Mike Jones: self-issued

Musings on Digital Identity

Category: Specifications Page 9 of 23

Security Event Token (SET) spec simplifying claims usage

By

On February 2, 2018

In Claims, IETF, JSON, OpenID, Specifications

IETF logoThe Security Event Token (SET) specification has been updated to simplify the definitions and usage of the “iat” (issued at) and “toe” (time of event) claims. The full set of changes made was:

  • Simplified the definitions of the “iat” and “toe” claims in ways suggested by Annabelle Backman.
  • Added privacy considerations text suggested by Annabelle Backman.
  • Updated the RISC event example, courtesy of Marius Scurtescu.
  • Reordered the claim definitions to place the required claims first.
  • Changed to using the RFC 8174 boilerplate instead of the RFC 2119 boilerplate.

Thanks to Annabelle Backman, Marius Scurtescu, Phil Hunt, and Dick Hardt for the discussions that led to these simplifications.

The specification is available at:

An HTML-formatted version is also available at:

CBOR Web Token (CWT) draft correcting an example

By

On January 21, 2018

In CBOR, Claims, IETF, Specifications

IETF logoA new CBOR Web Token (CWT) draft has been published that applies a correction to an example. The full list of changes is:

  • Corrected the “iv” value in the signed and encrypted CWT example.
  • Mention CoAP in the application/cwt media type registration.
  • Changed references of the form “Section 4.1.1 of JWT <xref target="RFC7519"/>” to “Section 4.1.1 of <xref target="RFC7519"/>” so that rfcmarkup will generate correct external section reference links.
  • Updated Acknowledgements.

Thanks to Samuel Erdtman for validating all the examples once more and finding the issue with the signed and encrypted example. Thanks to Benjamin Kaduk for pointing out additional improvements that could be applied from the second WGLC comments.

The specification is available at:

An HTML-formatted version is also available at:

Security Event Token (SET) spec incorporating clarifications and a RISC example

By

On January 20, 2018

In Claims, IETF, JSON, OpenID, Specifications

IETF logoA new version of the Security Event Token (SET) specification has been published that incorporates clarifications suggested by working group members in discussions since IETF 100. Changes were:

  • Clarified that all “events” values must represent aspects of the same state change that occurred to the subject — not an aggregation of unrelated events about the subject.
  • Removed ambiguities about the roles of multiple “events” values and the responsibilities of profiling specifications for defining how and when they are used.
  • Corrected places where the term JWT was used when what was actually being discussed was the JWT Claims Set.
  • Addressed terminology inconsistencies. In particular, standardized on using the term “issuer” to align with JWT terminology and the “iss” claim. Previously the term “transmitter” was sometimes used and “issuer” was sometimes used. Likewise, standardized on using the term “recipient” instead of “receiver” for the same reasons.
  • Added a RISC event example, courtesy of Marius Scurtescu.
  • Applied wording clarifications suggested by Annabelle Backman and Yaron Sheffer.
  • Applied numerous grammar, syntax, and formatting corrections.

No changes to the semantics of the specification were made.

The specification is available at:

An HTML-formatted version is also available at:

OAuth Token Exchange spec addressing Area Director feedback

By

On January 19, 2018

In Claims, IETF, OAuth, Specifications

OAuth logoA new draft of the OAuth 2.0 Token Exchange specification has been published that addresses feedback from Security Area Director Eric Rescorla. The acknowledgements were also updated. Thanks to Brian Campbell for doing the editing for this version.

The specification is available at:

An HTML-formatted version is also available at:

CBOR Web Token (CWT) addressing 2nd WGLC comments

By

On December 17, 2017

In CBOR, Claims, IETF, Specifications

IETF logoA new CBOR Web Token (CWT) draft has been published that addresses comments received during the second working group last call. Thanks to Hannes Tschofenig, Esko Dijk, Ludwig Seitz, Carsten Bormann, and Benjamin Kaduk for their feedback. All changes made were clarifications or formatting improvements.

The specification is available at:

An HTML-formatted version is also available at:

Seventh working draft of W3C Web Authentication (WebAuthn) specification

By

On December 5, 2017

In Cryptography, Phishing Resistance, Specifications, W3C

W3C logoThe W3C Web Authentication working group has published the seventh working draft of the W3C Web Authentication (WebAuthn) specification. See the release page for a description of the changes since WD-06. The working group plans for the next version published to be a W3C Candidate Recommendation (CR). No breaking changes are expected between WD-07 and CR.

