Mike Jones: self-issued

Musings on Digital Identity

Category: FIDO Page 1 of 2

Standards are About Making Choices

By

On June 9, 2024

In CBOR, Claims, Cryptography, Events, FIDO, IETF, Interoperability, JSON, OAuth, OpenID, Phishing Resistance, Specifications, W3C

EIC 2024 LogoI was honored to give the keynote presentation Standards are About Making Choices at the 2024 European Identity and Cloud Conference (PowerPoint) (PDF). The abstract was:

When building machines, we take for granted being able to use nuts, bolts, wires, light bulbs, and countless other parts made to industry standards. Standards contain choices about dimensions of screw threads, nut sizes, etc., enabling a marketplace of interoperable parts from multiple suppliers. Without these choices, every part would be custom manufactured. The same is true of the identity and security standards we use to build identity systems.

However, the identity and security standards at our disposal differ wildly in the degree to which they do and don’t make choices. Some consistently define ONE way to do things, resulting in everyone doing it that way (interoperability!). Others leave critical choices unmade, passing the buck to implementers and applications (your mileage may vary).

In this talk, I’ll name names and take prisoners, critiquing existing and emerging standards through the lens of the choices they made and failed to make. Hold on to your hats as we examine the pros and cons of the choices made by OAuth, SAML, X.509, OpenID Connect, Verifiable Credentials, DIDs, WebCrypto, JOSE, COSE, and many others through this lens!

I believe you’ll agree with me that making choices matters.

The conference keynote description includes a recording of the presentation.

Thanks to MATTR for providing a designer to work with me on the presentation, enabling the visual design to transcend my usual black-text-on-white-background design style!

Using Standards: Some Assembly Required

By

On May 30, 2024

In CBOR, Claims, Cryptography, Events, FIDO, IETF, Interoperability, JSON, OAuth, OpenID, Phishing Resistance, Specifications, W3C

Identiverse LogoI gave the following presentation in the session Using Standards: Some Assembly Required at the 2024 Identiverse conference (PowerPoint) (PDF). The abstract was:

  • Standards are about making choices. When building machines, we take for granted being able to use nuts, bolts, wires, light bulbs, and countless other parts made to industry standards. Standards contain choices about dimensions of screw threads, nut sizes, etc., enabling a marketplace of interoperable parts from multiple suppliers. Without these choices, every part would be custom-manufactured. The same is true of the identity and security standards we use to build the Identity Engine. However, the identity and security standards at our disposal differ wildly in the degree to which they do and don’t make choices. Some consistently define ONE way to do things, resulting in everyone doing it that way (interoperability!). Others leave critical choices unmade, passing the buck to implementers and applications (your mileage may vary). In this talk, I’ll name names and take prisoners, critiquing existing and emerging standards through the lens of the choices they made and failed to make. Hold on to your hats as we examine the pros and cons of the choices made by OAuth, SAML, X.509, OpenID Connect, Verifiable Credentials, DIDs, WebCrypto, JOSE, COSE, and many others through this lens! I believe you’ll agree with me that making choices matters.

The audience was highly engaged by the process of giving existing and emerging standards letter grades based on the choices they made (or failed to make)!

Public Drafts of Third W3C WebAuthn and FIDO2 CTAP Specifications

By

On October 10, 2023

In Cryptography, FIDO, Phishing Resistance, Privacy, Specifications, W3C

W3C logoFIDO logoThe W3C WebAuthn and FIDO2 working groups have been actively creating third versions of the W3C Web Authentication (WebAuthn) and FIDO2 Client to Authenticator Protocol (CTAP) specifications. While remaining compatible with the original and second standards, these third versions add features that have been motivated by experience with deployments of the previous versions. Additions include Cross-Origin Authentication within an iFrame, Credential Backup State, the isPasskeyPlatformAuthenticatorAvailable method, Conditional Mediation, Device-Bound Public Keys (since renamed Supplemental Public Keys), requesting Attestations during authenticatorGetAssertion, the Pseudo-Random Function (PRF) extension, the Hybrid Transport, and Third-Party Payment Authentication.

I often tell people that I use my blog as my external memory. I thought I’d post references to these drafts to help me and others find them. They are:

Thanks to John Bradley for helping me compile the list of deltas!

Touchstones Along My Identity Journey

By

On May 22, 2023

In Claims, Cryptography, Events, Federation, FIDO, History, IETF, Information Cards, Interoperability, JSON, OAuth, OpenID, People, Phishing Resistance, Specifications, Windows CardSpace

EIC 2023 LogoI had the distinct honor of being invited to give a keynote talk at EIC 2023. The result was Touchstones Along My Identity Journey. My talk abstract was:

In 2005, Kim Cameron excitedly told me about digital identity and set my life on a course to “Build the Internet’s missing identity layer”. In this talk I’ll tell key stories from my identity journey — stories of the people, ideas, and lessons learned along the way. I’ll speak of technology and collaboration, usability and business models, solving problems people actually have, and building new ecosystems. Come with me on this journey of exploration, trials, triumphs, and humor as I recount touchstones of the human endeavor that is digital identity.

