May 16, 2018
OpenID Presentations at May 2018 European Identity and Cloud Conference (EIC)

OpenID logoI gave the following presentations during the OpenID workshop at the May 2018 European Identity and Cloud Conference (EIC):

May 9, 2018
Security Event Token (SET) updates addressing IESG feedback

IETF logoWe’ve updated the Security Event Token (SET) specification to address feedback received from Internet Engineering Steering Group (IESG) members. We’ve actually published three versions in quick succession in preparation for tomorrow’s evaluation by the IESG.

Draft -11 incorporated feedback from Security Area Director Eric Rescorla and IANA Designated Expert Ned Freed. Changes were:

  • Clarified “iss” claim language about the SET issuer versus the security subject issuer.
  • Changed a “SHOULD” to a “MUST” in the “sub” claim description to be consistent with the Requirements for SET Profiles section.
  • Described the use of the “events” claim to prevent attackers from passing off other kinds of JWTs as SETs.
  • Stated that SETs are to be signed by an issuer that is trusted to do so for the use case.
  • Added quotes in the phrase ‘”token revoked” SET to be issued’ in the Timing Issues section.
  • Added section number references to the media type and media type suffix registrations.
  • Changed the encodings of the media type and media type suffix registrations to binary (since no line breaks are allowed).
  • Replaced a “TBD” in the media type registration with descriptive text.
  • Acknowledged Eric Rescorla and Ned Freed.

Draft -12 incorporated feedback from Adam Roach, Alexey Melnikov, and Alissa Cooper. Changes were:

  • Removed unused references to RFC 7009 and RFC 7517.
  • Corrected name of RFC 8055 in Section 4.3 to “Session Initiation Protocol (SIP) Via Header Field Parameter to Indicate Received Realm”.
  • Added normative references for base64url and UTF-8.
  • Section 5.1 – Changed SHOULD to MUST in “personally identifiable information MUST be encrypted using JWE [RFC7516] or …”.
  • Section 5.2 – Changed “MUST consider” to “must consider”.
  • Acknowledged Adam Roach, Alexey Melnikov, and Alissa Cooper.

Draft -13 incorporated feedback from Martin Vigoureaux. Changes were:

  • Changed a non-normative “MAY” to “may” in Section 1.1.
  • Acknowledged Martin Vigoureux and Mirja Kühlewind.

The specification is available at:

An HTML-formatted version is also available at:

May 9, 2018
JWT BCP updates addressing WGLC feedback

OAuth logoThe JSON Web Token (JWT) Best Current Practices (BCP) specification has been updated to address the Working Group Last Call (WGLC) feedback received. Thanks to Neil Madden for his numerous comments and to Carsten Bormann and Brian Campbell for their reviews.

Assuming the chairs concur, the next step should be to request publication.

The specification is available at:

An HTML-formatted version is also available at:

May 8, 2018
“CBOR Web Token (CWT)” is now RFC 8392

IETF logoThe “CBOR Web Token (CWT)” specification is now RFC 8392 – an IETF standard. The abstract for the specification is:

CBOR Web Token (CWT) is a compact means of representing claims to be transferred between two parties. The claims in a CWT are encoded in the Concise Binary Object Representation (CBOR) and CBOR Object Signing and Encryption (COSE) is used for added application-layer security protection. A claim is a piece of information asserted about a subject and is represented as a name/value pair consisting of a claim name and a claim value. CWT is derived from JSON Web Token (JWT) but uses CBOR rather than JSON.

Special thanks to Erik Wahlström for starting this work and to Samuel Erdtman for doing most of the heavy lifting involved in creating correct and useful CBOR and COSE examples.

Next up – finishing “Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)”, which provides the CWT equivalent of “Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)” [RFC 7800].

May 7, 2018
On our journey to deprecate the password: Public Implementation Draft of FIDO2 Client to Authenticator Protocol (CTAP) specification

FIDO logoI’m pleased to report that a public Implementation Draft of the FIDO2 Client to Authenticator Protocol (CTAP) specification has been published. This specification enables FIDO2 clients, such as browsers implementing the W3C Web Authentication (WebAuthn) specification, to perform authentication using pairwise public/private key pairs securely held by authenticators speaking the CTAP protocol (rather than passwords). Use of three transports for communicating with authenticators is specified in the CTAP specification: USB Human Interface Device (USB HID), Near Field Communication (NFC), and Bluetooth Smart/Bluetooth Low Energy Technology (BLE).

This specification was developed in parallel with WebAuthn, including having a number of common authors. This CTAP version is aligned with the WebAuthn Candidate Recommendation (CR) version.

The CTAP Implementation Draft is available at:

Congratulations to the members of the FIDO2 working group for reaching this important milestone. This is a major step in our journey to deprecate the password!

