Musings on Digital Identity

Category: Events

Progress Report on Handling an Actionable Security Vulnerability

I gave a presentation at the 2026 OAuth Security Workshop in Leipzig describing the actions we took when an actionable security vulnerability was discovered affecting numerous OpenID and OAuth specifications. Much of the information discussed was not previously public.

As I described when writing about a spec we created to address the problems, the security vulnerability was identified during formal analysis of the OpenID Federation specification. The vulnerability resulted from ambiguities in the treatment of the audience values of tokens intended for the authorization server. The ambiguities enabled a malicious authorization server to use the token endpoint of a legitimate authorization server as the audience value, resulting in a client authentication JWT that the attacker could use there.
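The audience check at the centre of this, as an added example that is not code from the post or from any OAuth/OpenID project: an authorization server verifying a client authentication JWT under an ambiguous audience policy (issuer identifier or token endpoint URL both accepted) beside a policy that pins the audience to a single issuer identifier. The pinned policy is this example's own way of removing the ambiguity, not a restatement of the specification text; HS256 with a shared secret stands in for the asymmetric signature a real deployment would use, and the issuer, endpoint and client values are constructed.

```python
# Added example (not from the original post or any OAuth/OpenID project): an
# AS-side check on the "aud" claim of a client authentication JWT. HS256 with a
# shared secret stands in for an asymmetric signature; all values are constructed.
import base64
import hashlib
import hmac
import json
import time

AS_ISSUER = "https://as.example"                # constructed issuer identifier
AS_TOKEN_ENDPOINT = "https://as.example/token"  # constructed token endpoint URL
SECRET = b"demo-shared-secret"                  # constructed stand-in for a key

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_client_assertion(client_id, audience, secret=SECRET, now=None, lifetime=300):
    """Build the JWT a client presents to authenticate at the token endpoint.
    `audience` may be a string or a list: under an ambiguous spec a client might
    put the token endpoint URL there, the issuer identifier, or both."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": audience,
              "iat": now, "exp": now + lifetime, "jti": "%s-%d" % (client_id, now)}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_client_assertion(token, accepted_audiences, secret=SECRET, now=None,
                            single_audience=False):
    """Check signature and lifetime, then apply the audience policy.
    accepted_audiences: the values this AS treats as naming itself.
    single_audience: require exactly one "aud" value; together with
    accepted_audiences == {AS_ISSUER} this pins the assertion to this AS only.
    Returns the claims on success and raises ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, p, s = parts
    expected = hmac.new(secret, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(_b64url_decode(p))
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("missing or passed exp")
    if claims.get("iss") != claims.get("sub"):
        raise ValueError("iss and sub must both be the client_id")
    aud = claims.get("aud")
    aud_values = [aud] if isinstance(aud, str) else list(aud or [])
    if single_audience and len(aud_values) != 1:
        raise ValueError("exactly one audience value required")
    if not any(a in accepted_audiences for a in aud_values):
        raise ValueError("audience %r does not name this AS" % aud_values)
    return claims

def accepted_under_each_policy(token, now):
    """Return (ambiguous policy result, pinned policy result) for one assertion.
    Ambiguous: issuer identifier or token endpoint URL; pinned: one issuer only."""
    def accepts(auds, single):
        try:
            verify_client_assertion(token, auds, now=now, single_audience=single)
            return True
        except ValueError:
            return False
    return (accepts({AS_ISSUER, AS_TOKEN_ENDPOINT}, False),
            accepts({AS_ISSUER}, True))

if __name__ == "__main__":
    t0 = 1700000000
    for aud in (AS_TOKEN_ENDPOINT, AS_ISSUER, [AS_ISSUER, AS_TOKEN_ENDPOINT]):
        tok = mint_client_assertion("client-123", aud, now=t0)
        print(aud, "->", accepted_under_each_policy(tok, now=t0 + 10))
```

An assertion minted for the token endpoint URL passes the ambiguous policy and fails the pinned one, which is the difference an AS relying on the pinned check sees.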

The presentation detailed how the vulnerability was discussed privately among authors of affected specifications, privately disclosed to affected parties and developers, disclosed to the OAuth working group, disclosed publicly by the OpenID Foundation, and fixed in the affected specifications (which is still a work in progress). I presented the tradeoffs considered, the decisions made and the reasons for them, and reflected on lessons learned. See the presentation deck I used (pptx) (pdf).

The thoughtful, careful, and timely action by those responsible for the affected specifications and ecosystems was impressive. I was honored to be part of it.

I’ll close by noting that the OAuth Security Workshop came into existence in November 2015 in response to an earlier security vulnerability also discovered through formal analysis. Describing our handling of another such vulnerability at this OSW was therefore certainly in keeping with the reasons for the workshop in the first place!

Post-Quantum Signatures for JOSE and COSE

Congratulations to Mike Prorock and Orie Steele on the publication of “ML-DSA for JSON Object Signing and Encryption (JOSE) and CBOR Object Signing and Encryption (COSE)” as RFC 9964! This is a major step forward towards enabling widely-available post-quantum signatures for the Internet and devices.

The abstract from the RFC is:

This document specifies JSON Object Signing and Encryption (JOSE) and CBOR Object Signing and Encryption (COSE) serializations for the Module-Lattice-Based Digital Signature Standard (ML-DSA), a Post-Quantum Cryptography (PQC) digital signature scheme defined in US NIST FIPS 204.

As I discussed at TDI 2026 and will discuss tomorrow at EIC 2026, transitioning to post-quantum algorithms is a multi-step process:

  1. Developing PQ algorithms
  2. Creating standards for using PQ algorithms
  3. Updating software to use PQ standards
  4. Deploying the updated software in your environment

Mike and Orie successfully completed step 2 for JOSE and COSE signatures today!

The JOSE and COSE algorithm identifiers for ML-DSA were actually registered with IANA in July 2025, once it was clear that the document was stable. Some deployments already exist. For instance, Yubico has created prototype Yubikeys (hardware passkeys) supporting ML-DSA signatures. The algorithms are now recommended in the FIDO2 CTAP2.3 Server Requirements.

I played a few supporting roles progressing this spec. I co-chaired the COSE Working Group with Ivaylo Petrov where the work occurred. Ivo and I made a consensus call in May 2025 to standardize only one private key representation – the seed. (As I often advocate, “Standards are about making choices”.) And I requested early allocation of the algorithm identifiers with IANA in July 2025.

Orie said to me while the spec was in AUTH48 with the RFC Editor: “This may be one of the most consequential RFCs I ever create.” I completely agree! And special congratulations, Mike Prorock, on your first RFC!


Here’s a slide from my TDI 2026 presentation on what’s hard about deploying post-quantum cryptography. I’ll make the same case tomorrow at EIC.

What's Hard About Post-Quantum Cryptography

OpenID Presentations at April 2026 OpenID Workshop and IIW

I gave the following presentation on behalf of the OpenID Connect Working Group at the Monday, April 27, 2026 OpenID Workshop at Cisco:

And as has become traditional, I also gave this invited “101” session presentation at the Internet Identity Workshop (IIW) on Tuesday, April 28, 2026:

Once again, there was an engaged and informed set of participants who brought their own perspectives and questions to the session, making it more useful for everyone.

Presentation on the OpenID Federation Journey at TDI 2026

I gave the presentation “The Journey to OpenID Federation 1.0 and the Road Ahead” at the 4th International Workshop on Trends in Digital Identity (TDI 2026) in Verona, Italy. My talk abstract was:

The OpenID Federation 1.0 specification was completed in February 2026 after a 9½ year journey, starting with the challenge from Lucy Lynch to Roland Hedberg at the TNC 2016 conference “If there is someone who should be able to bring the eduGAIN identity federation into the new world of OpenID Connect, it is you.” It enables establishing trust among parties in a federation without them having to have a bilateral relationship. It establishes a protocol-independent framework for trust establishment that can be employed with any protocol and ecosystem.

Along the road, there have been 9 interop events, from which the authors used feedback from developers and deployers to improve the specification. Early deployments, especially in Italy, provided real-world experience. A security analysis identified an actionable vulnerability not just in OpenID Federation, but also in OAuth, OpenID Connect, and FAPI.

The road ahead includes continued adoption and developing extensions needed for particular use cases and protocols. Those include extensions used by the Italian EUDI Wallet deployment and open finance deployments in Australia. I am confident that the inherent benefits of the scalable and modular OpenID Federation framework will continue to win adherents the world over.

It was an honor to discuss this topic in Italy and with researchers from FBK, who were among the first to deploy OpenID Federation in production and at scale.

See the presentation deck I used (pptx) (pdf).

Thanks to the FBK Center for Cybersecurity for the dynamic and enjoyable conference!

OpenID Federation Journey at TDI 2026

Post-Quantum Presentation at TDI 2026

I gave the presentation “The Post-Quantum Apocalypse Is Already Upon Us” at the 4th International Workshop on Trends in Digital Identity (TDI 2026) in Verona, Italy. My talk abstract was:

“The future is already here — it’s just not evenly distributed” is an apt description of the impact of quantum computers on cryptography and its use in our identity systems. We all know that quantum computers are predicted to be able to break the cryptographic algorithms used in today’s identity systems (RSA, Elliptic Curve, etc.) at some unknown point in the future. But this possibility has huge implications right now. “Disruptive” is an understatement. Every piece of software using cryptography has to be updated before Cryptographically Relevant Quantum Computers (CRQCs) are created (and we don’t know when that will be). “Store now — decrypt later” attacks require action now, not later. Are you using software and protocols that may never be updated for the post-quantum world (such as SAML)? Are you comfortable with your migration path to fully quantum-safe software? This presentation will help you evaluate what you need to do when and how and why to avoid being a victim of the Post-Quantum Apocalypse.

This resulted in an active and useful discussion on what the practical barriers are to updating our computing environments to be secure in the advent of Cryptographically Relevant Quantum Computers (CRQCs), and why it’s critical to start now. Topics included cryptographic algorithms, standards, updating software, and possibly the most difficult thing of all – acting in the presence of uncertainty.

See the presentation deck I used (pptx) (pdf).

Thanks to the FBK Center for Cybersecurity for the great event!

Post-Quantum Presentation at TDI 2026

OpenID Federation Interop Event at TIIME 2026 in Amsterdam

Implementers of OpenID Federation gathered at the 2026 Trust and Internet Identity Meeting Europe (TIIME) unconference in Amsterdam on Friday, February 13, 2026 to test their implementations with one another. 12 people with 9 implementations and from 9 countries performed interop tests together. Participants were from Croatia, Finland, Greece, Italy, Netherlands, Poland, Serbia, Sweden, and the US.

The interop was organized by Niels van Dijk of SURF and Davide Vaghetti of GARR. Davide ran the interop, including assembling the test federation with the participants. Giuseppe De Marco’s OpenID Federation Browser was a useful tool for visualizing and understanding the test federation. The test federation remains assembled and I’ve observed that some participants have continued to test with one another in the days since the in-person interop at TIIME.

Here’s some photos and graphics to capture the spirit of the interop.

Davide Running TIIME Interop

OpenID Federation Browser View of GARR Federation

TIIME 2026 Interop Participants

SURF Trust Anchor

Davide Presenting Trust Mark Request

OpenID Federation Presentation at 2026 TIIME Unconference

I had the pleasure of presenting an overview of OpenID Federation during the 2026 Trust and Internet Identity Meeting Europe (TIIME) unconference in Amsterdam. It was the opening talk in a day dedicated to OpenID Federation – Friday, February 13, 2026. There were ~90 practitioners in attendance. They asked great practical questions, including about how to decide what Federations to trust and the use of Trust Marks.

See the deck I used titled “OpenID Federation Overview” (pptx) (pdf).

I’m really looking forward to what I’ll learn during the discussions today. Many deployments are being described, including the GÉANT eduGAIN OpenID Federation pilot. Plus, there’s a “TechHUB” interop event today during which people will test their OpenID Federation implementations with one another.

My Federation Keynote at TIIME 2026

OpenID Federation Discussion at 2025 TechEx

I was encouraged by Pål Axelsson to hold an unconference discussion giving an overview of OpenID Federation during the 2025 Internet2 Technology Exchange conference in Denver. So I did so with a receptive and engaged group of participants yesterday, Thursday, December 11, 2025. See the notes from the Thursday session by Phil Smart, which include links to multiple Federation pilots.

Afterwards, several people told me that they were sorry to have missed it. So I reprised the discussion today, Friday, December 12, 2025, with a second equally engaged and mostly non-overlapping set of participants. See the notes from the Friday session by James Cramton, which capture both the breadth of participation and some of the key points made. Mihály Héder from Hungary is prototyping and was particularly engaged.

See the deck I used to queue up discussion points titled “OpenID Federation Overview” (pptx) (pdf).

The participants were some of the world’s experts in multi-lateral federation. It was great spending time with them and learning from them!

OpenID Presentations at October 2025 OpenID Workshop and IIW

As has become traditional, I gave the following presentation at the Monday, October 20, 2025 OpenID Workshop at Cisco:

I also gave this invited “101” session presentation at the Internet Identity Workshop (IIW) on Tuesday, October 21, 2025:

OpenID Federation Interop Event at SUNET in Stockholm

At the end of April, I had the privilege of gathering in Stockholm with 30 participants to perform interoperability testing among 14 different OpenID Federation implementations. Leif Johansson and SUNET were fabulous hosts for the meeting at their offices in Stockholm. People from 15 countries participated, coming from as far as Australia and New Zealand! We performed eight different classes of tests between the implementations plus tested the OpenID Certification tests being developed for OpenID Federation.

It was great to have many of the core contributors to OpenID Federation come together and meet one another, most in-person, a few virtually, many for the first time. The sense of community and shared mission in the room was palpable! Besides testing, we also took time for architectural discussions, addressing open issues, and of course, socializing over drinks and dinners.

I must say that the OpenID Foundation staff who helped organize the meeting did a bang-up job! Stephanie Meli and Gareth Narinesingh both pitched in in numerous ways, resulting in a flawless and fun event! I’d normally be the one blogging and posting to capture the essence of the event, but they already more than covered that base. Their posts are full of facts, anecdotes, and photos. Check them out…

I thought I’d add a few more photos and graphics to capture the spirit of the interop.

In-Person Participants at SUNET

Logos of Participating Organizations

Roland Hedberg

OpenID Federation Browser View of KIT Federation

Celebrating in Stockholm

So you want to use Digital Credentials? You’re now facing a myriad of choices!

I gave the keynote talk So you want to use Digital Credentials? You’re now facing a myriad of choices! at EIC 2025. I opened by describing engineering choices – credential formats (W3C VCs, ISO mDOCs, SD-JWTs, SD-CWTs, JWPs, X.509 Certificates), issuance and presentation mechanisms (bespoke and standards-based, in-person and remote), mechanisms for choosing them (query languages, user interfaces), and trust establishment mechanisms (trust lists, certificates, and federation).

I then upped the ante by talking about the criticality of usability, the challenges of building ecosystems (something Andrew Nash first explained to me most of two decades ago!), and how digital credentials are not an end in and of themselves; they’re a tool to help us solve real-world problems. And of course, I closed by coming back to my theme Standards are About Making Choices, urging us to come together and make the right choices to enable interoperable use of digital credentials in ways that benefit people worldwide.

View my slides as PowerPoint or PDF. I’ll also post a link to the video of the presentation here once Kuppinger Cole posts it.

EIC 2025 Andrew Nash

Thought Experiment on Trust Establishment

Will people be able to use it and want to?

Standards Are About Making Choices

Thank You to SIROS

Mike Jones Candid

OpenID Presentations at April 2025 OpenID Workshop and IIW

As has become traditional, I gave the following presentation at the Monday, April 7, 2025 OpenID Workshop at Google:

I also gave this invited “101” session presentation at the Internet Identity Workshop (IIW) on Tuesday, April 8, 2025:

The Cambrian Explosion of OAuth and OpenID Specifications

Vladimir Dzhuvinov and I led a discussion on The Cambrian Explosion of OAuth and OpenID Specifications at the 2025 OAuth Security Workshop in Reykjavík.

The abstract for the session was:

The number of OAuth and OpenID specifications continues to grow. At present there are 30 OAuth RFCs, two more in the RFC Editor queue, 13 OAuth working group drafts, and another eight individual OAuth drafts that may advance. There are nine JOSE RFCs and seven working group drafts. There are four SecEvent RFCs. On the OpenID side, there are 12 final OpenID Connect specs, three final FAPI specs, one final MODRNA spec, three final eKYC-IDA specs, and 24 Implementer’s drafts across the OpenID working groups, plus another ten working group drafts.

The number of possible combinations boggles the mind. And there’s no end in sight!

What’s a developer to do? How have people and companies gone about selecting and curating the specs to implement in an attempt to create coherent and useful open source and commercial offerings? And faced with such an array of combinations and choices, how are application developers to make sense of it all? How can interoperability be achieved in the face of continued innovation?

This session will prime the pump by discussing choices made by some existing open source and commercial offerings in the OAuth and OpenID space and lead to an open discussion of choices made by the workshop attendees and the reasoning behind them. It’s our goal that useful strategies emerge from the discussion that help people grapple with the ever-expanding sets of specifications and make informed implementation choices, while still fostering the innovation and problem-solving that these specifications represent.

The slides used to queue up the discussion session are available as PowerPoint and PDF. Also, see the list of 101 OAuth and OpenID-related specifications referenced during the discussion.

The topic seems to have touched a chord. Many people were clearly already thinking about the situation and shared their views. Some of them were:

  • Nobody actually expects everyone to implement everything.
  • Stopping things is super hard. But sometimes it’s necessary (as Brian Campbell put it, “when they’re wrong”).
  • Timing can be fickle. What may not be useful at one time can turn out to be useful later.
  • Some specs are highly related and often used together. But those relationships are not always apparent to those new to the space.
  • We need better on-ramps to help people new to the space wrap their arms around the plethora of specs and what they’re useful for.
  • Well-written profiles are a way of managing the complexity. For instance, FAPI 2 limits choices, increasing both interoperability and security.
  • The amount of innovation happening is a sign of success!

Thanks to the organizers for a great tenth OAuth Security Workshop! And special thanks to the colleagues from Signicat who did a superb job with local arrangements in Reykjavík!

Twenty Years of Digital Identity!

Kim Cameron first told me what Digital Identity is on February 1, 2005. He said that the Internet was created without an identity layer. He encouraged me “You should come help build it with me.” I’ve been at it ever since!

What I wrote about digital identity a decade ago remains as true today:

An interesting thing about digital identity is that, by definition, it’s not a problem that any one company can solve, no matter how great their technology is. For digital identity to be “solved”, the solution has to be broadly adopted, or else people will continue having different experiences at different sites and applications. Solving digital identity requires ubiquitously adopted identity standards. Part of the fun and the challenge is making that happen.

I’m not going to even try to list all the meaningful identity and security initiatives that I’ve had the privilege to work on with many of you. But I can’t resist saying that, in my view, OpenID Connect, JSON Web Token (JWT), and OAuth 2.0 are the ones that we knocked out of the park. I tried to distill the lessons learned from many of the initiatives, both successes and failures, during my 2023 EIC keynote Touchstones Along My Identity Journey. And there’s a fairly complete list of the consequential things I’ve gotten to work on in my Standards CV.

I’ll also call attention to 2025 marking twenty years of the Internet Identity Workshop. I attended the first one, which was held in Berkeley, California in October 2005, and all but one since. What a cast of characters I met there, many of whom I continue working with to this day!

As a personal testament to the value of IIW, it’s where many of the foundational decisions about what became JWS, JWE, JWK, JWT, and OpenID Connect were made. Particularly, see my post documenting decisions made at IIW about JWS, including the header.payload.signature representation of the JWS Compact Serialization and the decision to secure the Header Parameters. And see the posts following it on JWE decisions, naming decisions, and JWK decisions. IIW continues playing the role of enabling foundational discussions for emerging identity technologies today!

It’s been a privilege working with all of you for these two decades, and I love what we’ve accomplished together! There’s plenty of consequential work under way and I’m really looking forward to what comes next.

Mike Jones Kim with Coffee

Images are courtesy of Doc Searls. Each photo links to the original.

OpenID Presentations at October 2024 OpenID Workshop and IIW plus New Specifications

I gave the following presentation on work in the OpenID Connect working group at the Monday, October 28, 2024 OpenID Workshop at Microsoft:

I also gave this invited “101” session presentation at the Internet Identity Workshop (IIW) on Tuesday, October 29, 2024:

There’s more happening in the OpenID Connect working group than at any other time since we started the OpenID Connect work. In fact, two new specifications were adopted today!

Thanks to all who helped us get there!

Celebrating Ten Years of OpenID Connect at Identiverse and EIC

We held the second and third of the three planned tenth anniversary celebrations for the completion of OpenID Connect at the 2024 Identiverse conference and European Identity and Cloud Conference. That concludes celebrations in Asia, the Americas, and Europe!

At both Identiverse and EIC, panelists included Nat Sakimura, John Bradley, and myself. Chuck Mortimore joined us at Identiverse. And Torsten Lodderstedt added his perspectives at EIC. We shared our perspectives on what led to OpenID Connect, why it succeeded, and what lessons we learned along the way.

The most common refrain throughout our descriptions was the design philosophy to “Keep simple things simple”. This was followed closely by the importance of early feedback from developers and deployers.

Chuck reached back in time to his OpenID slides from 2011. He reflected on what he was thinking at the time versus what actually happened (and why). Torsten pointed out the importance of cooperation, certification, security analysis, open standards, and an approachable community. At Identiverse, Nat reached back 25 years, examining the intellectual underpinnings and history of OpenID. And at EIC, Nat tackled assertions that OpenID Connect can be complex. John concluded by observing that the OpenID idea is greater than any particular specification.

Our recent OpenID Connect 10th anniversary sessions were:

They build upon the celebration at the OpenID Summit Tokyo 2024.

Thanks to the organizers of all these events for sponsoring the celebrations!

Standards are About Making Choices

I was honored to give the keynote presentation Standards are About Making Choices at the 2024 European Identity and Cloud Conference (EIC) (PowerPoint) (PDF). The abstract was:

When building machines, we take for granted being able to use nuts, bolts, wires, light bulbs, and countless other parts made to industry standards. Standards contain choices about dimensions of screw threads, nut sizes, etc., enabling a marketplace of interoperable parts from multiple suppliers. Without these choices, every part would be custom manufactured. The same is true of the identity and security standards we use to build identity systems.

However, the identity and security standards at our disposal differ wildly in the degree to which they do and don’t make choices. Some consistently define ONE way to do things, resulting in everyone doing it that way (interoperability!). Others leave critical choices unmade, passing the buck to implementers and applications (your mileage may vary).

In this talk, I’ll name names and take prisoners, critiquing existing and emerging standards through the lens of the choices they made and failed to make. Hold on to your hats as we examine the pros and cons of the choices made by OAuth, SAML, X.509, OpenID Connect, Verifiable Credentials, DIDs, WebCrypto, JOSE, COSE, and many others through this lens!

I believe you’ll agree with me that making choices matters.

The conference keynote description includes a recording of the presentation.

Thanks to MATTR for providing a designer to work with me on the presentation, enabling the visual design to transcend my usual black-text-on-white-background design style!

Using Standards: Some Assembly Required

I gave the following presentation in the session Using Standards: Some Assembly Required at the 2024 Identiverse conference (PowerPoint) (PDF). The abstract was:

  • Standards are about making choices. When building machines, we take for granted being able to use nuts, bolts, wires, light bulbs, and countless other parts made to industry standards. Standards contain choices about dimensions of screw threads, nut sizes, etc., enabling a marketplace of interoperable parts from multiple suppliers. Without these choices, every part would be custom-manufactured. The same is true of the identity and security standards we use to build the Identity Engine. However, the identity and security standards at our disposal differ wildly in the degree to which they do and don’t make choices. Some consistently define ONE way to do things, resulting in everyone doing it that way (interoperability!). Others leave critical choices unmade, passing the buck to implementers and applications (your mileage may vary). In this talk, I’ll name names and take prisoners, critiquing existing and emerging standards through the lens of the choices they made and failed to make. Hold on to your hats as we examine the pros and cons of the choices made by OAuth, SAML, X.509, OpenID Connect, Verifiable Credentials, DIDs, WebCrypto, JOSE, COSE, and many others through this lens! I believe you’ll agree with me that making choices matters.

The audience was highly engaged by the process of giving existing and emerging standards letter grades based on the choices they made (or failed to make)!

OpenID Federation Session at April 2024 IIW

John Bradley and I convened a session on Trust Establishment with OpenID Federation at the Internet Identity Workshop (IIW) on Thursday, April 18, 2024. The material used to drive the discussion was:

The session was well attended and the discussion lively. Numerous people with trust establishment problems to solve contributed, including experts from the SAML federation world, people involved in digital wallet projects, and several people already using or considering using OpenID Federation. Thanks to all who participated!

OpenID Presentations at April 2024 OpenID Workshop and IIW

As has become traditional, I gave the following presentation at the Monday, April 15, 2024 OpenID Workshop at Google:

I also gave this invited “101” session presentation at the Internet Identity Workshop (IIW) on Tuesday, April 16, 2024:
