Mike Jones: self-issued

The OAuth 2.0 JWT-Secured Authorization Request (JAR) specification has been published as RFC 9101. Among other applications, this specification is used by the OpenID Financial-grade API (FAPI). This is another in the series of RFCs bringing OpenID Connect-defined functionality to OAuth 2.0. Previous such RFCs included “OAuth 2.0 Dynamic Client Registration Protocol” [RFC 7591] and “OAuth 2.0 Authorization Server Metadata” [RFC 8414].

The abstract of the RFC is:

The authorization request in OAuth 2.0 described in RFC 6749 utilizes query parameter serialization, which means that authorization request parameters are encoded in the URI of the request and sent through user agents such as web browsers. While it is easy to implement, it means that a) the communication through the user agents is not integrity protected and thus, the parameters can be tainted, b) the source of the communication is not authenticated, and c) the communication through the user agents can be monitored. Because of these weaknesses, several attacks to the protocol have now been put forward.

This document introduces the ability to send request parameters in a JSON Web Token (JWT) instead, which allows the request to be signed with JSON Web Signature (JWS) and encrypted with JSON Web Encryption (JWE) so that the integrity, source authentication, and confidentiality properties of the authorization request are attained. The request can be sent by value or by reference.

Thanks to Nat Sakimura and John Bradley for persisting in finishing this RFC!

No Comments » Posted under Claims & IETF & JSON & OAuth & OpenID & Specifications

As described in my last post about OAuth JAR, after it was first sent to the RFC Editor, the IESG requested an additional round of IETF feedback. I’m happy to report that, having addressed this feedback, the spec has now been sent back to the RFC Editor.

As a reminder, this specification takes the JWT Request Object from Section 6 of OpenID Connect Core (Passing Request Parameters as JWTs) and makes this functionality available for pure OAuth 2.0 applications – and does so without introducing breaking changes. This is one of a series of specifications bringing functionality originally developed for OpenID Connect to the OAuth 2.0 ecosystem. Other such specifications included OAuth 2.0 Dynamic Client Registration Protocol [RFC 7591] and OAuth 2.0 Authorization Server Metadata [RFC 8414].

The specification is available at:

• https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-33

An HTML-formatted version is also available at:

• https://self-issued.info/docs/draft-ietf-oauth-jwsreq-33.html

No Comments » Posted under Claims & IETF & JSON & OAuth & OpenID & Specifications

After the OAuth 2.0 JWT Secured Authorization Request (JAR) specification was sent to the RFC Editor, the IESG requested an additional round of IETF feedback. We’ve published an updated draft addressing the remaining review comments, specifically, SecDir comments from Watson Ladd. The only normative change made since the 28 was to change the MIME Type from “oauth.authz.req+jwt” to “oauth-authz-req+jwt”, per advice from the designated experts.

As a reminder, this specification takes the JWT Request Object from Section 6 of OpenID Connect Core (Passing Request Parameters as JWTs) and makes this functionality available for pure OAuth 2.0 applications – and does so without introducing breaking changes. This is one of a series of specifications bringing functionality originally developed for OpenID Connect to the OAuth 2.0 ecosystem. Other such specifications included OAuth 2.0 Dynamic Client Registration Protocol [RFC 7591] and OAuth 2.0 Authorization Server Metadata [RFC 8414].

The specification is available at:

• https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-31

An HTML-formatted version is also available at:

• https://self-issued.info/docs/draft-ietf-oauth-jwsreq-31.html

No Comments » Posted under Claims & IETF & JSON & OAuth & OpenID & Specifications

The SecEvent Delivery specifications, “Push-Based Security Event Token (SET) Delivery Using HTTP” and “Poll-Based Security Event Token (SET) Delivery Using HTTP”, are now RFC 8935 and RFC 8936. Both deliver Security Event Tokens (SETs), which are defined by RFC 8417. The abstracts of the specifications are:

Push-Based Security Event Token (SET) Delivery Using HTTP:

This specification defines how a Security Event Token (SET) can be delivered to an intended recipient using HTTP POST over TLS. The SET is transmitted in the body of an HTTP POST request to an endpoint operated by the recipient, and the recipient indicates successful or failed transmission via the HTTP response.

Poll-Based Security Event Token (SET) Delivery Using HTTP:

This specification defines how a series of Security Event Tokens (SETs) can be delivered to an intended recipient using HTTP POST over TLS initiated as a poll by the recipient. The specification also defines how delivery can be assured, subject to the SET Recipient’s need for assurance.

These were designed with use cases such as Risk & Incident Sharing and Collaboration (RISC) and Continuous Access Evaluation Protocol (CAEP) in mind, both of which are happening in the OpenID Shared Signals and Events Working Group.