Kuppinger Cole has posted a video of my keynote on YouTube. I was pleased with how well it went. After the first few sentences, I was in the zone! I hope many of you find the messages in the talk useful.

My slides are also available in (PowerPoint) and PDF.

Special thanks go to the OpenID Foundation for supporting my trip to EIC this year and to designer Alistair Kincaid at MATTR for helping me transcend my usual black-bulleted-text-on-a-white-background presentation style!

EIC 2023 Keynote Photo

EIC 2023 Keynote Photo with Kim Cameron

EIC 2023 Keynote Photo for OAuth

OpenID and FIDO Presentation at October 2021 FIDO Plenary

By

On October 21, 2021

In Events, FIDO, OpenID, Phishing Resistance

OpenID logoFIDO logoI described the relationship between OpenID and FIDO during the October 21, 2021 FIDO Alliance plenary meeting, including how OpenID Connect and FIDO are complementary. In particular, I explained that using WebAuthn/FIDO authenticators to sign into OpenID Providers brings phishing resistance to millions of OpenID Relying Parties without them having to do anything!

The presentation was:

Proof-of-possession (pop) AMR method added to OpenID Enhanced Authentication Profile spec

By

On October 13, 2021

In FIDO, OpenID, Phishing Resistance, Specifications, W3C

OpenID logoI’ve defined an Authentication Method Reference (AMR) value called “pop” to indicate that Proof-of-possession of a key was performed. Unlike the existing “hwk” (hardware key) and “swk” (software key) methods, it is intentionally unspecified whether the proof-of-possession key is hardware-secured or software-secured. Among other use cases, this AMR method is applicable whenever a WebAuthn or FIDO authenticator are used.

The specification is available at these locations:

Thanks to Christiaan Brand for suggesting this.

Second Version of FIDO2 Client to Authenticator Protocol (CTAP) Now a Standard

By

On June 23, 2021

In Cryptography, FIDO, Phishing Resistance, Privacy, Specifications

FIDO logoThe FIDO Alliance has completed the CTAP 2.1 Specification. This follows the publication of the closely-related second version of the W3C Web Authentication (WebAuthn) specification.

Today’s FIDO Alliance announcement describes the enhancements in the second version as follows:

Enhancements to FIDO standards to accelerate passwordless in the enterprise

The FIDO Alliance has announced enhancements to its FIDO2 specifications, which include several new features that will be helpful for passwordless enterprise deployments and other complex security applications. Both FIDO2 specifications were recently updated by their governing bodies — with the World Wide Web Consortium (W3C) approving WebAuthn Level 2 and FIDO doing the same for CTAP 2.1.

Key to these enhancements is enterprise attestation, which provides enterprise IT with improved management of FIDO authenticators used by employees. Enterprise attestation enables better binding of an authenticator to an account, assists with usage tracking and other management functions including credential and pin management, and biometric enrollment required in the enterprise.

Other updates include support for cross-origin iFrames and Apple attestation, as well as improvements to resident credentials. More details on these and other FIDO specification enhancements are available here.

Second Version of W3C Web Authentication (WebAuthn) Now a Standard

By

On April 14, 2021

In Cryptography, FIDO, Phishing Resistance, Privacy, Specifications, W3C

W3C logoThe World Wide Web Consortium (W3C) has published this Recommendation for the Web Authentication (WebAuthn) Level 2 specification, meaning that it now a completed standard. While remaining compatible with the original standard, this second version adds additional features, among them for user verification enhancements, manageability, enterprise features, and an Apple attestation format. The companion second FIDO2 Client to Authenticator Protocol (CTAP) specification is also approaching becoming a completed standard.

See the W3C announcement of this achievement. Also, see Tim Cappalli‘s summary of the changes in the second versions of WebAuthn and FIDO2.

Second Version of FIDO2 Client to Authenticator Protocol (CTAP) advanced to Public Review Draft

By

On March 31, 2021

In Cryptography, FIDO, Phishing Resistance, Privacy

FIDO logoThe FIDO Alliance has published this Public Review Draft for the FIDO2 Client to Authenticator Protocol (CTAP) specification, bringing the second version of FIDO2 one step closer to becoming a completed standard. While remaining compatible with the original standard, this second version adds additional features, among them for user verification enhancements, manageability, enterprise features, and an Apple attestation format.

This parallels the similar progress of the closely related second version of the W3C Web Authentication (WebAuthn) specification, which recently achieved Proposed Recommendation (PR) status.

