April 3, 2018
OpenID Presentations at April 2018 OpenID Workshop and IIW

OpenID logoI gave the following presentations at the Monday, April 2, 2018 OpenID Workshop at Oracle:

I also gave the following invited “101” session presentation at the Internet Identity Workshop (IIW) on Tuesday, April 3, 2018:

March 29, 2018
OpenID Certification wins the 2018 Identity Innovation Award

OpenID Certified logoI’m thrilled that the OpenID Certification program has won the 2018 Identity Innovation Award at the IDnext conference. See the award announcement by the OpenID Foundation for more details.

The award recognizes that the OpenID Certification program has become a significant global force promoting high-quality, secure, interoperable OpenID Connect implementations. Its innovative use of self-certification using freely available online tools has made testing the quality of OpenID Connect implementations simple, effective, and commonplace. Thanks to IDnext for recognizing the impact of the OpenID Certification program!

Also, see the IDnext press release announcing the award and its description of the opinion of the award committee:

The significant global impact of the OpenID Certification program was a reason for its selection for the Identity Innovation Award. It recognizes that the innovative use of self-certification, with freely available testing tools, has resulted in substantial participation in the certification program, improving the security, quality, and interoperability of OpenID Connect implementations worldwide.

Identity Innovation Award

Identity Innovation Award Presentation

Finally, here’s the presentation that I gave at the IDnext conference making the case for the award (pptx) (pdf).

March 28, 2018
What Does Logout Mean?

OAuth logoDigital identity systems almost universally support end-users logging into applications and many also support logging out of them. But while login is reasonable well understood, there are many different kinds of semantics for “logout” in different use cases and a wide variety of mechanisms for effecting logouts.

I led a discussion on the topic “What Does Logout Mean?” at the 2018 OAuth Security Workshop in Trento, Italy, which was held the week before IETF 101, to explore this topic. The session was intentionally a highly interactive conversation, gathering information from the experts at the workshop to expand our collective understanding of the topic. Brock Allen – a practicing application security architect (and MVP for ASP.NET/IIS) – significantly contributed to the materials used to seed the discussion. And Nat Sakimura took detailed notes to record what we learned during the discussion.

Feedback on the discussion was uniformly positive. It seemed that all the participants learned things about logout use cases, mechanisms, and limitations that they previously hadn’t previously considered.

Materials related to the session are:

March 23, 2018
JWT BCP draft adding Nested JWT guidance

OAuth logoThe JSON Web Token (JWT) Best Current Practices (BCP) specification has been updated to add guidance on how to explicitly type Nested JWTs. Thanks to Brian Campbell for suggesting the addition.

The specification is available at:

An HTML-formatted version is also available at:

March 20, 2018
W3C Web Authentication (WebAuthn) specification has achieved Candidate Recommendation (CR) status

W3C logoThe W3C Web Authentication (WebAuthn) specification is now a W3C Candidate Recommendation (CR). See the specification at https://www.w3.org/TR/2018/CR-webauthn-20180320/ and my blog post announcing this result for the WebAuthn working group at https://www.w3.org/blog/webauthn/2018/03/20/candidate-recommendation/.

This milestone represents a huge step towards enabling logins to occur using privacy-preserving public/private key pairs securely held by authenticators, rather than passwords. Its contents have been informed by what we learned during several rounds of interop testing by multiple browser and authenticator vendors. The Web Authentication spec has also progressed in parallel with and been kept in sync with the FIDO2 Client To Authenticator Protocol (CTAP) specification, so that they work well together.

March 19, 2018
CBOR Web Token (CWT) spec for the RFC Editor

IETF logoOne more clarification to the CBOR Web Token (CWT) specification has been made to address a comment by IESG member Adam Roach. This version is being sent to the RFC Editor in preparation for its publication as an RFC. The change was:

  • Added section references when the terms “NumericDate” and “StringOrURI” are used, as suggested by Adam Roach.

Special thanks to Security Area Director Kathleen Moriarty for helping get this across the finish line!