No Comments » Posted under IETF & JanRain & Safety & Specifications

The Concise Binary Object Representation (CBOR) Tags for Date specification has now been published as RFC 8943. In particular, the full-date tag requested for use by the ISO Mobile Driver’s License specification in the ISO/IEC JTC 1/SC 17 “Cards and security devices for personal identification” working group has been created by this RFC. The abstract of the RFC is:

The Concise Binary Object Representation (CBOR), as specified in RFC 7049, is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation.

In CBOR, one point of extensibility is the definition of CBOR tags. RFC 7049 defines two tags for time: CBOR tag 0 (date/time string as per RFC 3339) and tag 1 (POSIX “seconds since the epoch”). Since then, additional requirements have become known. This specification defines a CBOR tag for a date text string (as per RFC 3339) for applications needing a textual date representation within the Gregorian calendar without a time. It also defines a CBOR tag for days since the date 1970-01-01 in the Gregorian calendar for applications needing a numeric date representation without a time. This specification is the reference document for IANA registration of the CBOR tags defined.

Note that a gifted musical singer/songwriter appears in this RFC in a contextually appropriate fashion, should you need an additional incentive to read the specification. ;-)

No Comments » Posted under CBOR & IETF & Specifications

The “Concise Binary Object Representation (CBOR) Tags for Date” specification has completed IETF last call and advanced to evaluation by the Internet Engineering Steering Group (IESG). This is the specification that defines the full-date tag requested for use by the ISO Mobile Driver’s License specification in the ISO/IEC JTC 1/SC 17 “Cards and security devices for personal identification” working group.

The specification is available at:

• https://tools.ietf.org/html/draft-ietf-cbor-date-tag-06

An HTML-formatted version is also available at:

• https://self-issued.info/docs/draft-ietf-cbor-date-tag-06.html

No Comments » Posted under CBOR & IETF & Specifications

Congratulations to Nat Sakimura and John Bradley for progressing the OAuth 2.0 JWT Secured Authorization Request (JAR) specification from the working group through the IESG to the RFC Editor. This specification takes the JWT Request Object from Section 6 of OpenID Connect Core (Passing Request Parameters as JWTs) and makes this functionality available for pure OAuth 2.0 applications – and intentionally does so without introducing breaking changes.

This is one of a series of specifications bringing functionality originally developed for OpenID Connect to the OAuth 2.0 ecosystem. Other such specifications included OAuth 2.0 Dynamic Client Registration Protocol [RFC 7591] and OAuth 2.0 Authorization Server Metadata [RFC 8414].

The specification is available at:

• https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-28

An HTML-formatted version is also available at:

• https://self-issued.info/docs/draft-ietf-oauth-jwsreq-28.html

Again, congratulations to Nat and John and the OAuth Working Group for this achievement!

No Comments » Posted under Claims & IETF & JSON & OAuth & OpenID & Specifications

The W3C Web Authentication (WebAuthn) working group and the IETF COSE working group created “CBOR Object Signing and Encryption (COSE) and JSON Object Signing and Encryption (JOSE) Registrations for Web Authentication (WebAuthn) Algorithms” to make some algorithms and elliptic curves used by WebAuthn and FIDO2 officially part of COSE and JOSE. The RSA algorithms are used by TPMs. The “secp256k1” curve registered (a.k.a., the Bitcoin curve) is also used in some decentralized identity applications. The completed specification has now been published as RFC 8812.

As described when the registrations recently occurred, the algorithms registered are:

• RS256 – RSASSA-PKCS1-v1_5 using SHA-256 – new for COSE
• RS384 – RSASSA-PKCS1-v1_5 using SHA-384 – new for COSE
• RS512 – RSASSA-PKCS1-v1_5 using SHA-512 – new for COSE
• RS1 – RSASSA-PKCS1-v1_5 using SHA-1 – new for COSE
• ES256K – ECDSA using secp256k1 curve and SHA-256 – new for COSE and JOSE

The elliptic curves registered are:

• secp256k1 – SECG secp256k1 curve – new for COSE and JOSE

See them in the IANA COSE Registry and the IANA JOSE Registry.

No Comments » Posted under CBOR & Cryptography & FIDO & IETF & JSON & Specifications & W3C

The W3C Web Authentication (WebAuthn) working group created the IETF specification “Registries for Web Authentication (WebAuthn)” to establish registries needed for WebAuthn extension points. These IANA registries were populated in June 2020. Now the specification creating them has been published as RFC 8809.

Thanks again to Kathleen Moriarty and Benjamin Kaduk for their Area Director sponsorships of the specification and to Jeff Hodges and Giridhar Mandyam for their work on it.

