Archive for May, 2016

May 31, 2016
First Public Working Draft of W3C Web Authentication Specification

W3C logoThe W3C Web Authentication Working Group today announced publication of the First Public Working Draft of the W3C Web Authentication specification. The abstract of the specification is:

This specification defines an API that enables web pages to access WebAuthn compliant strong cryptographic credentials through browser script. Conceptually, one or more credentials are stored on an authenticator, and each credential is scoped to a single Relying Party. Authenticators are responsible for ensuring that no operation is performed without the user’s consent. The user agent mediates access to credentials in order to preserve user privacy. Authenticators use attestation to provide cryptographic proof of their properties to the relying party. This specification also describes a functional model of a WebAuthn compliant authenticator, including its signature and attestation functionality.

This specification is derived from the November 12, 2015 member submission of FIDO 2.0 Platform Specifications. Content from the three submitted specifications has been merged into a single Web Authentication specification, also incorporating changes agreed to by the Web Authentication working group. The working group intends to continue making timely progress, planning to publish a Candidate Recommendation by September 2016.

May 20, 2016
Initial ACE working group CBOR Web Token (CWT) specification

IETF logoWe have created the initial working group version of the CBOR Web Token (CWT) specification based on draft-wahlstroem-ace-cbor-web-token-00, with no normative changes. The abstract of the specification is:

CBOR Web Token (CWT) is a compact means of representing claims to be transferred between two parties. CWT is a profile of the JSON Web Token (JWT) that is optimized for constrained devices. The claims in a CWT are encoded in the Concise Binary Object Representation (CBOR) and CBOR Object Signing and Encryption (COSE) is used for added application layer security protection. A claim is a piece of information asserted about a subject and is represented as a name/value pair consisting of a claim name and a claim value.

Changes requested during the call for adoption will be published in the -01 version but we first wanted to publish a clean -00 working group draft.

The specification is available at:

An HTML-formatted version is also available at:

May 16, 2016
OpenID Connect Discussions at EIC 2016

OpenID logoOn May 10, during the OpenID Workshop at the 2016 European Identity and Cloud (EIC) conference, I gave a status update on the OpenID Connect working group to the 46 workshop attendees, including continued progress with OpenID Certification. You can view the presentation in PowerPoint or PDF format.

While I was happy to report on the working group activities, what I really enjoyed about the workshop was hearing many of the attendees telling us about their deployments. They told us about several important OpenID Connect projects each in Europe, Australia, South America, North America, and Asia. Rather than coming to learn what OpenID Connect is, as in some past EIC workshops, people were coming to discuss what they’re doing. Very cool!