Musings on Digital Identity

Category: IETF Page 1 of 8

WGLC for JOSE and COSE HPKE Specifications

IETF logoHybrid Public Key Encryption (HPKE) was standardized by RFC 9180 in February 2022. It is “hybrid” in the sense that it combines public key cryptographic operations to establish a symmetric key with symmetric cryptographic algorithms using the established key to do the content encryption. It has its own set of registries where Key Encapsulation Mechanisms (KEMs), Key Derivation Functions (KDFs), and Authenticated Encryption with Associated Data (AEAD) algorithms used with HPKE are registered. The KEMs registered include post-quantum KEMs.

There’s been a multi-year effort to bring HPKE encryption to applications using JSON Web Encryption (JWE) and COSE encryption. As has been done by other protocols using HPKE, such as MLS, both the JOSE and COSE HPKE specifications made choices about which cryptographic operations make sense together in the specification’s context, as well as which HPKE features to use. Making those choices within the working groups is part of what made these specifications take a while. There’s also been a deliberate effort to keep the specifications aligned where it made sense.

The good news is that both the JOSE and COSE HPKE specifications have matured to the point where Working Group Last Call (WGLC) has started for them. The two WGLCs are intentionally running concurrently because the drafts are closely related and their functionality is intended to be aligned. They run until Friday, June 20, 2025.

Please participate in the WGLCs on either the jose@ietf.org or cose@ietf.org mailing lists, respectively. The messages to reply to are:

The specifications entering WGLC together are:

Finally, I’ll note that a new IETF HPKE working group has recently been formed to make updates to the HPKE specification. Among the chartered updates are adding post-quantum KEMs and hybrid combined KEMs.

Thanks to all in both working groups who helped us reach this point!

Ten Years of JSON Web Token (JWT) and Preparing for the Future

IETF logoTen years ago this week, in May 2015, the JSON Web Token (JWT) became RFC 7519. This was the culmination of a 4.5 year journey to create a simple JSON-based security token format and underlying JSON-based cryptographic standards. The full set of RFCs published together was:

  • RFC 7515: JSON Web Signature (JWS)
  • RFC 7516: JSON Web Encryption (JWE)
  • RFC 7517: JSON Web Key (JWK)
  • RFC 7518: JSON Web Algorithms (JWA)
  • RFC 7519: JSON Web Token (JWT)
  • RFC 7520: Examples of Protecting Content Using JSON Object Signing and Encryption (JOSE)
  • RFC 7521: Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants
  • RFC 7522: Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants
  • RFC 7523: JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants

It’s certainly the case that we co-designed JWT and its underpinnings with OpenID Connect, while also attempting to create general-purpose, widely useful standards. Given the adoption that’s ensued, it seems that we succeeded.

As I wrote in my post JWTs helping combat fraudulent and unwanted telephone calls, “It’s often said that one sign of a standard having succeeded is that it’s used for things that the inventors never imagined.” I’m gratified that this applies to JWT and the related specifications. As was written in the post Essential Moments in the OAuth and OpenID Connect Timeline, it’s now hard to imagine an online security world without these standards.

That said, there’s work underway to keep JWTs and the use of them secure for the next decade. Five years ago, the JSON Web Token Best Current Practices specification was created. As I wrote then:

This Best Current Practices specification contains a compendium of lessons learned from real JWT deployments and implementations over that period. It describes pitfalls and how to avoid them as well as new recommended practices that enable proactively avoiding problems that could otherwise arise.

My coauthors Yaron Sheffer and Dick Hardt and I are now updating the JWT BCP to describe additional threats and mitigations that have become known in the last five years. See the updated JSON Web Token Best Current Practices specification.

Similarly, my coauthors Brian Campbell and Chuck Mortimore of the JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants are updating it and related specifications to address vulnerabilities caused by ambiguities in the audience values of tokens sent to the authorization server. See the RFC7523bis specification.

I’m truly grateful that my coauthors John Bradley and Nat Sakimura and I created something useful and widely used ten years ago, of course with substantial contributions from the OAuth, JOSE, and OpenID Connect working groups. I look forward to what the next decade will bring!