Near-Final Second W3C WebAuthn and FIDO2 CTAP Specifications

By

On December 31, 2020

In Cryptography, FIDO, Phishing Resistance, Privacy, Specifications, W3C

W3C logoFIDO logoThe W3C WebAuthn and FIDO2 working groups have been busy this year preparing to finish second versions of the W3C Web Authentication (WebAuthn) and FIDO2 Client to Authenticator Protocol (CTAP) specifications. While remaining compatible with the original standards, these second versions add additional features, among them for user verification enhancements, manageability, enterprise features, and an Apple attestation format. Near-final review drafts of both have been published:

Expect these to become approved standards in early 2021. Happy New Year!

COSE and JOSE Registrations for Web Authentication (WebAuthn) Algorithms is now RFC 8812

By

On August 14, 2020

In CBOR, Cryptography, FIDO, IETF, JSON, Specifications, W3C

IETF logoThe W3C Web Authentication (WebAuthn) working group and the IETF COSE working group created “CBOR Object Signing and Encryption (COSE) and JSON Object Signing and Encryption (JOSE) Registrations for Web Authentication (WebAuthn) Algorithms” to make some algorithms and elliptic curves used by WebAuthn and FIDO2 officially part of COSE and JOSE. The RSA algorithms are used by TPMs. The “secp256k1” curve registered (a.k.a., the Bitcoin curve) is also used in some decentralized identity applications. The completed specification has now been published as RFC 8812.

As described when the registrations recently occurred, the algorithms registered are:

  • RS256 — RSASSA-PKCS1-v1_5 using SHA-256 — new for COSE
  • RS384 — RSASSA-PKCS1-v1_5 using SHA-384 — new for COSE
  • RS512 — RSASSA-PKCS1-v1_5 using SHA-512 — new for COSE
  • RS1 — RSASSA-PKCS1-v1_5 using SHA-1 — new for COSE
  • ES256K — ECDSA using secp256k1 curve and SHA-256 — new for COSE and JOSE

The elliptic curves registered are:

  • secp256k1 — SECG secp256k1 curve — new for COSE and JOSE

See them in the IANA COSE Registry and the IANA JOSE Registry.

Registries for Web Authentication (WebAuthn) is now RFC 8809

By

On August 11, 2020

In FIDO, IETF, Specifications, W3C

IETF logoThe W3C Web Authentication (WebAuthn) working group created the IETF specification “Registries for Web Authentication (WebAuthn)” to establish registries needed for WebAuthn extension points. These IANA registries were populated in June 2020. Now the specification creating them has been published as RFC 8809.

Thanks again to Kathleen Moriarty and Benjamin Kaduk for their Area Director sponsorships of the specification and to Jeff Hodges and Giridhar Mandyam for their work on it.

Registrations for all WebAuthn algorithm identifiers completed

By

On June 19, 2020

In CBOR, Cryptography, FIDO, IETF, JSON, Specifications, W3C

IETF logoWe wrote the specification COSE and JOSE Registrations for WebAuthn Algorithms to create and register COSE and JOSE algorithm and elliptic curve identifiers for algorithms used by WebAuthn and CTAP2 that didn’t yet exist. I’m happy to report that all these registrations are now complete and the specification has progressed to the RFC Editor. Thanks to the COSE working group for supporting this work.

Search for WebAuthn in the IANA COSE Registry and the IANA JOSE Registry to see the registrations. These are now stable and can be used by applications, both in the WebAuthn/FIDO2 space and for other application areas, including decentralized identity (where the secp256k1 “bitcoin curve” is in widespread use).

The algorithms registered are:

  • RS256 — RSASSA-PKCS1-v1_5 using SHA-256 — new for COSE
  • RS384 — RSASSA-PKCS1-v1_5 using SHA-384 — new for COSE
  • RS512 — RSASSA-PKCS1-v1_5 using SHA-512 — new for COSE
  • RS1 — RSASSA-PKCS1-v1_5 using SHA-1 — new for COSE
  • ES256K — ECDSA using secp256k1 curve and SHA-256 — new for COSE and JOSE

The elliptic curves registered are:

  • secp256k1 — SECG secp256k1 curve — new for COSE and JOSE

secp256k1 curve and algorithm registered for JOSE use

By

On May 31, 2020

In CBOR, Cryptography, FIDO, IETF, JSON, Specifications, W3C

IETF logoIANA has registered the “secp256k1” elliptic curve in the JSON Web Key Elliptic Curve registry and the corresponding “ES256K” signing algorithm in the JSON Web Signature and Encryption Algorithms registry. This curve is widely used among blockchain and decentralized identity implementations.

The registrations were specified by the COSE and JOSE Registrations for WebAuthn Algorithms specification, which was created by the W3C Web Authentication working group and the IETF COSE working group because WebAuthn also allows the use of secp256k1. This specification is now in IETF Last Call. The corresponding COSE registrations will occur after the specification becomes an RFC.