No Comments » Posted under FIDO & IETF & Specifications & W3C

I’m pleased to report that the SecEvent delivery specifications are now stable, having been approved by the IESG, and will shortly become RFCs. Specifically, they have now progressed to the RFC Editor queue, meaning that the only remaining step before finalization is editorial due diligence. Thus, implementations can now utilize the draft specifications with confidence that that breaking changes will not occur as they are finalized.

The specifications are available at:

• https://tools.ietf.org/html/draft-ietf-secevent-http-push-14
• https://tools.ietf.org/html/draft-ietf-secevent-http-poll-12

HTML-formatted versions are also available at:

• https://self-issued.info/docs/draft-ietf-secevent-http-push-14.html
• https://self-issued.info/docs/draft-ietf-secevent-http-poll-12.html

No Comments » Posted under IETF & JSON & Safety & Specifications

We wrote the specification COSE and JOSE Registrations for WebAuthn Algorithms to create and register COSE and JOSE algorithm and elliptic curve identifiers for algorithms used by WebAuthn and CTAP2 that didn’t yet exist. I’m happy to report that all these registrations are now complete and the specification has progressed to the RFC Editor. Thanks to the COSE working group for supporting this work.

Search for WebAuthn in the IANA COSE Registry and the IANA JOSE Registry to see the registrations. These are now stable and can be used by applications, both in the WebAuthn/FIDO2 space and for other application areas, including decentralized identity (where the secp256k1 “bitcoin curve” is in widespread use).

The algorithms registered are:

• RS256 – RSASSA-PKCS1-v1_5 using SHA-256 – new for COSE
• RS384 – RSASSA-PKCS1-v1_5 using SHA-384 – new for COSE
• RS512 – RSASSA-PKCS1-v1_5 using SHA-512 – new for COSE
• RS1 – RSASSA-PKCS1-v1_5 using SHA-1 – new for COSE
• ES256K – ECDSA using secp256k1 curve and SHA-256 – new for COSE and JOSE

The elliptic curves registered are:

• secp256k1 – SECG secp256k1 curve – new for COSE and JOSE

No Comments » Posted under CBOR & Cryptography & FIDO & IETF & JSON & Specifications & W3C

The SecEvent delivery specifications have been revised to unambiguously require the use of TLS, while preserving descriptions of precautions needed for non-TLS use in non-normative appendices. Thanks to the Security Events and Shared Signals and Events working group members who weighed in on this decision. I believe these drafts are now ready to be scheduled for an IESG telechat.

The updated specifications are available at:

• https://tools.ietf.org/html/draft-ietf-secevent-http-push-12
• https://tools.ietf.org/html/draft-ietf-secevent-http-poll-11

HTML-formatted versions are also available at:

• https://self-issued.info/docs/draft-ietf-secevent-http-push-12.html
• https://self-issued.info/docs/draft-ietf-secevent-http-poll-11.html

No Comments » Posted under IETF & Safety & Specifications

The CBOR tags for the date representations defined by the “Concise Binary Object Representation (CBOR) Tags for Date” specification have been registered in the IANA Concise Binary Object Representation (CBOR) Tags registry. This means that they’re now ready for use by applications. In particular, the full-date tag requested for use by the ISO Mobile Driver’s License specification in the ISO/IEC JTC 1/SC 17 “Cards and security devices for personal identification” working group is now good to go.

FYI, I also updated the spec to incorporate a few editorial suggestions by Carsten Bormann. The new draft changed “positive or negative” to “unsigned or negative” and added an implementation note about the relationship to Modified Julian Dates. Thanks Carsten, for the useful feedback, as always!

It’s my sense that the spec is now ready for working group last call in the CBOR Working Group.

The specification is available at:

• https://tools.ietf.org/html/draft-ietf-cbor-date-tag-01

An HTML-formatted version is also available at:

• https://self-issued.info/docs/draft-ietf-cbor-date-tag-01.html

No Comments » Posted under CBOR & IETF & Specifications

I’ve published updated SecEvent delivery specs addressing the directorate reviews received during IETF last call. Thanks to Joe Clarke, Vijay Gurbani, Mark Nottingham, Robert Sparks, and Valery Smyslov for your useful reviews.

The specifications are available at:

• https://tools.ietf.org/html/draft-ietf-secevent-http-push-11
• https://tools.ietf.org/html/draft-ietf-secevent-http-poll-10

HTML-formatted versions are also available at:

• https://self-issued.info/docs/draft-ietf-secevent-http-push-11.html
• https://self-issued.info/docs/draft-ietf-secevent-http-poll-10.html

No Comments » Posted under IETF & Safety & Specifications

IANA has registered the “secp256k1” elliptic curve in the JSON Web Key Elliptic Curve registry and the corresponding “ES256K” signing algorithm in the JSON Web Signature and Encryption Algorithms registry. This curve is widely used among blockchain and decentralized identity implementations.