Fully-Specified Algorithms are now the Law of the Land

IETF logoI’m thrilled to be able to report that, from now on, only fully-specified algorithms will be registered for JOSE and COSE. Furthermore, fully-specified signature algorithms are now registered to replace the previously registered polymorphic algorithms, which are now deprecated. For example, you can now use Ed25519 and Ed448 instead of the ambiguous EdDSA.

The new IANA JOSE registrations and IANA COSE registrations are now in place, as are the deprecations of the polymorphic signing algorithms. And perhaps most significantly for the long term, the instructions to the designated experts for both registries have been updated so that only fully-specified algorithms will be registered going forward.

Lots of people deserve credit for this significant improvement to both ecosystems. Filip Skokan was the canary in the coal mine, alerting the OpenID Connect working group to the problems with trying to sign with Ed25519 and Ed448 when there were no algorithm identifiers that could be used to specify their use. Similarly, John Bradley alerted the WebAuthn working group to the same problems for WebAuthn and FIDO2, devising the clever and awful workaround that, when used by those specs, EdDSA is to be interpreted as meaning Ed25519. John also supported this work as a JOSE working group chair. Roman Danyliw supported including the ability to specify the use of fully-specified algorithms in the JOSE charter as the Security Area Director then responsible for JOSE. Karen O’Donoghue created the shepherd write-up as JOSE co-chair. Deb Cooley thoroughly reviewed and facilitated advancement of the specification as the Security Area Director currently responsible for JOSE. And of course, Orie Steele, the co-inventor of the fully-specified algorithms idea, and my co-author since our audacious proposal to fix the polymorphic algorithms problem at IETF 117 in July 2023 deserves huge credit for making the proposal a reality!

The specification is now in the RFC Editor Queue. I can’t wait until it pops out the other side as an RFC!

The specification is available at:

Thanks to all who helped make fully-specified algorithms the law of the land!

So you want to use Digital Credentials? You’re now facing a myriad of choices!

EIC 2025 LogoI gave the keynote talk So you want to use Digital Credentials? You’re now facing a myriad of choices! at EIC 2025. I opened by describing engineering choices – credential formats (W3C VCs, ISO mDOCs, SD-JWTs, SD-CWTs, JWPs, X.509 Certificates), issuance and presentation mechanisms (bespoke and standards-based, in-person and remote), mechanisms for choosing them (query languages, user interfaces), and trust establishment mechanisms (trust lists, certificates, and federation).

I then upped the ante by talking about the criticality of usability, the challenges of building ecosystems (something Andrew Nash first explained to me most of two decades ago!), and how digital credentials are not an end in and of themselves; they’re a tool to help us solve real-world problems. And of course, I closed by coming back to my theme Standards are About Making Choices, urging us to come together and make the right choices to enable interoperable use of digital credentials in ways that benefit people worldwide.

View my slides as PowerPoint or PDF. I’ll also post a link to the video of the presentation here once Kuppinger Cole posts it.

EIC 2025 Andrew Nash

Thought Experiment on Trust Establishment

Will people be able to use it and want to?

Standards Are About Making Choices

Thank You to SIROS

Mike Jones Candid

Fully-Specified Algorithms Specification Addressing IESG Feedback

IETF logoOrie Steele and I have updated the “Fully-Specified Algorithms for JOSE and COSE” specification to address feedback received through directorate reviews and from Internet Engineering Steering Group (IESG) members. This prepares us for consideration of the specification by the IESG during its “telechat” on Thursday. This is an important milestone towards progressing the specification to become an RFC.

Changes made since I last wrote about the spec, as summarized in the history entries, are:

-11

  • Stated in the abstract that the specification deprecates some polymorphic algorithm identifiers, as suggested by Éric Vyncke.

-10

  • Provided a complete list of the Recommended column terms for COSE registrations, as suggested by Mohamed Boucadair.
  • Applied suggestions to improve the exposition received during IESG review.

-09

  • Addressed comments from secdir review by Kathleen Moriarty.

-08

  • Updated requested Brainpool algorithm numbers to match those chosen by Sean Turner.
  • Incorporated wording suggestions by Vijay Gurbani.

