Mike Jones: self-issued

Musings on Digital Identity

Author: Mike Jones Page 18 of 33

Building the Internet's missing identity layer

JOSE -40 drafts intended for the RFC Editor

By

On January 13, 2015

In Cryptography, JSON, Specifications

IETF logoThe document shepherd Karen O’Donoghue and I completed a review of all the IESG comments in the IETF data tracker today in preparation for the drafts going to the RFC Editor. This set of drafts addresses all the remaining comments that we thought should be dealt with in the final documents. The only changes were:

  • Clarified the definitions of UTF8(STRING) and ASCII(STRING).
  • Stated that “line breaks are for display purposes only” in places where this disclaimer was needed and missing.
  • Updated the WebCrypto reference to refer to the W3C Candidate Recommendation.

Unless additional issues are identified soon, these should be the drafts that go to the RFC Editor.

The specifications are available at:

HTML formatted versions are available at:

JOSE -39 drafts incorporating an additional registry field

By

On December 30, 2014

In Cryptography, JSON, Specifications

IETF logoThese drafts incorporate this additional registry field in the JSON Web Signature and Encryption Algorithms registry, based on a comment by Stephen Farrell, with input from Jim Schaad and Kathleen Moriarty:

Algorithm Analysis Documents(s):

References to publication(s) in well-known cryptographic conferences, by national standards bodies, or by other authoritative sources analyzing the cryptographic soundness of the algorithm to be registered. The designated experts may require convincing evidence of the cryptographic soundness of a new algorithm to be provided with the registration request unless the algorithm is being registered as Deprecated or Prohibited. Having gone through working group and IETF review, the initial registrations made by this document are exempt from the need to provide this information.

This addition is in the document:

An HTML formatted version is also available at:

JOSE -38 and JWT -32 drafts addressing the last of the IESG review comments

By

On December 9, 2014

In Claims, Cryptography, JSON, Specifications

IETF logoSlightly updated JSON Object Signing and Encryption (JOSE) and JSON Web Token (JWT) drafts have been published that address the last of the IESG review comments, which were follow-up comments by Stephen Farrell and Pete Resnick. All DISCUSS comments had already been addressed by the previous drafts. The one normative change is that implementations must now discard RSA private keys with an “oth” parameter when the implementation does not support private keys with more than two primes. The remaining changes were editorial improvements suggested by Pete.

The specifications are available at:

HTML formatted versions are available at:

A JSON-Based Identity Protocol Suite

By

On November 21, 2014

In Claims, Cryptography, Documentation, JSON, OAuth, OpenID, Specifications

quillMy article A JSON-Based Identity Protocol Suite has been published in the Fall 2014 issue of Information Standards Quarterly, with this citation page. This issue on Identity Management was guest-edited by Andy Dale. The article’s abstract is:

Achieving interoperable digital identity systems requires agreement on data representations and protocols among the participants. While there are several suites of successful interoperable identity data representations and protocols, including Kerberos, X.509, SAML 2.0, WS-*, and OpenID 2.0, they have used data representations that have limited or no support in browsers, mobile devices, and modern Web development environments, such as ASN.1, XML, or custom data representations. A new set of open digital identity standards have emerged that utilize JSON data representations and simple REST-based communication patterns. These protocols and data formats are intentionally designed to be easy to use in browsers, mobile devices, and modern Web development environments, which typically include native JSON support. This paper surveys a number of these open JSON-based digital identity protocols and discusses how they are being used to provide practical interoperable digital identity solutions.

This article is actually a follow-on progress report to my April 2011 position paper The Emerging JSON-Based Identity Protocol Suite. While standards can seem to progress slowly at times, comparing the two makes clear just how much has been accomplished in this time and shows that what was a prediction in 2011 is now a reality in widespread use.

JOSE -37 and JWT -31 drafts addressing remaining IESG review comments

By

On November 19, 2014

In Claims, Cryptography, JSON, Specifications

IETF logoThese JOSE and JWT drafts contain updates intended to address the remaining outstanding IESG review comments by Pete Resnick, Stephen Farrell, and Richard Barnes, other than one that Pete may still provide text for. Algorithm names are now restricted to using only ASCII characters, the TLS requirements language has been refined, the language about integrity protecting header parameters used in trust decisions has been augmented, we now say what to do when an RSA private key with “oth” is encountered but not supported, and we now talk about JWSs with invalid signatures being considered invalid, rather than them being rejected. Also, added the CRT parameter values to example JWK RSA private key representations.