OAuth Token Exchange spec adding URIs for SAML assertions

By

On November 30, 2017

In Claims, IETF, OAuth, Specifications

OAuth logoA new draft of the OAuth 2.0 Token Exchange specification has been published that adds token type URIs for SAML 1.1 and SAML 2.0 assertions. They were added in response to actual developer use cases. These parallel the existing token type URI for JWT tokens.

The specification is available at:

An HTML-formatted version is also available at:

OAuth Authorization Server Metadata spec incorporating IETF last call feedback

By

On November 15, 2017

In Claims, IETF, JSON, OAuth, Specifications

OAuth logoThe OAuth Authorization Server Metadata specification has been updated to incorporate feedback received during IETF last call. Thanks to Shwetha Bhandari, Brian Carpenter, Donald Eastlake, Dick Hardt, and Mark Nottingham for their reviews. See the Document History appendix for clarifications applied. No normative changes were made.

The specification is available at:

An HTML-formatted version is also available at:

Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) spec using CBOR diagnostic notation

By

On October 30, 2017

In CBOR, Claims, Cryptography, IETF, Specifications

IETF logoDraft -01 of the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification updates the examples to use CBOR diagnostic notation, thanks to Ludwig Seitz. A table summarizing the “cnf” names, keys, and value types was added, thanks to Samuel Erdtman. Finally, some of Jim Schaad’s feedback on -00 was addressed (with more to be addressed by the opening of IETF 100 in Singapore).

The specification is available at:

An HTML-formatted version is also available at:

CBOR Web Token (CWT) specification adding CBOR_Key values and Key IDs to examples

By

On October 26, 2017

In CBOR, Claims, IETF, Specifications

IETF logoA new CBOR Web Token (CWT) draft has been published that adds CBOR_Key values and Key IDs to examples. Thanks to Samuel Erdtman for working on the examples, as always. Thanks to Giridhar Mandyam for validating the examples!

I believe that it’s time to request publication, as there remain no known issues with the specification.

The specification is available at:

An HTML-formatted version is also available at:

OAuth and OpenID Connect Token Binding specs updated

By

On October 26, 2017

In Cryptography, IETF, OAuth, OpenID, Specifications, Token Binding

OAuth logoThe OAuth 2.0 Token Binding specification has been updated to enable Token Binding of JWT Authorization Grants and JWT Client Authentication. The discussion of phasing in Token Binding was improved and generalized. See the Document History section for other improvements applied.

The specification is available at:

An HTML-formatted version is also available at:

An update to the closely-related OpenID Connect Token Bound Authentication 1.0 specification was also simultaneously published. Its discussion of phasing in Token Binding was correspondingly updated.

The OpenID Connect Token Binding specification is available in HTML and text versions at:

Thanks to Brian Campbell for doing the bulk of the editing for both sets of revisions.

Initial Working Group Draft of Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)

By

On September 12, 2017

In CBOR, Claims, Cryptography, IETF, Specifications

IETF logoThe initial working group draft of the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been posted. It contains the same normative content as draft-jones-ace-cwt-proof-of-possession-01. The abstract of the specification is:

This specification describes how to declare in a CBOR Web Token (CWT) that the presenter of the CWT possesses a particular proof-of-possession key. Being able to prove possession of a key is also sometimes described as the presenter being a holder-of-key. This specification provides equivalent functionality to “Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)” (RFC 7800), but using CBOR and CWTs rather than JSON and JWTs.

I look forward to working with my co-authors and the working group to hopefully complete this quickly!

The specification is available at:

An HTML-formatted version is also available at:

“Using RSA Algorithms with CBOR Object Signing and Encryption (COSE) Messages” is now RFC 8230

By

On September 11, 2017

In CBOR, Cryptography, IETF, Specifications

IETF logoThe “Using RSA Algorithms with CBOR Object Signing and Encryption (COSE) Messages” specification is now RFC 8230 – an IETF standard. The abstract for the specification is:

The CBOR Object Signing and Encryption (COSE) specification defines cryptographic message encodings using Concise Binary Object Representation (CBOR). This specification defines algorithm encodings and representations enabling RSA algorithms to be used for COSE messages. Encodings are specified for the use of RSA Probabilistic Signature Scheme (RSASSA-PSS) signatures, RSA Encryption Scheme – Optimal Asymmetric Encryption Padding (RSAES-OAEP) encryption, and RSA keys.