The specification is available at:

Hybrid Public Key Encryption (HPKE) for JOSE incorporating feedback from IETF 122

IETF logoThe “Use of Hybrid Public-Key Encryption (HPKE) with JSON Object Signing and Encryption (JOSE)” specification has updated to incorporate feedback from IETF 122 in Bangkok.

Per the History entries, the changes were:

  • Use "enc":"int" for integrated encryption.
  • Described the reasons for excluding authenticated HPKE.
  • Stated that mutually known private information MAY be used as the HPKE info value.

At this point, the authors have closed all the issues and PRs that we believe there’s consensus to address. I would normally suggest that we’re ready for working group last call at this point, but I’d like us to take the extra step to verify that the spec is aligned with the COSE HPKE spec first. Both as an author of the JOSE HPKE spec and as a COSE chair interested in the COSE HPKE spec, I’d request that members of both working groups review the specs together and send their feedback.

OAuth 2.0 Protected Resource Metadata is now RFC 9728

OAuth logoThe OAuth 2.0 Protected Resource Metadata specification has been published as RFC 9728! This is certainly the longest that any RFC that I have worked on has taken from initial individual draft to RFC – August 2016 to April 2025 – 8 years and 8 months. As we discussed at the 2025 OAuth Security Workshop in Reykjavík:

Timing can be fickle. What may not be useful at one time can turn out to be useful later.

Per the abstract, here’s what it adds to the OAuth 2.0 family of specifications:

This specification defines a metadata format that an OAuth 2.0 client or authorization server can use to obtain the information needed to interact with an OAuth 2.0 protected resource.

It joins the OAuth 2.0 Dynamic Client Registration Protocol [RFC 7591] and OAuth 2.0 Authorization Server Metadata [RFC 8414] specifications, completing the set of metadata specifications for all three OAuth 2.0 roles.

I’m glad to have co-authored this one with long-time collaborator Phil Hunt and new collaborator Aaron Parecki. And I’m proud of the fact that all of my last five RFCs had a co-author for which it was their first RFC; in this case, it’s Aaron’s first RFC.

Congratulations, Aaron! It was a pleasure working on this with you.

SPICEy Developments

IETF logoThis week saw several useful developments in the IETF Secure Patterns for Internet CrEdentials (SPICE) working group. Two new drafts were adopted and an individual draft was published also intended for later adoption by the working group. Here’s the tour…

  • GLobal Unique Enterprise (GLUE) Identifiers was adopted. The specification’s abstract is:

    This specification establishes an IETF URN namespace for GLobal Unique Enterprise (GLUE) Identifiers. It also establishes an IETF URN namespace for identifiers defined by the IETF Secure Patterns for Internet CrEdentials (SPICE) working group. The GLUE URN namespace is within the SPICE URN namespace.

    I worked closely with Brent Zundel on this one, primarily defining and using the IETF SPICE URN namespace, in which the GLUE namespace now resides.

  • OpenID Connect standard claims registration for CBOR Web Tokens was adopted. The specification’s abstract is:

    This document registers OpenID Connect standards claims already used in JSON Web Tokens for CBOR Web Tokens.

    While I didn’t work on this specification directly, I did suggest changes to the initial version to its author, Beltram Maldant, intended to make the spec ready for working group adoption, in my role as a Designated Expert for the IANA CBOR Web Token (CWT) Claims registry. I’m glad this is happening!

  • Traceability Claims was updated with an eye towards future working group adoption. The specification’s abstract is:

    This document defines claims to support traceability of physical goods across supply chains, focusing on items such as bills of lading, transport modes, and container manifests. These claims standardize the encoding of essential logistics and transport metadata, facilitating enhanced transparency and accountability in global supply chains. These claims are registered for use in both CBOR Web Tokens (CWTs) and JSON Web Tokens (JWTs).

    I worked closely with Mike Prorock on this one, primarily motivating and refining the claim definitions and registering JWT claims in addition to the corresponding CWT claims.

SPICEy indeed!

Fully-Specified Algorithms Specification Addressing Area Director Feedback

IETF logoOrie Steele and I want to thank Deb Cooley for her Area Director review of the “Fully-Specified Algorithms for JOSE and COSE” specification. Addressing it simplified the exposition, while preserving the essence of what the draft accomplishes.

