Mike Jones: self-issued

The OAuth 2.0 Token Exchange specification is now RFC 8693. The abstract of the specification is:

This specification defines a protocol for an HTTP- and JSON-based Security Token Service (STS) by defining how to request and obtain security tokens from OAuth 2.0 authorization servers, including security tokens employing impersonation and delegation.

This specification standardizes an already widely-deployed pattern in production use by Box, Microsoft, RedHat, Salesforce, and many others. Thanks to all of you who helped make a standard for this important functionality!

No Comments » Posted under IETF & OAuth & Specifications

The Poll-Based Security Event Token (SET) Delivery specification has been updated to address Working Group Last Call (WGLC) and Document Shepherd comments received. Thanks to Annabelle Backman for the useful WGLC comments and to Yaron Sheffer for the useful Shepherd comments. This update is intended to enable our area director Benjamin Kaduk to review both the Push and Poll delivery method specifications at the same time.

The specification is available at:

• https://tools.ietf.org/html/draft-ietf-secevent-http-poll-05

An HTML-formatted version is also available at:

• https://self-issued.info/docs/draft-ietf-secevent-http-poll-05.html

No Comments » Posted under IETF & JSON & Specifications

I’m pleased to report that the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification is now technically stable and will shortly be an RFC – an Internet standard. Specifically, it has now progressed to the RFC Editor queue, meaning that the only remaining step before finalization is editorial due diligence. Thus, implementations can now utilize the draft specification with confidence that that breaking changes will not occur as it is finalized.

The abstract of the specification is:

This specification describes how to declare in a CBOR Web Token (CWT) (which is defined by RFC 8392) that the presenter of the CWT possesses a particular proof-of-possession key. Being able to prove possession of a key is also sometimes described as being the holder-of-key. This specification provides equivalent functionality to “Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)” (RFC 7800) but using Concise Binary Object Representation (CBOR) and CWTs rather than JavaScript Object Notation (JSON) and JSON Web Tokens (JWTs).

Thanks to the ACE working group for completing this important specification.

The specification is available at:

• https://tools.ietf.org/html/draft-ietf-ace-cwt-proof-of-possession-11

An HTML-formatted version is also available at:

• https://self-issued.info/docs/draft-ietf-ace-cwt-proof-of-possession-11.html

No Comments » Posted under CBOR & Claims & Cryptography & IETF & Specifications

The “COSE and JOSE Registrations for WebAuthn Algorithms” specification has been updated to address working group last call (WGLC) feedback received. Thanks to J.C. Jones, Kevin Jacobs, Jim Schaad, Neil Madden, and Benjamin Kaduk for their useful reviews.

The specification is available at:

• https://tools.ietf.org/html/draft-ietf-cose-webauthn-algorithms-02

An HTML-formatted version is also available at:

• http://self-issued.info/docs/draft-ietf-cose-webauthn-algorithms-02.html

No Comments » Posted under CBOR & Cryptography & FIDO & IETF & JSON & Specifications & W3C

I’m pleased to report that the JSON Web Token (JWT) Best Current Practices (BCP) specification is now technically stable and will shortly be an RFC – an Internet standard. Specifically, it has now progressed to the RFC Editor queue, meaning that the only remaining step before finalization is editorial due diligence. Thus, implementations can now utilize the draft specification with confidence that that breaking changes will not occur as it is finalized.

The abstract of the specification is:

JSON Web Tokens, also known as JWTs, are URL-safe JSON-based security tokens that contain a set of claims that can be signed and/or encrypted. JWTs are being widely used and deployed as a simple security token format in numerous protocols and applications, both in the area of digital identity, and in other application areas. The goal of this Best Current Practices document is to provide actionable guidance leading to secure implementation and deployment of JWTs.

Thanks to the OAuth working group for completing this important specification.

The specification is available at:

• https://tools.ietf.org/html/draft-ietf-oauth-jwt-bcp-07

An HTML-formatted version is also available at:

• http://self-issued.info/docs/draft-ietf-oauth-jwt-bcp-07.html

No Comments » Posted under Claims & Cryptography & IETF & JSON & OAuth & Specifications

A new version of the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been published addressing the Gen-ART and SecDir review comments. Thanks to Christer Holmberg and Yoav Nir, respectively, for these useful reviews.