The registrations were specified by the COSE and JOSE Registrations for WebAuthn Algorithms specification, which was created by the W3C Web Authentication working group and the IETF COSE working group because WebAuthn also allows the use of secp256k1. This specification is now in IETF Last Call. The corresponding COSE registrations will occur after the specification becomes an RFC.

No Comments » Posted under CBOR & Cryptography & FIDO & IETF & JSON & Specifications & W3C

This week we published updates to two IETF specifications that support the WebAuthn/FIDO2 ecosystem, as well as other uses, such as decentralized identity.

One is COSE and JOSE Registrations for WebAuthn Algorithms. It registers algorithm and elliptic curve identifiers for algorithms used by WebAuthn and FIDO2. The “secp256k1” curve being registered is also used for signing in some decentralized identity applications. The specification has completed the Area Director review and has been submitted to the IESG for publication.

The other is Registries for Web Authentication (WebAuthn). This creates IANA registries enabling multiple kinds of extensions to W3C Web Authentication (WebAuthn) implementations to be registered. This specification has completed IETF last call and is scheduled for review by the IESG.

Thanks to the COSE working group for their adoption of the algorithms specification, and to Ivaylo Petrov and Murray Kucherawy for their reviews of it. Thanks to Kathleen Moriarty and Benjamin Kaduk for their Area Director sponsorships of the registries specification and to Jeff Hodges for being primary author of it.

The specifications are available at:

• https://tools.ietf.org/html/draft-hodges-webauthn-registries-07
• https://tools.ietf.org/html/draft-ietf-cose-webauthn-algorithms-06

No Comments » Posted under CBOR & Cryptography & FIDO & IETF & JSON & Specifications & W3C

The IETF CBOR working group has adopted the specification Concise Binary Object Representation (CBOR) Tags for Date. The abstract of the specification is:

The Concise Binary Object Representation (CBOR, RFC 7049) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation.

In CBOR, one point of extensibility is the definition of CBOR tags. RFC 7049 defines two tags for time: CBOR tag 0 (RFC 3339 date/time string) and tag 1 (Posix “seconds since the epoch”). Since then, additional requirements have become known. This specification defines a CBOR tag for an RFC 3339 date text string, for applications needing a textual date representation without a time. It also defines a CBOR tag for days since the Posix epoch, for applications needing a numeric date representation without a time. It is intended as the reference document for the IANA registration of the CBOR tags defined.

The need for this arose for the ISO Mobile Driver’s License specification in the working group ISO/IEC JTC 1/SC 17 “Cards and security devices for personal identification”.

The specification is available at:

• https://tools.ietf.org/html/draft-ietf-cbor-date-tag-00

An HTML-formatted version is also available at:

• https://self-issued.info/docs/draft-ietf-cbor-date-tag-00.html

No Comments » Posted under CBOR & IETF & Specifications

A number of refinements have been applied to the DPoP specification. As recorded in the History entries, they are:

• Editorial updates
• Attempt to more formally define the DPoP Authorization header scheme
• Define the 401/WWW-Authenticate challenge
• Added invalid_dpop_proof error code for DPoP errors in token request
• Fixed up and added to the IANA section
• Added dpop_signing_alg_values_supported authorization server metadata
• Moved the Acknowledgements into an Appendix and added a bunch of names (best effort)

Thanks to Brian Campbell for doing the editing for this round.

The specification is available at:

• https://tools.ietf.org/id/draft-ietf-oauth-dpop-01.html

No Comments » Posted under IETF & OAuth & Specifications

The two Security Event Token (SET) delivery specifications have been updated to address additional Area Director review comments by Benjamin Kaduk. See the History entries for descriptions of the changes, none of which were breaking. Both documents are now open for IETF Last Call reviews.

Thanks again to Ben for his thorough reviews. And thanks to Annabelle Backman for doing the editing for this round.

The specifications are available at:

• https://tools.ietf.org/html/draft-ietf-secevent-http-push-10
• https://tools.ietf.org/html/draft-ietf-secevent-http-poll-09

HTML-formatted versions are also available at:

• https://self-issued.info/docs/draft-ietf-secevent-http-push-10.html
• https://self-issued.info/docs/draft-ietf-secevent-http-poll-09.html

No Comments » Posted under IETF & Safety & Specifications

We’re making progress on a simple application-level proof-of-possession solution for OAuth 2.0. I’m pleased to report that DPoP has now been adopted as an OAuth working group specification. The abstract of the specification is:

This document describes a mechanism for sender-constraining OAuth 2.0 tokens via a proof-of-possession mechanism on the application level. This mechanism allows for the detection of replay attacks with access and refresh tokens.

The specification is available at:

• https://tools.ietf.org/id/draft-ietf-oauth-dpop-00.html

No Comments » Posted under IETF & OAuth & Specifications