Specifically, the resulting draft significantly simplified the fully-specified encryption description and removed the appendix on polymorphic ECDH algorithms. We also stated that HSS-LMS is not fully specified, as suggested by John Preuß Mattsson.

The draft has now completed IETF last call, with the two resulting reviews stating that the draft is ready for publication.

The specification is available at:

COSE Algorithms for Two-Party Signing

IETF logoEmil Lundberg and I have published the COSE Algorithms for Two-Party Signing specification. Its abstract is:

This specification defines COSE algorithm identifiers used when the signing operation is performed cooperatively between two parties. When performing two-party signing, the first party typically hashes the data to be signed and the second party signs the hashed data computed by the first party. This can be useful when communication with the party holding the signing private key occurs over a limited-bandwidth channel, such as NFC or Bluetooth Low Energy (BLE), in which it is infeasible to send the complete set of data to be signed. The resulting signatures are identical in structure to those computed by a single party, and can be verified using the same verification procedure without additional steps to preprocess the signed data.

A motivating use case for this is for WebAuthn/FIDO2 Authenticators to use when signing application data, as described in the proposed WebAuthn signing extension. Parts of this spec’s content were previously in the Asynchronous Remote Key Generation (ARKG) algorithm spec, which we’ve also been updated.

I plan to talk about the spec during IETF 122 in Bangkok. I hope to see many of you there!

The specification is available at:


This work was supported by the SIROS Foundation.

The Cambrian Explosion of OAuth and OpenID Specifications

OAuth Security WorkshopVladimir Dzhuvinov and I led a discussion on The Cambrian Explosion of OAuth and OpenID Specifications at the 2025 OAuth Security Workshop in Reykjavík.

The abstract for the session was:

The number of OAuth and OpenID specifications continues to grow. At present there are 30 OAuth RFCs, two more in the RFC Editor queue, 13 OAuth working group drafts, and another eight individual OAuth drafts that may advance. There are nine JOSE RFCs and seven working group drafts. There are four SecEvent RFCs. On the OpenID side, there are 12 final OpenID Connect specs, three final FAPI specs, one final MODRNA spec, three final eKYC-IDA specs, and 24 Implementer’s drafts across the OpenID working groups, plus another ten working group drafts.

The number of possible combinations boggles the mind. And there’s no end in sight!

What’s a developer to do? How have people and companies gone about selecting and curating the specs to implement in an attempt to create coherent and useful open source and commercial offerings? And faced with such an array of combinations and choices, how are application developers to make sense of it all? How can interoperability be achieved in the face of continued innovation?

This session will prime the pump by discussing choices made by some existing open source and commercial offerings in the OAuth and OpenID space and lead to an open discussion of choices made by the workshop attendees and the reasoning behind them. It’s our goal that useful strategies emerge from the discussion that help people grapple with the ever-expanding sets of specifications and make informed implementation choices, while still fostering the innovation and problem-solving that these specifications represent.

The slides used to queue up the discussion session are available as PowerPoint and PDF. Also, see the list of 101 OAuth and OpenID-related specifications referenced during the discussion.

The topic seems to have touched a chord. Many people were clearly already thinking about the situation and shared their views. Some of them were:

  • Nobody actually expects everyone to implement everything.
  • Stopping things is super hard. But sometimes it’s necessary (as Brian Campbell put it, “when they’re wrong”).
  • Timing can be fickle. What may not be useful at one time can turn out to be useful later.
  • Some specs are highly related and often used together. But those relationships are not always apparent to those new to the space.
  • We need better on-ramps to help people new to the space wrap their arms around the plethora specs and what they’re useful for.
  • Well-written profiles are a way of managing the complexity. For instance, FAPI 2 limits choices, increasing both interoperability and security.
  • The amount of innovation happening is a sign of success!

Thanks to the organizers for a great tenth OAuth Security Workshop! And special thanks to the colleagues from Signicat who did a superb job with local arrangements in Reykjavík!

Twenty Years of Digital Identity!

Kim Cameron first told me what Digital Identity is on February 1, 2005. He said that the Internet was created without an identity layer. He encouraged me “You should come help build it with me.” I’ve been at it ever since!