The specification is available at:

• https://tools.ietf.org/html/draft-ietf-ace-cwt-proof-of-possession-09

An HTML-formatted version is also available at:

• http://self-issued.info/docs/draft-ietf-ace-cwt-proof-of-possession-09.html

No Comments » Posted under CBOR & Claims & Cryptography & IETF & Specifications

A new version of the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been published to address the remaining Area Director review comments by Benjamin Kaduk. Thanks to Ludwig Seitz for doing the bulk of the editing for this version.

The specification is available at:

• https://tools.ietf.org/html/draft-ietf-ace-cwt-proof-of-possession-08

An HTML-formatted version is also available at:

• http://self-issued.info/docs/draft-ietf-ace-cwt-proof-of-possession-08.html

No Comments » Posted under CBOR & Claims & Cryptography & IETF & Specifications

The Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been updated to address the Area Director review comments by Benjamin Kaduk. Thanks to Ludwig Seitz and Hannes Tschofenig for their work on resolving the issues raised.

The specification is available at:

• https://tools.ietf.org/html/draft-ietf-ace-cwt-proof-of-possession-07

An HTML-formatted version is also available at:

• http://self-issued.info/docs/draft-ietf-ace-cwt-proof-of-possession-07.html

No Comments » Posted under CBOR & Claims & Cryptography & IETF & Specifications

The OAuth Device Flow specification (recently renamed to be the OAuth 2.0 Device Authorization Grant specification) is now RFC 8628. The abstract describes the specification as:

The OAuth 2.0 device authorization grant is designed for Internet-connected devices that either lack a browser to perform a user-agent-based authorization or are input constrained to the extent that requiring the user to input text in order to authenticate during the authorization flow is impractical. It enables OAuth clients on such devices (like smart TVs, media consoles, digital picture frames, and printers) to obtain user authorization to access protected resources by using a user agent on a separate device.

This specification standardizes an already widely-deployed pattern in production use by Facebook, ForgeRock, Google, Microsoft, Salesforce, and many others. Thanks to all of you who helped make this existing practice an actual standard!

No Comments » Posted under IETF & OAuth & Specifications

I’m very pleased to report that the OAuth 2.0 Token Exchange specification is now technically stable and will shortly be an RFC – an Internet standard. Specifically, it has now progressed to the RFC Editor queue, meaning that the only remaining step before finalization is editorial due diligence. Thus, implementations can now utilize the draft specification with confidence that that breaking changes will not occur as it is finalized.

The abstract of the specification is:

This specification defines a protocol for an HTTP- and JSON-based Security Token Service (STS) by defining how to request and obtain security tokens from OAuth 2.0 authorization servers, including security tokens employing impersonation and delegation.

Thanks to the OAuth working group for completing this important specification. And thanks to Brian Campbell for taking point in making the recent updates to get us here.

The specification is available at:

• https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-19

An HTML-formatted version is also available at:

• http://self-issued.info/docs/draft-ietf-oauth-token-exchange-19.html

No Comments » Posted under Claims & IETF & JSON & OAuth & Specifications

The two Security Event Token (SET) delivery specifications have been updated to address working group feedback received, in preparation for discussions at IETF 105 in Montreal. Only minor terminological updates were made to the Push Delivery spec following the working group last call (WGLC) changes in the previous recent revisions. Thanks to Annabelle Backman for the edits to the Push Delivery spec.

The changes to the Poll Delivery spec further aligned it with the Push spec, referencing shared functionality, rather than duplicating it. I believe that the Poll spec is now ready for working group last call.

The specifications are available at:

• https://tools.ietf.org/html/draft-ietf-secevent-http-push-07
• https://tools.ietf.org/html/draft-ietf-secevent-http-poll-03

HTML-formatted versions are also available at:

• http://self-issued.info/docs/draft-ietf-secevent-http-push-07.html
• http://self-issued.info/docs/draft-ietf-secevent-http-poll-03.html

No Comments » Posted under IETF & Safety & Specifications

The “COSE and JOSE Registrations for WebAuthn Algorithms” specification has been updated to address feedback received since working group adoption. The one breaking change is changing the secp256k1 curve identifier for JOSE from “P-256K” to “secp256k1”, for reasons described by John Mattsson. The draft now also specifies that the SHA-256 hash function is to be used with “ES256K” signatures – a clarification due to Matt Palmer.