The specification is available at:

An HTML-formatted version is also available at:

March 16, 2018
CBOR Web Token (CWT) spec addressing IESG comments

IETF logoThe CBOR Web Token (CWT) specification has been updated to address comments received from Internet Engineering Steering Group (IESG) members. Changes were:

  • Cleaned up the descriptions of the numeric ranges of claim keys being registered in the registration template for the “CBOR Web Token (CWT) Claims” registry, as suggested by Adam Roach.
  • Clarified the relationships between the JWT and CWT “NumericDate” and “StringOrURI” terms, as suggested by Adam Roach.
  • Eliminated unnecessary uses of the word “type”, as suggested by Adam Roach.
  • Added the text “IANA must only accept registry updates from the Designated Experts and should direct all requests for registration to the review mailing list” from RFC 7519, as suggested by Amanda Baber of IANA, which is also intended to address Alexey Melnikov’s comment.
  • Removed a superfluous comma, as suggested by Warren Kumari.
  • Acknowledged additional reviewers.

Special thanks to Security Area Director Kathleen Moriarty for helping get this across the finish line!

The specification is available at:

An HTML-formatted version is also available at:

March 6, 2018
W3C Web Authentication (WebAuthn) specification almost a Candidate Recommendation (CR)

W3C logoThe eighth working draft of the W3C Web Authentication (WebAuthn) specification has been published. The WebAuthn working group plans to submit this draft for approval by the W3C Director (Tim Berners-Lee) to become a W3C Candidate Recommendation (CR), after a few days’ review by the working group.

This milestone represents a huge step towards enabling logins to occur using public/private key pairs securely held by authenticators, rather than passwords. Its contents have been informed by what we learned during several rounds of interop testing by multiple browser and authenticator vendors. The Web Authentication spec has also progressed in parallel with and been kept in sync with the FIDO 2 Client To Authenticator Protocol (CTAP) specification, so that they work well together.

March 5, 2018
CBOR Web Token (CWT) draft addressing IETF last call comments

IETF logoThe CBOR Web Token (CWT) specification has been updated to address IETF last call comments received to date, including GenArt, SecDir, Area Director, and additional shepherd comments. Changes were:

  • Clarified the registration criteria applied to different ranges of Claim Key values, as suggested by Kathleen Moriarty and Dan Romascanu.
  • No longer describe the syntax of CWT claims as being the same as that of the corresponding JWT claims, as suggested by Kyle Rose.
  • Added guidance about the selection of the Designated Experts, as suggested by Benjamin Kaduk.
  • Acknowledged additional reviewers.

The specification is available at:

An HTML-formatted version is also available at:

March 4, 2018
OAuth Authorization Server Metadata spec addressing additional IESG feedback

OAuth logoThe OAuth Authorization Server Metadata specification has been updated to address additional IESG feedback. The only change was to clarify the meaning of “case-insensitive”, as suggested by Alexey Melnikov.

The specification is available at:

An HTML-formatted version is also available at:

March 3, 2018
Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) spec with a few improvements

IETF logoA few local improvements have been made to the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification. Changes were:

  • Changed “typically” to “often” when describing ways of performing proof of possession.
  • Changed b64 to hex encoding in an example.
  • Changed to using the RFC 8174 boilerplate instead of the RFC 2119 boilerplate.

Thanks to Samuel Erdtman for sharing the editing.

The specification is available at:

An HTML-formatted version is also available at:

February 28, 2018
Security Event Token (SET) spec addressing 2nd WGLC and shepherd comments

IETF logoA new draft of the Security Event Token (SET) specification has published that addresses review comments from the second Working Group Last Call and shepherd comments from Yaron Sheffer. Changes were:

  • Changed “when the event was issued” to “when the SET was issued” in the “iat” description, as suggested by Annabelle Backman.
  • Applied editorial improvements that improve the consistency of the specification that were suggested by Annabelle Backman, Marius Scurtescu, and Yaron Sheffer.

The specification is available at:

An HTML-formatted version is also available at:

February 27, 2018
OAuth Authorization Server Metadata spec addressing IESG feedback

OAuth logoThe OAuth Authorization Server Metadata specification has been updated to address feedback received from IESG members. Changes were:

  • Revised the transformation between the issuer identifier and the authorization server metadata location to conform to BCP 190, as suggested by Adam Roach.
  • Defined the characters allowed in registered metadata names and values, as suggested by Alexey Melnikov.
  • Changed to using the RFC 8174 boilerplate instead of the RFC 2119 boilerplate, as suggested by Ben Campbell.
  • Acknowledged additional reviewers.

The specification is available at:

An HTML-formatted version is also available at:

February 2, 2018
CBOR Web Token (CWT) draft addressing shepherd review comments

IETF logoThe CBOR Web Token (CWT) specification has been updated to address the shepherd comments by Benjamin Kaduk. Changes were:

  • Updated the RFC 5226 reference to RFC 8126.
  • Made the IANA registration criteria consistent across sections.
  • Stated that registrations for the limited set of values between -256 and 255 and strings of length 1 are to be restricted to claims with general applicability.
  • Changed the “Reference” field name to “Description of Semantics” in the CBOR Tag registration request.
  • Asked the RFC Editor whether it is possible to preserve the non-ASCII spellings of the names Erik Wahlström and Göran Selander in the final specification.

