I gave the following invited “101” session presentation at the Internet Identity Workshop (IIW) on Tuesday, October 23, 2018:
- Introduction to OpenID Connect (PowerPoint) (PDF)
Month: October 2018
Now that the Security Event Token (SET) specification is RFC 8417, the SecEvent working group is working on defining the SET delivery mechanisms. This week, both the push-based and poll-based SET delivery specs have been updated to simplify their exposition and reduce duplication of text between the drafts. Thanks to Annabelle Backman for doing the bulk of the recent work on the push-based delivery spec. The latest versions of both specs contain these updates:
- Addressed problems identified in my 18-Jul-18 review message titled “Issues for both the Push and Poll Specs”.
- Changes to align terminology with RFC 8417, for instance, by using the already defined term SET Recipient rather than SET Receiver.
- Applied editorial and minor normative corrections.
- Updated Marius Scurtescu’s contact information.
In addition, the latest version of the poll delivery spec also contains this update:
- Begun eliminating redundancies between this specification and “Push-Based Security Event Token (SET) Delivery Using HTTP”, referencing, rather that duplicating common normative text.
The specifications are available at:
- https://tools.ietf.org/html/draft-ietf-secevent-http-push-03
- https://tools.ietf.org/html/draft-ietf-secevent-http-poll-01
HTML-formatted versions are also available at:
The IETF Token Binding working group has completed the core Token Binding specifications. These new standards are:
- RFC 8471: The Token Binding Protocol Version 1.0
- RFC 8472: Transport Layer Security (TLS) Extension for Token Binding Protocol Negotiation
- RFC 8473: Token Binding over HTTP
As Alex Simons recently wrote, it’s time for token binding. Especially now that the core specs are done, now’s the time for platforms and applications to deploy Token Binding. This will enable replacing bearer tokens, which can be stolen and reused, with Token Bound tokens, which are useless if stolen. This is a huge security benefit applicable to any tokens used over TLS, including browser cookies, OAuth access tokens and refresh tokens, and OpenID Connect ID Tokens.
Congratulations especially to the editors Andrei Popov, Dirk Balfanz, Jeff Hodges, Magnus Nyström, and Nick Harper and the chairs John Bradley and Leif Johansson for getting this done!
I likewise look forward to timely completion of related Token Binding specifications, which enable use of Token Binding with TLS 1.3, with OAuth 2.0, and with OpenID Connect.