Some of these values are already being used by the sixth working draft of the W3C Web Authentication specification. In addition, the WebAuthn specification defines algorithm values for RSASSA-PKCS1-v1_5 signatures, which are used by TPMs, among other applications. The RSASSA-PKCS1-v1_5 signature algorithm values should also be registered shortly.

Thanks to Kathleen Moriarty for her Area Director sponsorship of the specification!

OAuth Authorization Server Metadata spec incorporating Area Director feedback

By

On September 7, 2017

In Claims, IETF, OAuth, Specifications

OAuth logoThe OAuth Authorization Server Metadata specification has been updated to incorporate feedback from Security Area Director Eric Rescorla. Thanks to EKR for his useful review. A number of defaults and restrictions are now better specified.

The specification is available at:

An HTML-formatted version is also available at:

CBOR Web Token (CWT) specification addressing all known issues

By

On August 16, 2017

In CBOR, Claims, IETF, Specifications

IETF logoA new CBOR Web Token (CWT) draft has been published that updates the diagnostic notation for embedded objects in the examples. Thanks to Samuel Erdtman for making these updates. Thanks to Carsten Bormann for reviewing the examples!

This addresses all known issues with the specification. I believe that it is now time to request publication.

The specification is available at:

An HTML-formatted version is also available at:

Sixth working draft of W3C Web Authentication specification

By

On August 11, 2017

In Cryptography, Phishing Resistance, Specifications, W3C

W3C logoThe W3C Web Authentication working group has published the sixth working draft of the W3C Web Authentication specification. It now can request that the authenticator support user verification – meaning that it can be used as the sole or first authentication factor. It now also uses the standard CBOR COSE_Key key representation [RFC8152]. Like WD-05, implementation and interop testing for WD-06 is planned.

Initial working group draft of JSON Web Token Best Current Practices

By

On July 27, 2017

In Claims, Cryptography, IETF, JSON, OAuth, Specifications

OAuth logoI’m happy to announce that the OAuth working group adopted the JSON Web Token Best Current Practices (JWT BCP) draft that Yaron Sheffer, Dick Hardt, and I had worked on, following discussions at IETF 99 in Prague and on the working group mailing list.

The specification is available at:

An HTML-formatted version is also available at:

JSON Web Token Best Current Practices draft describing Explicit Typing

By

On July 4, 2017

In Claims, Cryptography, JSON, OAuth, Specifications

OAuth logoThe JWT BCP draft has been updated to describe the use of explicit typing of JWTs as one of the ways to prevent confusion among different kinds of JWTs. This is accomplished by including an explicit type for the JWT in the “typ” header parameter. For instance, the Security Event Token (SET) specification now uses the “application/secevent+jwt” content type to explicitly type SETs.

The specification is available at:

An HTML-formatted version is also available at:

Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) spec addressing review comments

By

On June 30, 2017

In CBOR, Claims, Cryptography, Specifications

IETF logoThe Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been updated to address comments received since its initial publication. Changes were:

  • Tracked CBOR Web Token (CWT) Claims Registry updates.
  • Addressed review comments by Michael Richardson and Jim Schaad.
  • Added co-authors Ludwig Seitz, Göran Selander, Erik Wahlström, Samuel Erdtman, and Hannes Tschofenig.

Thanks for the feedback received to date!

The specification is available at:

An HTML-formatted version is also available at:

Security Event Token (SET) specification preventing token confusion

By

On June 30, 2017

In Claims, JSON, Specifications

IETF logoA new version of the Security Event Token (SET) specification has been published containing measures that prevent any possibility of confusion between ID Tokens and SETs. Preventing confusion between SETs, access tokens, and other kinds of JWTs is also covered. Changes were:

  • Added the Requirements for SET Profiles section.
  • Expanded the Security Considerations section to describe how to prevent confusion of SETs with ID Tokens, access tokens, and other kinds of JWTs.
  • Registered the application/secevent+jwt media type and defined how to use it for explicit typing of SETs.
  • Clarified the misleading statement that used to say that a SET conveys a single security event.
  • Added a note explicitly acknowledging that some SET profiles may choose to convey event subject information in the event payload.
  • Corrected an encoded claims set example.
  • Applied grammar corrections.

This draft is intended to provide solutions to the issues that had been discussed in IETF 98 in Chicago and subsequently on the working group mailing list. Thanks for all the great discussions that informed this draft!

The specification is available at:

An HTML-formatted version is also available at:

Page 9 of 23

Previous

Next

Powered by WordPress & Theme by Anders Norén