What I wrote about digital identity a decade ago remains as true today:

An interesting thing about digital identity is that, by definition, it’s not a problem that any one company can solve, no matter how great their technology is. For digital identity to be “solved”, the solution has to be broadly adopted, or else people will continue having different experiences at different sites and applications. Solving digital identity requires ubiquitously adopted identity standards. Part of the fun and the challenge is making that happen.

I’m not going to even try to list all the meaningful identity and security initiatives that I’ve had the privilege to work on with many of you. But I can’t resist saying that, in my view, OpenID Connect, JSON Web Token (JWT), and OAuth 2.0 are the ones that we knocked out of the park. I tried to distill the lessons learned from many of the initiatives, both successes and failures, during my 2023 EIC keynote Touchstones Along My Identity Journey. And there’s a fairly complete list of the consequential things I’ve gotten to work on in my Standards CV.

I’ll also call attention to 2025 marking twenty years of the Internet Identity Workshop. I attended the first one, which was held in Berkeley, California in October 2005, and all but one since. What a cast of characters I met there, many of whom I continue working with to this day!

As a personal testament to the value of IIW, it’s where many of the foundational decisions about what became JWS, JWE, JWK, JWT, and OpenID Connect were made. Particularly, see my post documenting decisions made at IIW about JWS, including the header.payload.signature representation of the JWS Compact Serialization and the decision to secure the Header Parameters. And see the posts following it on JWE decisions, naming decisions, and JWK decisions. IIW continues playing the role of enabling foundational discussions for emerging identity technologies today!

It’s been a privilege working with all of you for these two decades, and I love what we’ve accomplished together! There’s plenty of consequential work under way and I’m really looking forward to what comes next.

Mike Jones Kim with Coffee

Images are courtesy of Doc Searls. Each photo links to the original.

OAuth 2.0 Protected Resource Metadata Specification in RFC Editor Queue

OAuth logoI’m pleased to report that the “OAuth 2.0 Protected Resource Metadata” specification has been approved by the IESG and is now in the RFC Editor queue.

The version approved by the IESG and sent to the RFC Editor is:

It joins OAuth 2.0 Security Best Current Practice and JWT Response for OAuth Token Introspection, which are also both currently there.

Thanks to the IETF directorate reviewers and IESG members for their feedback that resulted in improvements to the specification!

OAuth 2.0 Protected Resource Metadata draft addressing reviews since IETF Last Call

OAuth logoAaron Parecki and I published a new version the “OAuth 2.0 Protected Resource Metadata” specification that addresses the review comments received since the IETF Last Call. Per the history entries, the changes were:

  • Added metadata values declaring support for DPoP and mutual-TLS client certificate-bound access tokens.
  • Added missing word caught during IANA review.
  • Addressed ART, SecDir, and OpsDir review comments by Arnt Gulbrandsen, David Mandelberg, and Bo Wu, resulting in the following changes:
  • Added step numbers to sequence diagram.
  • Defined meaning of omitting bearer_methods_supported metadata parameter.
  • Added internationalization of human-readable metadata values using the mechanism from [RFC7591].
  • Added resource_name metadata parameter, paralleling client_name in [RFC7591].
  • Added Security Considerations section on metadata caching.
  • Used and referenced Resource Identifier definition.
  • Added motivating example of an email client to intro.

The specification is available at:

Fully-Specified Algorithms Specification Addressing Feedback from IETF 120

IETF logoOrie Steele and I have updated the “Fully-Specified Algorithms for JOSE and COSE” specification to incorporate feedback from IETF 120 in Vancouver. Specifically, the registrations for fully-specified Elliptic Curve Diffie-Hellman (ECDH) algorithms in draft 03 were removed, along with the previously proposed fully-specified ECDH algorithm identifiers, while continuing to describe how to create fully-specified ECDH algorithms in the future, if needed.

The specification is available at:

Fully-Specified Algorithms Specification Addressing Working Group Last Call Comments

IETF logoOrie Steele and I have updated the “Fully-Specified Algorithms for JOSE and COSE” specification to incorporate working group last call (WGLC) feedback. Thanks to all who took the time to comment on the draft. Your feedback was exceptionally actionable and helped to substantially improve the specification. Responses to each WGLC comment thread were sent on the IETF JOSE working group mailing list.