The specifications are available at:

HTML formatted versions are available at:

JWK Thumbprint spec adopted by JOSE working group

By

On November 11, 2014

In Cryptography, JSON, Specifications

IETF logoThe JSON Web Key (JWK) Thumbprint specification was adopted by the JOSE working group during IETF 91. The initial working group version is identical to the individual submission version incorporating feedback from IETF 90, other than the dates and document identifier.

JWK Thumbprints are used by the recently approved OpenID Connect Core 1.0 incorporating errata set 1 spec. JOSE working group co-chair Jim Schaad said during the working group meeting that he would move the document along fast.

The specification is available at:

An HTML formatted version is also available at:

JOSE -36 and JWT -30 drafts addressing additional IESG review comments

By

On October 24, 2014

In Claims, Cryptography, JSON, Specifications

IETF logoThese JOSE and JWT drafts incorporate resolutions to some previously unresolved IESG comments. The primary change was adding flattened JSON Serialization syntax for the single digital signature/MAC and single recipient cases. See http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-36#appendix-A.7 and http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-36#appendix-A.5 for examples. See the history entries for details on the few other changes. No breaking changes were made.

The specifications are available at:

HTML formatted versions are available at:

JOSE -35 and JWT -29 drafts addressing AppsDir review comments

By

On October 17, 2014

In Claims, Cryptography, JSON, Specifications

IETF logoI’ve posted updated JOSE and JWT drafts that address the Applications Area Directorate review comments. Thanks to Ray Polk and Carsten Bormann for their useful reviews. No breaking changes were made.

The specifications are available at:

HTML formatted versions are available at:

JOSE -34 and JWT -28 drafts addressing IESG review comments

By

On October 14, 2014

In Claims, Cryptography, JSON, Specifications

IETF logoUpdated JOSE and JWT specifications have been published that address the IESG review comments received. The one set of normative changes was to change the implementation requirements for RSAES-PKCS1-V1_5 from Required to Recommended- and for RSA-OAEP from Optional to Recommended+. Thanks to Richard Barnes, Alissa Cooper, Stephen Farrell, Brian Haberman, Ted Lemon, Barry Leiba, and Pete Resnick for their IESG review comments, plus thanks to Scott Brim and Russ Housley for additional Gen-ART review comments, and thanks to the working group members who helped respond to them. Many valuable clarifications resulted from your thorough reviews.

The specifications are available at:

HTML formatted versions are available at:

JOSE -33 and JWT -27 drafts addressing Stephen Kent’s JWK comments

By

On September 25, 2014

In Claims, Cryptography, JSON, Specifications

IETF logoUpdated JOSE and JWT drafts have been published that address JSON Web Key (JWK) secdir review comments by Stephen Kent that were inadvertently not addressed in the previous versions. Most of the changes were to the JWK draft. A few changes also had to be made across the other drafts to keep them in sync. I also added acknowledgements to several additional contributors. No breaking changes were made.

The specifications are available at:

Differences since the previous drafts can be viewed at:

HTML formatted versions are available at:

JOSE -32 and JWT -26 drafts addressing IETF Last Call comments

By

On September 23, 2014

In Claims, Cryptography, JSON, Specifications

IETF logoNew versions of the JSON Object Signing and Encryption (JOSE) and JSON Web Token (JWT) specifications have been published incorporating feedback received in IETF Last Call comments. Thanks to Russ Housley and Roni Even for their Gen-ART reviews, to Tero Kivinen, Scott Kelly, Stephen Kent, Charlie Kaufman, and Warren Kumari for their secdir reviews, to Tom Yu for his individual review, and to James Manger and Chuck Mortimore who provided feedback based on deployment experiences, as well as to the many JOSE and OAuth working group members who pitched in to discuss resolutions. Many clarifications resulted. No breaking changes were made.

The specifications are available at:

HTML formatted versions are available at:

General Availability of Microsoft OpenID Connect Identity Provider

By

On September 10, 2014

In Claims, JSON, OAuth, OpenID, Software

Microsoft has announced that the Azure Active Directory OpenID Connect Identity Provider has reached general availability. Read about it in Alex Simons’ release announcement. The OpenID Provider supports discovery of the provider configuration information as well as session management (logout). The team participated in public OpenID Connect interop testing prior to the release. Thanks to all of you who performed interop testing with us.

Working Group Draft for OAuth 2.0 Act-As and On-Behalf-Of

By

On August 21, 2014

In Claims, JSON, OAuth, Specifications

OAuth logoThere’s now an OAuth working group draft of the OAuth 2.0 Token Exchange specification, which provides Act-As and On-Behalf-Of functionality for OAuth 2.0. This functionality is deliberately modelled on the same functionality present in WS-Trust.

