Musings on Digital Identity

Month: October 2019

COSE and JOSE Registrations for WebAuthn Algorithms spec addressing WGLC comments

IETF logoThe “COSE and JOSE Registrations for WebAuthn Algorithms” specification has been updated to address working group last call (WGLC) feedback received. Thanks to J.C. Jones, Kevin Jacobs, Jim Schaad, Neil Madden, and Benjamin Kaduk for their useful reviews.

The specification is available at:

An HTML-formatted version is also available at:

JSON Web Token Best Current Practices sent to the RFC Editor

OAuth logoI’m pleased to report that the JSON Web Token (JWT) Best Current Practices (BCP) specification is now technically stable and will shortly be an RFC — an Internet standard. Specifically, it has now progressed to the RFC Editor queue, meaning that the only remaining step before finalization is editorial due diligence. Thus, implementations can now utilize the draft specification with confidence that that breaking changes will not occur as it is finalized.

The abstract of the specification is:

JSON Web Tokens, also known as JWTs, are URL-safe JSON-based security tokens that contain a set of claims that can be signed and/or encrypted. JWTs are being widely used and deployed as a simple security token format in numerous protocols and applications, both in the area of digital identity, and in other application areas. The goal of this Best Current Practices document is to provide actionable guidance leading to secure implementation and deployment of JWTs.

Thanks to the OAuth working group for completing this important specification.

The specification is available at:

An HTML-formatted version is also available at:

OpenID Connect Federation draft 09 ready for your review

OpenID logoDraft 09 of the OpenID Connect Federation specification has been published at https://openid.net/specs/openid-connect-federation-1_0-09.html. This version of the specification benefitted from in-person review by experts at IIW. Major changes were:

  • Separated entity configuration discovery from operations provided by the federation API.
  • Defined new authentication error codes.

The authors believe that this version should become the second Implementer’s Draft, in preparation for interop testing in the coming year. Please review!

Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) spec addressing Gen-ART and SecDir reviews

IETF logoA new version of the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been published addressing the Gen-ART and SecDir review comments. Thanks to Christer Holmberg and Yoav Nir, respectively, for these useful reviews.

The specification is available at:

An HTML-formatted version is also available at:

Using OpenID Connect Self-Issued to Achieve DID Auth

OpenID logoMy co-authors and I recently competed the paper Using OpenID Connect Self-Issued to Achieve DID Auth, which was created as a result of discussions at the eighth Rebooting the Web of Trust workshop. The paper’s abstract is:

Proving control of a DID requires proving ownership of a private key corresponding to a public key for the DID. Of course, this could be done with a new DID-specific protocol. However, standard protocols for proving ownership of a public/private key pair already exist.

This paper describes how to reuse the Self-Issued OpenID Connect (SIOP) specification and related protocol messages to prove control of a DID. It describes both why and how to do this. Related topics, such as release of claims, are also touched upon.

Several people came to the workshop wanting to explore how to use the OpenID Connect Self-Issued OpenID Provider functionality to prove control of a Decentralized Identifier (DID), including myself. The paper describes the approach being taken by a number of groups using DIDs, including Microsoft. The paper’s publication is timely, as the W3C DID Working Group has just formed to create a DID standard. Microsoft is an active member of the working group.

Special thanks to Dmitri Zagidulin for getting the paper over the finish line!

Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) spec addressing remaining Area Director comments

IETF logoA new version of the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been published to address the remaining Area Director review comments by Benjamin Kaduk. Thanks to Ludwig Seitz for doing the bulk of the editing for this version.

The specification is available at:

An HTML-formatted version is also available at:

OpenID Presentations at September 2019 OpenID Workshop and IIW

OpenID logoI gave the following presentations at the Monday, September 30, 2019 OpenID Workshop at Verizon Media:

I also gave the following invited “101” session presentation at the Internet Identity Workshop (IIW) on Tuesday, October 1, 2019:

Powered by WordPress & Theme by Anders Norén