for authorization codes. A lot of this is informed by implementation work that Brian Campbell has been doing, who did most of the heavy lifting for this draft. Working group members are requested to give the new text a read before IETF 98 in Chicago and to have a look at the updated open issues list. The descriptions of some of the flows were also clarified, thanks to William Denniss.

The specification is available at:

An HTML-formatted version is also available at:

March 13, 2017
Pre-Chicago OAuth Device Flow specification refinements

OAuth logoDraft -05 of the OAuth 2.0 Device Flow specification contains refinements resulting from additional reviews that have come in. This gets us ready for working group discussions at IETF 98 in Chicago. Noteworthy updates were:

  • Removed the “response_type” request parameter from the authorization request since it’s not going to the authorization endpoint.
  • Specified that parameters that are not understood must be ignored, which is standard practice for OAuth specs.
  • Added the option for the “user_code” value to be included in the request URI, facilitating QR code use cases.
  • Clarified the expiration semantics.

Thanks to William Denniss for coordinating these updates.

The specification is available at:

An HTML-formatted version is also available at:

March 10, 2017
OAuth Authorization Server Metadata spec incorporating WGLC feedback

OAuth logoThe OAuth Authorization Server Metadata specification has been updated to incorporate the working group last call feedback received. Thanks to William Denniss and Hannes Tschofenig for their reviews. Use of the “https” scheme for the “jwks_uri” URL is now required. The precedence of signed metadata values over unsigned values was clarified. Unused references were removed.

The specification is available at:

An HTML-formatted version is also available at:

March 9, 2017
Cleaner version of Using RSA Algorithms with COSE Messages specification

IETF logoI’ve published an updated version of the “Using RSA Algorithms with COSE Messages” specification with a number of editorial improvements. Changes were:

  • Reorganized the security considerations.
  • Flattened the section structure.
  • Applied wording improvements suggested by Jim Schaad.

The specification is available at:

An HTML-formatted version is also available at:

March 2, 2017
CBOR Web Token (CWT) with better examples and a CBOR tag

IETF logoA new CBOR Web Token (CWT) draft is available with completely rewritten and much more useful examples, thanks to Samuel Erdtman. There are now examples of signed, MACed, encrypted, and nested CWTs that use all of the defined claims (and no claims not yet defined). A CBOR tag for CWTs is now also defined. People are highly encouraged to review the new examples and validate them.

The specification is available at:

An HTML-formatted version is also available at:

February 28, 2017
AMR Values specification addressing IESG comments

OAuth logoThe Authentication Method Reference Values specification has been updated to address feedback from the IESG. Identifiers are now restricted to using only printable JSON-friendly ASCII characters. All the “amr” value definitions now include specification references.

Thanks to Stephen Farrell, Alexey Melnikov, Ben Campbell, and Jari Arkko for their reviews.

The specification is available at:

An HTML-formatted version is also available at:

February 27, 2017
OAuth Device Flow specification nearly done

OAuth logoThe OAuth 2.0 Device Flow specification has been updated to flesh out some of the parts that were formerly missing or incomplete. Updates made were:

  • Updated the title to “OAuth 2.0 Device Flow for Browserless and Input Constrained Devices” to reflect the specificity of devices that use this flow.
  • User Instruction section expanded.
  • Security Considerations section added.
  • Usability Considerations section added.
  • Added OAuth 2.0 Authorization Server Metadata definition for the device authorization endpoint.

It’s my sense that this specification is now nearly done. I highly encourage those of you with device flow implementations to review this version with an eye towards ensuring that all the functionality needed for your use cases is present. For instance, I’d suggest comparing the error code definitions to your usage.

Thanks to William Denniss for producing these updates.

The specification is available at:

An HTML-formatted version is also available at:

February 14, 2017
OpenID Connect Relying Party Certification Launched

OpenID logoThanks to all who contributed to the launch of OpenID Connect Relying Party Certification! This is a major step in continuing to improve the interoperability and security of OpenID Connect implementations.

Roland Hedberg deserves huge credit for writing and deploying the testing tools. Roland eagerly interacted with developers as they “tested the tests”, promptly answering questions and iteratively developing the software to address issues that arose during the testing.

Hans Zandbelt and Edmund Jay also deserve huge thanks for being the earliest Relying Party testers. Because of their early feedback and perseverance, the process is now much easier for those that followed them.

As Don Thibeau wrote in the launch announcement, we were surprised by the speed of RP Certification adoption once we began the pilot phase – happening much more quickly than OpenID Provider certification did. I loved the feedback from developers, who told us that they understand the protocol better and have more secure implementations because of their certification participation. Let’s have more of that!

January 25, 2017
Candidate proposed OpenID Connect logout Implementer’s Drafts

Per discussions on the OpenID Connect working group calls, I have released candidate proposed Implementer’s Drafts for the three logout specs. The new versions are:

These drafts address the issues discussed on the calls and in the issue tracker. The changelogs can be viewed at these URLs:

Note that the Back-Channel Logout spec is compatible with the working group SecEvent spec

This note starts a one-week review period of these specifications by the working group. If blocking issues aren’t raised within a week, we will proceed with the formal review period preceding an OpenID Foundation Implementer’s Draft adoption vote.

January 24, 2017
“amr” Values specification addressing IETF last call comments

OAuth logoDraft -05 of the Authentication Method Reference Values specification addresses the IETF last call comments received. Changes were:

  • Specified characters allowed in “amr” values, reusing the IANA Considerations language on this topic from RFC 7638.
  • Added several individuals to the acknowledgements.

Thanks to Linda Dunbar, Catherine Meadows, and Paul Kyzivat for their reviews.

The specification is available at:

An HTML-formatted version is also available at:

January 19, 2017
OAuth Authorization Server Metadata decoupled from OAuth Protected Resource Metadata

OAuth logoThe IETF OAuth working group decided at IETF 97 to proceed with standardizing the OAuth Authorization Server Metadata specification, which is already in widespread use, and to stop work on the OAuth Protected Resource Metadata specification, which is more speculative. Accordingly, a new version of the AS Metadata spec has been published that removes its dependencies upon the Resource Metadata spec. In particular, the “protected_resources” AS Metadata element has been removed. Its definition has been moved to the Resource Metadata spec for archival purposes. Note that the Resource Metadata specification authors intend to let it expire unless the working group decides to resume work on it at some point in the future.

The specifications are available at:

HTML-formatted versions are also available at:

January 13, 2017
Media Type registration added to CBOR Web Token (CWT)

IETF logoThe CBOR Web Token (CWT) specification now registers the “application/cwt” media type, which accompanies the existing CoAP Content-Format ID registration for this media type. The description of nested CWTs, which uses this content type, was clarified. This draft also corrected some nits identified by Ludwig Seitz.

The specification is available at:

An HTML-formatted version is also available at:

Next »