Thanks to Ben for his careful review of the specification!

The specification is available at:

An HTML-formatted version is also available at:

February 2, 2018
Security Event Token (SET) spec simplifying claims usage

IETF logoThe Security Event Token (SET) specification has been updated to simplify the definitions and usage of the “iat” (issued at) and “toe” (time of event) claims. The full set of changes made was:

  • Simplified the definitions of the “iat” and “toe” claims in ways suggested by Annabelle Backman.
  • Added privacy considerations text suggested by Annabelle Backman.
  • Updated the RISC event example, courtesy of Marius Scurtescu.
  • Reordered the claim definitions to place the required claims first.
  • Changed to using the RFC 8174 boilerplate instead of the RFC 2119 boilerplate.

Thanks to Annabelle Backman, Marius Scurtescu, Phil Hunt, and Dick Hardt for the discussions that led to these simplifications.

The specification is available at:

An HTML-formatted version is also available at:

January 21, 2018
CBOR Web Token (CWT) draft correcting an example

IETF logoA new CBOR Web Token (CWT) draft has been published that applies a correction to an example. The full list of changes is:

  • Corrected the “iv” value in the signed and encrypted CWT example.
  • Mention CoAP in the application/cwt media type registration.
  • Changed references of the form “Section 4.1.1 of JWT <xref target="RFC7519"/>” to “Section 4.1.1 of <xref target="RFC7519"/>” so that rfcmarkup will generate correct external section reference links.
  • Updated Acknowledgements.

Thanks to Samuel Erdtman for validating all the examples once more and finding the issue with the signed and encrypted example. Thanks to Benjamin Kaduk for pointing out additional improvements that could be applied from the second WGLC comments.

The specification is available at:

An HTML-formatted version is also available at:

January 20, 2018
Security Event Token (SET) spec incorporating clarifications and a RISC example

IETF logoA new version of the Security Event Token (SET) specification has been published that incorporates clarifications suggested by working group members in discussions since IETF 100. Changes were:

  • Clarified that all “events” values must represent aspects of the same state change that occurred to the subject — not an aggregation of unrelated events about the subject.
  • Removed ambiguities about the roles of multiple “events” values and the responsibilities of profiling specifications for defining how and when they are used.
  • Corrected places where the term JWT was used when what was actually being discussed was the JWT Claims Set.
  • Addressed terminology inconsistencies. In particular, standardized on using the term “issuer” to align with JWT terminology and the “iss” claim. Previously the term “transmitter” was sometimes used and “issuer” was sometimes used. Likewise, standardized on using the term “recipient” instead of “receiver” for the same reasons.
  • Added a RISC event example, courtesy of Marius Scurtescu.
  • Applied wording clarifications suggested by Annabelle Backman and Yaron Sheffer.
  • Applied numerous grammar, syntax, and formatting corrections.

No changes to the semantics of the specification were made.

The specification is available at:

An HTML-formatted version is also available at:

January 19, 2018
OAuth Token Exchange spec addressing Area Director feedback

OAuth logoA new draft of the OAuth 2.0 Token Exchange specification has been published that addresses feedback from Security Area Director Eric Rescorla. The acknowledgements were also updated. Thanks to Brian Campbell for doing the editing for this version.

The specification is available at:

An HTML-formatted version is also available at:

December 17, 2017
CBOR Web Token (CWT) addressing 2nd WGLC comments

IETF logoA new CBOR Web Token (CWT) draft has been published that addresses comments received during the second working group last call. Thanks to Hannes Tschofenig, Esko Dijk, Ludwig Seitz, Carsten Bormann, and Benjamin Kaduk for their feedback. All changes made were clarifications or formatting improvements.

The specification is available at:

An HTML-formatted version is also available at:

December 5, 2017
Seventh working draft of W3C Web Authentication (WebAuthn) specification

W3C logoThe W3C Web Authentication working group has published the seventh working draft of the W3C Web Authentication (WebAuthn) specification. See the release page for a description of the changes since WD-06. The working group plans for the next version published to be a W3C Candidate Recommendation (CR). No breaking changes are expected between WD-07 and CR.

« Prev - Next »