Musings on Digital Identity

Month: May 2017

Thirty years ago today… and at last I knew Pittsburgh

This appeared in the Columbus Dispatch on Tuesday, May 19, 1987 on page B1…

“I didn’t expect to win,” said Sheila Richter of Minneapolis after taking top honors, or dishonors, in an annual bad writing contest that drew more than 10,000 entries. “I knew my entry was dreadful, but I didn’t know it was that dreadful.” Richter, who works at the University of Minnesota, wins a personal computer and “whatever public humiliation may come her way,” said Scott Rice, an English professor at San Jose State University and founder of the Bulwer-Lytton Fiction Contest. Richter’s winning entry reads: “The notes blatted skyward as the sun rose over the Canada geese, feathered rumps mooning the day, webbed appendages frantically pedaling unseen bicycles in their search for sustenance, driven by cruel Nature’s maxim, ‘ya wanna eat, ya gotta work,’ and at last I knew Pittsburgh.”

Clarified Security Considerations in Using RSA Algorithms with COSE Messages

IETF logoA slightly updated version of the “Using RSA Algorithms with COSE Messages” specification has been published in preparation for IETF last call. Changes were:

  • Clarified the Security Considerations in ways suggested by Kathleen Moriarty.
  • Acknowledged reviewers.

The specification is available at:

An HTML-formatted version is also available at:

Strong Authentication and Token Binding Presentations at EIC 2017

EIC logoI gave two presentations at the 2017 European Identity and Cloud Conference (EIC) on progress we’re making in creating and deploying important new identity and security standards. The presentations were:

  • Strong Authentication using Asymmetric Keys on Devices Controlled by You: This presentation is about the new authentication experiences enabled by the W3C Web Authentication (WebAuthn) and FIDO 2.0 Client To Authenticator Protocol (CTAP) specifications. It describes the progress being made on the standards and shows some example user experiences logging in using authenticators. Check it out in PowerPoint or PDF.
  • Token Binding Standards and Applications: Securing what were previously bearer tokens: This presentation is about how data structures such as browser cookies, ID Tokens, and access tokens can be cryptographically bound to the TLS channels on which they are transported, making them no longer bearer tokens. It describes the state of the Token Binding standards (IETF, OAuth, and OpenID) and provides data on implementations and deployments to date. This presentation was a collaboration with Brian Campbell of Ping Identity. Check it out in PowerPoint or PDF.

Mike presenting at EIC 2017
(Photo from

Fifth working draft of W3C Web Authentication Specification

W3C logoThe W3C Web Authentication working group has published the fifth working draft of the W3C Web Authentication specification. It has a new title that’s more reflective of what it enables: “Web Authentication: An API for accessing Public Key Credentials“. Among other changes, the draft is now aligned with the W3C Credential Management API. Numerous issues were resolved and many improvements in the process of creating this release.

While not a candidate recommendation, this version is informally intended by the working group to be an Implementer’s Draft, which will be used for experimenting with implementations of the API.

Powered by WordPress & Theme by Anders Norén