The specification is available at:

• https://tools.ietf.org/html/draft-ietf-cose-webauthn-algorithms-01

An HTML-formatted version is also available at:

• http://self-issued.info/docs/draft-ietf-cose-webauthn-algorithms-01.html

No Comments » Posted under CBOR & Cryptography & IETF & JSON & Specifications & W3C

I’m excited that a new, simpler approach for application-level proof of possession of OAuth access tokens and refresh tokens is being developed by members of the IETF OAuth working group. The effort is led by Daniel Fett, who had previously done formal analysis of the OAuth protocol. I wanted to bring it to your attention now to solicit your early feedback. This approach was designed in discussions at the Fourth OAuth Security Workshop and is captured in a new individual draft specification for Demonstration of Proof-of-Possession (DPoP) intended for the OAuth working group. The abstract of the new specification is:

This document describes a mechanism for sender-constraining OAuth 2.0 tokens via a proof-of-possession mechanism on the application level. This mechanism allows to detect replay attacks with access and refresh tokens.

The specification is still an early draft and undergoing active development, but I believe the approach shows a lot of promise and is likely to be adopted by the OAuth working group soon. It works by creating a proof-of-possession signature over an access token or refresh token that would otherwise be a bearer token. And there’s already one implementation that I’m aware of – by Filip Skokan of Auth0. Let us know what you think of this new work!

The specification is available at:

• https://tools.ietf.org/html/draft-fett-oauth-dpop-01

An HTML-formatted version is also available at:

• http://self-issued.info/docs/draft-fett-oauth-dpop-01.html

No Comments » Posted under IETF & OAuth & Specifications

I’m pleased to report that the IETF COSE Working Group has adopted the specification “COSE and JOSE Registrations for WebAuthn Algorithms”. An abstract of what it does is:

This specification defines how to use several algorithms with COSE [RFC8152] that are used by implementations of the W3C Web Authentication (WebAuthn) [WebAuthn] and FIDO2 Client to Authenticator Protocol (CTAP) [CTAP] specifications. These algorithms are to be registered in the IANA “COSE Algorithms” registry [IANA.COSE.Algorithms] and also in the IANA “JSON Web Signature and Encryption Algorithms” registry [IANA.JOSE.Algorithms], when not already registered there.

The algorithms registered are RSASSA-PKCS1-v1_5 with four different hash functions and signing with the secp256k1 curve. Note that there was consensus in the working group meeting not to work on registrations for the Elliptic Curve Direct Anonymous Attestation (ECDAA) algorithms “ED256” and “ED512”, both because of issues that have been raised with them and because they are not in widespread use.

The -01 version will address the review comments received on the mailing list from Jim Schaad and John Mattsson.

The specification is available at:

• https://tools.ietf.org/html/draft-ietf-cose-webauthn-algorithms-00

An HTML-formatted version is also available at:

• http://self-issued.info/docs/draft-ietf-cose-webauthn-algorithms-00.html

No Comments » Posted under CBOR & Cryptography & IETF & JSON & Specifications & W3C

The two Security Event Token (SET) delivery specifications have been updated to address working group feedback received, in preparation for discussions at IETF 104 in Prague. The Push Delivery spec went through working group last call (WGLC). It has been updated to incorporate the WGLC comments. Changes made are summarized in the spec change log, the contents of which were also posted to the working group mailing list. Thanks to Annabelle Backman for the edits to the Push Delivery spec.

It’s worth noting that the Push Delivery spec and the Security Event Token (SET) are now being used in early Risk and Incident Sharing and Coordination (RISC) deployments, including between Google and Adobe. See the article about these deployments by Mat Honan of BuzzFeed.