May 2, 2018
Additional RSA Algorithms for COSE Messages Registered by W3C WebAuthn

W3C logoThe WebAuthn working group has published the “COSE Algorithms for Web Authentication (WebAuthn)” specification, which registers COSE algorithm identifiers for RSASSA-PKCS1-v1_5 signature algorithms with SHA-2 and SHA-1 hash algorithms. RSASSA-PKCS1-v1_5 with SHA-256 is used by several kinds of authenticators. RSASSA-PKCS1-v1_5 with SHA-1, while deprecated, is used by some Trusted Platform Modules (TPMs). See https://www.iana.org/assignments/cose/cose.xhtml#algorithms for the actual IANA registrations.

Thanks to John Fontana, Jeff Hodges, Tony Nadalin, Jim Schaad, Göran Selander, Wendy Seltzer, Sean Turner, and Samuel Weiler for their roles in registering these algorithm identifiers.

The specification is available at:

An HTML-formatted version is also available at:

May 1, 2018
Security Event Token (SET) spec addressing additional SecDir review comments

IETF logoAn updated Security Event Token (SET) specification has published to address recent review comments received. Changes were:

  • Incorporated wording improvements resulting from Russ Housley’s additional SecDir comments.
  • Registered +jwt structured syntax suffix.

The specification is available at:

An HTML-formatted version is also available at:

April 24, 2018
Late-breaking changes to OAuth Token Exchange syntax

OAuth logoThe syntax of two JWT claims registered by the OAuth Token Exchange specification has been changed as a result of developer feedback. Developers pointed out that the OAuth Token Introspection specification [RFC 7662] uses a “scope” string to represent scope values, whereas Token Exchange was defining an array-valued “scp” claim to represent scope values. The former also uses a “client_id” element to represent OAuth Client ID values, whereas the latter was using a “cid” claim for the same purpose.

After consulting with the working group, the OAuth Token Exchange claim names have been changed to “scope” and “client_id”. Thanks to Torsten Lodderstedt for pointing out the inconsistencies and to Brian Campbell for seeking consensus and making the updates.

The specification is available at:

An HTML-formatted version is also available at:

April 23, 2018
OAuth Device Flow spec addressing Area Director comments

OAuth logoThe OAuth 2.0 Device Flow for Browserless and Input Constrained Devices specification has been updated to address feedback by Security Area Director Eric Rescorla about the potential of a confused deputy attack. Thanks to John Bradley for helping work out the response to Eric and to William Denniss for reviewing and publishing the changes to the draft.

The specification is available at:

An HTML-formatted version is also available at:

April 17, 2018
Security Event Token (SET) spec addressing Area Director review comments

IETF logoThe Security Event Token (SET) specification has been updated to address Area Director review comments from Benjamin Kaduk. Thanks for the thorough and useful review, as always, Ben.

The specification is available at:

An HTML-formatted version is also available at:

April 4, 2018
Security Event Token (SET) spec addressing SecDir review comments

IETF logoA new draft of the Security Event Token (SET) specification has published that addresses comments from Russ Housley, who reviewed the spec for the IETF Security Directorate (SecDir). Changes were:

  • Incorporated wording improvements resulting from Russ Housley’s SecDir comments.
  • Acknowledged individuals who made significant contributions.

The specification is available at:

An HTML-formatted version is also available at:

April 3, 2018
OpenID Presentations at April 2018 OpenID Workshop and IIW

OpenID logoI gave the following presentations at the Monday, April 2, 2018 OpenID Workshop at Oracle:

I also gave the following invited “101” session presentation at the Internet Identity Workshop (IIW) on Tuesday, April 3, 2018:

March 29, 2018
OpenID Certification wins the 2018 Identity Innovation Award

OpenID Certified logoI’m thrilled that the OpenID Certification program has won the 2018 Identity Innovation Award at the IDnext conference. See the award announcement by the OpenID Foundation for more details.

The award recognizes that the OpenID Certification program has become a significant global force promoting high-quality, secure, interoperable OpenID Connect implementations. Its innovative use of self-certification using freely available online tools has made testing the quality of OpenID Connect implementations simple, effective, and commonplace. Thanks to IDnext for recognizing the impact of the OpenID Certification program!

Also, see the IDnext press release announcing the award and its description of the opinion of the award committee:

The significant global impact of the OpenID Certification program was a reason for its selection for the Identity Innovation Award. It recognizes that the innovative use of self-certification, with freely available testing tools, has resulted in substantial participation in the certification program, improving the security, quality, and interoperability of OpenID Connect implementations worldwide.

Identity Innovation Award

Identity Innovation Award Presentation

Finally, here’s the presentation that I gave at the IDnext conference making the case for the award (pptx) (pdf).

March 28, 2018
What Does Logout Mean?

OAuth logoDigital identity systems almost universally support end-users logging into applications and many also support logging out of them. But while login is reasonable well understood, there are many different kinds of semantics for “logout” in different use cases and a wide variety of mechanisms for effecting logouts.