The updated draft attempts to discuss the full range of the problems created by polymorphic algorithm identifiers. Guided by working group feedback, it strikes an engineering balance between which of these problems to fix immediately in the specification and which to describe how future specifications can fix later as the need arises.

I look forward to discussing next steps for the specification at IETF 120 in Vancouver.

The specification is available at:

OAuth 2.0 Protected Resource Metadata draft addressing shepherd comments

OAuth logoThe “OAuth 2.0 Protected Resource Metadata” specification has been updated to address feedback from our document shepherd Rifaat Shekh-Yusef in advance of IETF 120 in Vancouver. All changes were strictly editorial.

The specification is available at:

CBOR Web Token (CWT) Claims in COSE Headers is now RFC 9597

IETF logo The CBOR Web Token (CWT) Claims in COSE Headers specification has been published as RFC 9597! This closes a gap for COSE relative to JOSE, adding the ability to use CWT claims in COSE header parameters, just as JWT claims can be used in JOSE header parameters.

The specification abstract is:

This document describes how to include CBOR Web Token (CWT) claims in the header parameters of any CBOR Object Signing and Encryption (COSE) structure. This functionality helps to facilitate applications that wish to make use of CWT claims in encrypted COSE structures and/or COSE structures featuring detached signatures, while having some of those claims be available before decryption and/or without inspecting the detached payload. Another use case is using CWT claims with payloads that are not CWT Claims Sets, including payloads that are not CBOR at all.

Special thanks to my co-author Tobias Looker, who had a use case for this functionality and wrote an RFC with me defining it (his first!). It was a pleasure working with Tobias on the draft as we navigated the ins and outs of working group feedback and IETF processes. The spec was refined by the journey we took together. And as with CBOR Object Signing and Encryption (COSE) “typ” (type) Header Parameter (now RFC 9596) that immediately preceded it, I believe the CBOR and COSE ecosystems are better for it.

COSE “typ” (type) Header Parameter is now RFC 9596

IETF logo The CBOR Object Signing and Encryption (COSE) “typ” (type) Header Parameter specification has been published as RFC 9596! This closes a gap for COSE relative to JOSE, adding the ability to use media types to declare the content of the complete COSE object.

The specification abstract is:

This specification adds the equivalent of the JSON Object Signing and Encryption (JOSE) “typ” (type) header parameter to CBOR Object Signing and Encryption (COSE). This enables the benefits of explicit typing (as defined in RFC 8725, “JSON Web Token Best Current Practices”) to be brought to COSE objects. The syntax of the COSE type header parameter value is the same as the existing COSE content type header parameter.

Special thanks to my co-author Orie Steele, who pointed out the gap and proposed that we close it. He was an active participant and insightful partner in making this RFC happen (his first!). The CBOR and COSE ecosystems are better for it.

Standards are About Making Choices

EIC 2024 LogoI was honored to give the keynote presentation Standards are About Making Choices at the 2024 European Identity and Cloud Conference (EIC) (PowerPoint) (PDF). The abstract was:

When building machines, we take for granted being able to use nuts, bolts, wires, light bulbs, and countless other parts made to industry standards. Standards contain choices about dimensions of screw threads, nut sizes, etc., enabling a marketplace of interoperable parts from multiple suppliers. Without these choices, every part would be custom manufactured. The same is true of the identity and security standards we use to build identity systems.

However, the identity and security standards at our disposal differ wildly in the degree to which they do and don’t make choices. Some consistently define ONE way to do things, resulting in everyone doing it that way (interoperability!). Others leave critical choices unmade, passing the buck to implementers and applications (your mileage may vary).

In this talk, I’ll name names and take prisoners, critiquing existing and emerging standards through the lens of the choices they made and failed to make. Hold on to your hats as we examine the pros and cons of the choices made by OAuth, SAML, X.509, OpenID Connect, Verifiable Credentials, DIDs, WebCrypto, JOSE, COSE, and many others through this lens!

I believe you’ll agree with me that making choices matters.

The conference keynote description includes a recording of the presentation.

Thanks to MATTR for providing a designer to work with me on the presentation, enabling the visual design to transcend my usual black-text-on-white-background design style!

Page 1 of 8

Powered by WordPress & Theme by Anders Norén