Changes to the Poll Delivery spec are also summarized in that spec’s change log, which contains:

• Removed vestigial language remaining from when the push and poll delivery methods were defined in a common specification.
• Replaced remaining uses of the terms Event Transmitter and Event Recipient with the correct terms SET Transmitter and SET Recipient.
• Removed uses of the unnecessary term “Event Stream”.
• Removed dependencies between the semantics of maxEvents and returnImmediately.
• Said that PII in SETs is to be encrypted with TLS, JWE, or both.
• Corrected grammar and spelling errors.

The specifications are available at:

• https://tools.ietf.org/html/draft-ietf-secevent-http-push-05
• https://tools.ietf.org/html/draft-ietf-secevent-http-poll-02

HTML-formatted versions are also available at:

• http://self-issued.info/docs/draft-ietf-secevent-http-push-05.html
• http://self-issued.info/docs/draft-ietf-secevent-http-poll-02.html

No Comments » Posted under IETF & OpenID & Safety & Specifications

Responding to feedback from multiple parties that the title “OAuth 2.0 Device Flow for Browserless and Input Constrained Devices” was too much of a mouthful, the title of the specification has been simplified to “OAuth 2.0 Device Authorization Grant”. Likewise, we received feedback that “Device flow” was an insider term that caused more confusion than clarity, so its use has been removed from the specification. Finally, last minute feedback was received that client authorization and error handling were not explicitly spelled out. The specification now says that these occur in the same manner as in OAuth 2.0 [RFC 6749].

Many thanks to William Denniss for performing these edits! Hopefully this will be the draft that is sent to the RFC Editor.

The specification is available at:

• https://tools.ietf.org/html/draft-ietf-oauth-device-flow-15

An HTML-formatted version is also available at:

• http://self-issued.info/docs/draft-ietf-oauth-device-flow-15.html

No Comments » Posted under IETF & OAuth & Specifications

The new COSE working group charter includes this deliverable:

4. Define the algorithms needed for W3C Web Authentication for COSE using draft-jones-webauthn-cose-algorithms and draft-jones-webauthn-secp256k1 as a starting point (Informational).

I have written draft-jones-cose-additional-algorithms, which combines these starting points into a single draft, which registers these algorithms in the IANA COSE registries. When not already registered, this draft also registers these algorithms for use with JOSE in the IANA JOSE registries. I believe that this draft is ready for working group adoption to satisfy this deliverable.

The specification is available at:

• https://tools.ietf.org/html/draft-jones-cose-additional-algorithms-00

An HTML-formatted version is also available at:

• http://self-issued.info/docs/draft-jones-cose-additional-algorithms-00.html

No Comments » Posted under CBOR & Cryptography & IETF & JSON & Specifications & W3C

The Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been updated to address issues identified by Roman Danyliw while writing his shepherd review. Thanks to Samuel Erdtman for fixing an incorrect example.

The specification is available at:

• https://tools.ietf.org/html/draft-ietf-ace-cwt-proof-of-possession-06

An HTML-formatted version is also available at:

• http://self-issued.info/docs/draft-ietf-ace-cwt-proof-of-possession-06.html

No Comments » Posted under CBOR & Claims & Cryptography & IETF & Specifications

Key ID confirmation method considerations suggested by Jim Schaad have been added to the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification. Per discussions in the working group meeting in Bangkok, it’s now time for the shepherd review.

The specification is available at:

• https://tools.ietf.org/html/draft-ietf-ace-cwt-proof-of-possession-05

An HTML-formatted version is also available at:

• http://self-issued.info/docs/draft-ietf-ace-cwt-proof-of-possession-05.html

No Comments » Posted under CBOR & Claims & Cryptography & IETF & Specifications

The JSON Web Token (JWT) Best Current Practices (BCP) specification has been updated to address the review comments from Security Area Director (AD) Eric Rescorla. Thanks to Eric for the review and to Yaron Sheffer for working on the responses with me.

Note that IETF publication has already been requested. The next step is for the shepherd review to be submitted and responded to.

The specification is available at:

• https://tools.ietf.org/html/draft-ietf-oauth-jwt-bcp-04

An HTML-formatted version is also available at:

• http://self-issued.info/docs/draft-ietf-oauth-jwt-bcp-04.html

No Comments » Posted under Claims & Cryptography & IETF & JSON & OAuth & Specifications