Building the Internet's missing identity layer
The OAuth Authorization Server Metadata specification has been updated to address additional IESG feedback. The only change was to clarify the meaning of “case-insensitive”, as suggested by Alexey Melnikov.
The specification is available at:
An HTML-formatted version is also available at:
A few local improvements have been made to the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification. Changes were:
Thanks to Samuel Erdtman for sharing the editing.
The specification is available at:
An HTML-formatted version is also available at:
A new draft of the Security Event Token (SET) specification has published that addresses review comments from the second Working Group Last Call and shepherd comments from Yaron Sheffer. Changes were:
iat” description, as suggested by Annabelle Backman.The specification is available at:
An HTML-formatted version is also available at:
The OAuth Authorization Server Metadata specification has been updated to address feedback received from IESG members. Changes were:
The specification is available at:
An HTML-formatted version is also available at:
The CBOR Web Token (CWT) specification has been updated to address the shepherd comments by Benjamin Kaduk. Changes were:
Thanks to Ben for his careful review of the specification!
The specification is available at:
An HTML-formatted version is also available at:
The Security Event Token (SET) specification has been updated to simplify the definitions and usage of the “iat” (issued at) and “toe” (time of event) claims. The full set of changes made was:
iat” and “toe” claims in ways suggested by Annabelle Backman.Thanks to Annabelle Backman, Marius Scurtescu, Phil Hunt, and Dick Hardt for the discussions that led to these simplifications.
The specification is available at:
An HTML-formatted version is also available at:
A new CBOR Web Token (CWT) draft has been published that applies a correction to an example. The full list of changes is:
application/cwt media type registration.Thanks to Samuel Erdtman for validating all the examples once more and finding the issue with the signed and encrypted example. Thanks to Benjamin Kaduk for pointing out additional improvements that could be applied from the second WGLC comments.
The specification is available at:
An HTML-formatted version is also available at:
A new version of the Security Event Token (SET) specification has been published that incorporates clarifications suggested by working group members in discussions since IETF 100. Changes were:
No changes to the semantics of the specification were made.
The specification is available at:
An HTML-formatted version is also available at:
A new draft of the OAuth 2.0 Token Exchange specification has been published that addresses feedback from Security Area Director Eric Rescorla. The acknowledgements were also updated. Thanks to Brian Campbell for doing the editing for this version.
The specification is available at:
An HTML-formatted version is also available at:
A new CBOR Web Token (CWT) draft has been published that addresses comments received during the second working group last call. Thanks to Hannes Tschofenig, Esko Dijk, Ludwig Seitz, Carsten Bormann, and Benjamin Kaduk for their feedback. All changes made were clarifications or formatting improvements.
The specification is available at:
An HTML-formatted version is also available at:
The W3C Web Authentication working group has published the seventh working draft of the W3C Web Authentication (WebAuthn) specification. See the release page for a description of the changes since WD-06. The working group plans for the next version published to be a W3C Candidate Recommendation (CR). No breaking changes are expected between WD-07 and CR.
A new draft of the OAuth 2.0 Token Exchange specification has been published that adds token type URIs for SAML 1.1 and SAML 2.0 assertions. They were added in response to actual developer use cases. These parallel the existing token type URI for JWT tokens.
The specification is available at:
An HTML-formatted version is also available at:
The OAuth Authorization Server Metadata specification has been updated to incorporate feedback received during IETF last call. Thanks to Shwetha Bhandari, Brian Carpenter, Donald Eastlake, Dick Hardt, and Mark Nottingham for their reviews. See the Document History appendix for clarifications applied. No normative changes were made.
The specification is available at:
An HTML-formatted version is also available at:
Draft -01 of the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification updates the examples to use CBOR diagnostic notation, thanks to Ludwig Seitz. A table summarizing the “cnf” names, keys, and value types was added, thanks to Samuel Erdtman. Finally, some of Jim Schaad’s feedback on -00 was addressed (with more to be addressed by the opening of IETF 100 in Singapore).
The specification is available at:
An HTML-formatted version is also available at:
A new CBOR Web Token (CWT) draft has been published that adds CBOR_Key values and Key IDs to examples. Thanks to Samuel Erdtman for working on the examples, as always. Thanks to Giridhar Mandyam for validating the examples!
I believe that it’s time to request publication, as there remain no known issues with the specification.
The specification is available at:
An HTML-formatted version is also available at:
The OAuth 2.0 Token Binding specification has been updated to enable Token Binding of JWT Authorization Grants and JWT Client Authentication. The discussion of phasing in Token Binding was improved and generalized. See the Document History section for other improvements applied.
The specification is available at:
An HTML-formatted version is also available at:
An update to the closely-related OpenID Connect Token Bound Authentication 1.0 specification was also simultaneously published. Its discussion of phasing in Token Binding was correspondingly updated.
The OpenID Connect Token Binding specification is available in HTML and text versions at:
Thanks to Brian Campbell for doing the bulk of the editing for both sets of revisions.
I gave the following presentations at the Monday, October 16, 2017 OpenID Workshop at PayPal:
I also gave the following “101” session presentation at the Internet Identity Workshop (IIW) on Tuesday, October 17th:
The initial working group draft of the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been posted. It contains the same normative content as draft-jones-ace-cwt-proof-of-possession-01. The abstract of the specification is:
This specification describes how to declare in a CBOR Web Token (CWT) that the presenter of the CWT possesses a particular proof-of-possession key. Being able to prove possession of a key is also sometimes described as the presenter being a holder-of-key. This specification provides equivalent functionality to “Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)” (RFC 7800), but using CBOR and CWTs rather than JSON and JWTs.
I look forward to working with my co-authors and the working group to hopefully complete this quickly!
The specification is available at:
An HTML-formatted version is also available at:
The “Using RSA Algorithms with CBOR Object Signing and Encryption (COSE) Messages” specification is now RFC 8230 – an IETF standard. The abstract for the specification is:
The CBOR Object Signing and Encryption (COSE) specification defines cryptographic message encodings using Concise Binary Object Representation (CBOR). This specification defines algorithm encodings and representations enabling RSA algorithms to be used for COSE messages. Encodings are specified for the use of RSA Probabilistic Signature Scheme (RSASSA-PSS) signatures, RSA Encryption Scheme – Optimal Asymmetric Encryption Padding (RSAES-OAEP) encryption, and RSA keys.
Some of these values are already being used by the sixth working draft of the W3C Web Authentication specification. In addition, the WebAuthn specification defines algorithm values for RSASSA-PKCS1-v1_5 signatures, which are used by TPMs, among other applications. The RSASSA-PKCS1-v1_5 signature algorithm values should also be registered shortly.
Thanks to Kathleen Moriarty for her Area Director sponsorship of the specification!
The OAuth Authorization Server Metadata specification has been updated to incorporate feedback from Security Area Director Eric Rescorla. Thanks to EKR for his useful review. A number of defaults and restrictions are now better specified.
The specification is available at:
An HTML-formatted version is also available at:
Powered by WordPress & Theme by Anders Norén