Here’s a summary of the two concepts in a nutshell: Act-As indicates that the requestor wants a token that contains claims about two distinct entities: the requestor and an external entity represented by the token in the act_as parameter. On-Behalf-Of indicates that the requestor wants a token that contains claims only about one entity: the external entity represented by the token in the on_behalf_of parameter.

This draft is identical to the previously announced token exchange draft, other than that is a working group document, rather than an individual submission.

This specification is available at:

An HTML formatted version is also available at:

Microsoft JWT and OpenID Connect RP libraries updated

By

On August 20, 2014

In Claims, Cryptography, JSON, OAuth, OpenID, Software

This morning Microsoft released updated versions of its JSON Web Token (JWT) library and its OpenID Connect RP library as part of today’s Katana project release. See the Microsoft.Owin.Security.Jwt and Microsoft.Owin.Security.OpenIdConnect packages in the Katana project’s package list. These are .NET 4.5 code under an Apache 2.0 license.

For more background on Katana, you can see this post on Katana design principles and this post on using claims in Web applications. For more on the JWT code, see this post on the previous JWT handler release.

Thanks to Brian Campbell of Ping Identity for performing OpenID Connect interop testing with us prior to the release.

The Increasing Importance of Proof-of-Possession to the Web

By

On August 14, 2014

In Claims, Cryptography, Documentation, Events, JSON, OAuth, Specifications

W3C logoMy submission to the W3C Workshop on Authentication, Hardware Tokens and Beyond was accepted for presentation. I’ll be discussing The Increasing Importance of Proof-of-Possession to the Web. The abstract of my position paper is:

A number of different initiatives and organizations are now defining new ways to use proof-of-possession in several kinds of Web protocols. These range from cookies that can’t be stolen and reused, identity assertions only usable by a particular party, password-less login, to proof of eligibility to participate. While each of these developments is important in isolation, the pattern of all of them concurrently emerging now demonstrates the increasing importance of proof-of-possession to the Web.

It should be a quick and hopefully worthwhile read. I’m looking forward to discussing it with many of you at the workshop!

OAuth Dynamic Client Registration specs addressing remaining WGLC comments

By

On August 5, 2014

In Claims, OAuth, Specifications

OAuth logoAn updated OAuth Dynamic Client Registration spec has been published that finished applying clarifications requested during working group last call (WGLC). The proposed changes were discussed during the OAuth working group meeting at IETF 90 in Toronto. See the History section for details on the changes made.

The OAuth Dynamic Client Registration Management was also updated to change it from being Standards Track to Experimental.

The updated specifications are available at:

HTML formatted versions are also available at:

OAuth Assertions specs describing Privacy Considerations

By

On July 23, 2014

In Claims, Cryptography, JSON, OAuth, Specifications

OAuth logoBrian Campbell updated the OAuth Assertions specifications to add Privacy Considerations sections, responding to area director feedback. Thanks, Brian!

The specifications are available at:

HTML formatted versions are also available at:

JWK Thumbprint spec incorporating feedback from IETF 90

By

On July 23, 2014

In Cryptography, JSON, Specifications

IETF logoI’ve updated the JSON Web Key (JWK) Thumbprint specification to incorporate the JOSE working group feedback on the -00 draft from IETF 90. The two changes were:

  • Said that the result is undefined if characters requiring escaping are needed in the hash input.
  • Added instructions for representing integer numeric values in the hash input.

If a canonical JSON representation standard is ever adopted, this specification could be revised to use it, resulting in unambiguous definitions for those values (which are unlikely to ever occur in JWKs) as well. (Defining a complete canonical JSON representation is very much out of scope for this work!)

The specification is available at:

An HTML formatted version is also available at:

JWT Proof-of-Possession draft updated for IETF 90

By

On July 4, 2014

In Claims, JSON, OAuth, Specifications

OAuth logoIn preparation for IETF 90 in Toronto, I’ve updated the JWT Proof-of-Possession specification. The changes are mostly editorial in nature, plus a few changes that hadn’t received adequate review prior to inclusion in the -01 draft were reverted.

This specification is available at:

An HTML formatted version is also available at:

Act-As and On-Behalf-Of for OAuth 2.0

By

On July 4, 2014

In Claims, JSON, OAuth, Specifications

OAuth logoIn preparation for IETF 90 in Toronto, I’ve updated the OAuth Token Exchange draft to allow JWTs to be unsigned in cases where the trust model permits it. This draft also incorporates some of the review feedback received on the -00 draft. (Because I believe it deserves more working group discussion to determine the right resolutions, John Bradley’s terminology feedback was not yet addressed. This would be a good topic to discuss in Toronto.)

This specification is available at:

An HTML formatted version is also available at:

Page 18 of 33

Previous

Next

Powered by WordPress & Theme by Anders Norén