I led a discussion on the topic “What Does Logout Mean?” at the 2018 OAuth Security Workshop in Trento, Italy, which was held the week before IETF 101, to explore this topic. The session was intentionally a highly interactive conversation, gathering information from the experts at the workshop to expand our collective understanding of the topic. Brock Allen – a practicing application security architect (and MVP for ASP.NET/IIS) – significantly contributed to the materials used to seed the discussion. And Nat Sakimura took detailed notes to record what we learned during the discussion.

Feedback on the discussion was uniformly positive. It seemed that all the participants learned things about logout use cases, mechanisms, and limitations that they previously hadn’t previously considered.

Materials related to the session are:

March 23, 2018
JWT BCP draft adding Nested JWT guidance

OAuth logoThe JSON Web Token (JWT) Best Current Practices (BCP) specification has been updated to add guidance on how to explicitly type Nested JWTs. Thanks to Brian Campbell for suggesting the addition.

The specification is available at:

An HTML-formatted version is also available at:

March 20, 2018
W3C Web Authentication (WebAuthn) specification has achieved Candidate Recommendation (CR) status

W3C logoThe W3C Web Authentication (WebAuthn) specification is now a W3C Candidate Recommendation (CR). See the specification at https://www.w3.org/TR/2018/CR-webauthn-20180320/ and my blog post announcing this result for the WebAuthn working group at https://www.w3.org/blog/webauthn/2018/03/20/candidate-recommendation/.

This milestone represents a huge step towards enabling logins to occur using privacy-preserving public/private key pairs securely held by authenticators, rather than passwords. Its contents have been informed by what we learned during several rounds of interop testing by multiple browser and authenticator vendors. The Web Authentication spec has also progressed in parallel with and been kept in sync with the FIDO2 Client To Authenticator Protocol (CTAP) specification, so that they work well together.

March 19, 2018
CBOR Web Token (CWT) spec for the RFC Editor

IETF logoOne more clarification to the CBOR Web Token (CWT) specification has been made to address a comment by IESG member Adam Roach. This version is being sent to the RFC Editor in preparation for its publication as an RFC. The change was:

  • Added section references when the terms “NumericDate” and “StringOrURI” are used, as suggested by Adam Roach.

Special thanks to Security Area Director Kathleen Moriarty for helping get this across the finish line!

The specification is available at:

An HTML-formatted version is also available at:

March 16, 2018
CBOR Web Token (CWT) spec addressing IESG comments

IETF logoThe CBOR Web Token (CWT) specification has been updated to address comments received from Internet Engineering Steering Group (IESG) members. Changes were:

  • Cleaned up the descriptions of the numeric ranges of claim keys being registered in the registration template for the “CBOR Web Token (CWT) Claims” registry, as suggested by Adam Roach.
  • Clarified the relationships between the JWT and CWT “NumericDate” and “StringOrURI” terms, as suggested by Adam Roach.
  • Eliminated unnecessary uses of the word “type”, as suggested by Adam Roach.
  • Added the text “IANA must only accept registry updates from the Designated Experts and should direct all requests for registration to the review mailing list” from RFC 7519, as suggested by Amanda Baber of IANA, which is also intended to address Alexey Melnikov’s comment.
  • Removed a superfluous comma, as suggested by Warren Kumari.
  • Acknowledged additional reviewers.

Special thanks to Security Area Director Kathleen Moriarty for helping get this across the finish line!

The specification is available at:

An HTML-formatted version is also available at:

March 6, 2018
W3C Web Authentication (WebAuthn) specification almost a Candidate Recommendation (CR)

W3C logoThe eighth working draft of the W3C Web Authentication (WebAuthn) specification has been published. The WebAuthn working group plans to submit this draft for approval by the W3C Director (Tim Berners-Lee) to become a W3C Candidate Recommendation (CR), after a few days’ review by the working group.

This milestone represents a huge step towards enabling logins to occur using public/private key pairs securely held by authenticators, rather than passwords. Its contents have been informed by what we learned during several rounds of interop testing by multiple browser and authenticator vendors. The Web Authentication spec has also progressed in parallel with and been kept in sync with the FIDO 2 Client To Authenticator Protocol (CTAP) specification, so that they work well together.

March 5, 2018
CBOR Web Token (CWT) draft addressing IETF last call comments

IETF logoThe CBOR Web Token (CWT) specification has been updated to address IETF last call comments received to date, including GenArt, SecDir, Area Director, and additional shepherd comments. Changes were:

  • Clarified the registration criteria applied to different ranges of Claim Key values, as suggested by Kathleen Moriarty and Dan Romascanu.
  • No longer describe the syntax of CWT claims as being the same as that of the corresponding JWT claims, as suggested by Kyle Rose.
  • Added guidance about the selection of the Designated Experts, as suggested by Benjamin Kaduk.
  • Acknowledged additional reviewers.

The specification is available at:

An HTML-formatted version is also available at:

« Prev - Next »