Nearing completion on two WebAuthn-related specs at the IETF

By

On May 14, 2020

In CBOR, Cryptography, FIDO, IETF, JSON, Specifications, W3C

IETF logoThis week we published updates to two IETF specifications that support the WebAuthn/FIDO2 ecosystem, as well as other uses, such as decentralized identity.

One is COSE and JOSE Registrations for WebAuthn Algorithms. It registers algorithm and elliptic curve identifiers for algorithms used by WebAuthn and FIDO2. The “secp256k1” curve being registered is also used for signing in some decentralized identity applications. The specification has completed the Area Director review and has been submitted to the IESG for publication.

The other is Registries for Web Authentication (WebAuthn). This creates IANA registries enabling multiple kinds of extensions to W3C Web Authentication (WebAuthn) implementations to be registered. This specification has completed IETF last call and is scheduled for review by the IESG.

Thanks to the COSE working group for their adoption of the algorithms specification, and to Ivaylo Petrov and Murray Kucherawy for their reviews of it. Thanks to Kathleen Moriarty and Benjamin Kaduk for their Area Director sponsorships of the registries specification and to Jeff Hodges for being primary author of it.

The specifications are available at:

COSE and JOSE Registrations for WebAuthn Algorithms spec adding explanatory comments on design decisions

By

On January 27, 2020

In CBOR, Cryptography, FIDO, IETF, JSON, Specifications, W3C

IETF logoThe “COSE and JOSE Registrations for WebAuthn Algorithms” specification has been updated to add explanatory comments on design decisions made that were discussed on the mailing list that Jim Schaad requested be added to the draft.

The specification is available at:

An HTML-formatted version is also available at:

COSE and JOSE Registrations for WebAuthn Algorithms spec addressing WGLC comments

By

On October 24, 2019

In CBOR, Cryptography, FIDO, IETF, JSON, Specifications, W3C

IETF logoThe “COSE and JOSE Registrations for WebAuthn Algorithms” specification has been updated to address working group last call (WGLC) feedback received. Thanks to J.C. Jones, Kevin Jacobs, Jim Schaad, Neil Madden, and Benjamin Kaduk for their useful reviews.

The specification is available at:

An HTML-formatted version is also available at:

W3C WebAuthn and FIDO 2.0 win 2019 European Identity and Cloud Award

By

On May 22, 2019

In Events, FIDO, Phishing Resistance, Specifications, W3C

EIC logoThe W3C WebAuthn and FIDO 2.0 standards have won the 2019 European Identity and Cloud Award for Best Future Technology / Standard Project at the European Identity and Cloud (EIC) conference. This award recognizes the significance of these recently-approved standards, which enable password-less sign-in with platform authenticators, mobile devices, and security keys. They provide a huge step forward for online security, privacy, and convenience.

Thanks to Kuppinger Cole for recognizing the importance and impact of these important new standards!

EIC 2019 Award EIC 2019 Award Certificate

FIDO2 Client to Authenticator Protocol (CTAP) standard published

By

On March 9, 2019

In Cryptography, FIDO, Phishing Resistance, Privacy, Specifications, W3C

FIDO logoI’m thrilled to report that the FIDO2 Client to Authenticator Protocol (CTAP) is now a published FIDO Alliance standard! Together with the now-standard Web Authentication (WebAuthn) specification, this completes standardization of the APIs and protocols needed to enable password-less logins on the Web, on PCs, and on and mobile devices. This is a huge step forward for online security, privacy, and convenience!

The FIDO2 CTAP standard is available in HTML and PDF versions at these locations:

The W3C Web Authentication (WebAuthn) specification is now a standard!

By

On March 4, 2019

In Cryptography, FIDO, Phishing Resistance, Privacy, Specifications, W3C

W3C logoI’m thrilled to report that the Web Authentication (WebAuthn) specification is now a W3C standard! See the W3C press release describing this major advance in Web security and convenience, which enables logging in without passwords. Alex Simons, Microsoft Vice President of Identity Program Management is quoted in the release, saying:

“Our work with W3C and FIDO Alliance, and contributions to FIDO2 standards have been a critical piece of Microsoft’s commitment to a world without passwords, which started in 2015. Today, Windows 10 with Microsoft Edge fully supports the WebAuthn standard and millions of users can log in to their Microsoft account without using a password.”

The release also describes commitments to the standard by Google, Mozilla, and Apple, among others. Thanks to all who worked on the standard and who built implementations as we developed the standard — ensuring that that the standard can be used for a broad set of use cases, including password-less sign-in with platform authenticators, mobile devices, and security keys.

Page 1 of 2

Next

Powered by WordPress & Theme by Anders Norén