Musings on Digital Identity

Month: February 2024

COSE “typ” (type) Header Parameter Specification Addressing IETF Last Call Feedback

IETF logoOrie Steele and I have updated the COSE “typ” (type) Header Parameter Specification to address feedback received during IETF Last Call. No normative changes were made.

Thanks to those that reviewed the specification!

The specification is available at:

Besides the spec being useful on its own, it’s worth noting that the CBOR Web Token (CWT) Claims in COSE Headers specification references this spec, and so won’t exit the RFC Editor queue as an RFC until this one also does.

Continued refinement: OpenID Federation draft 33 published

OpenID logoOpenID Federation draft 33 has been published at https://openid.net/specs/openid-federation-1_0-33.html and https://openid.net/specs/openid-federation-1_0.html. The working group continues refining the specification to make it more consistent and easier to read and implement.

We published draft 33 now to get these improvements out to implementers. Per the history entries at https://openid.net/specs/openid-federation-1_0-33.html#name-document-history, a summary of changes made in -32 and -33 is:

-33:

  • Addressed #2111: The metadata_policy_crit claim MAY only appear in Subordinate Statements and its values apply to all metadata_policies found in the Trust Chain.
  • Fixed #2096: Authorization Signed Request Object may contain trust_chain in its payload and should not in its JWS header parameters.
  • Strengthen language requiring client verification with automatic registration.
  • Fixed #2076: Promoted Trust Marks to be a top-level section.
  • Added General-Purpose JWT Claims section.
  • Moved Federation Endpoints section before Obtaining Federation Entity Configuration Information section.
  • Fixed #2110: Explanation text when multiple entity_type parameters are provided in the Subordinate Listing endpoint.
  • Fixed #2112, #2113, and #2114: Defined that client authentication is not used by default and that the default client authentication method, when used, is private_key_jwt. Specified that requests using client authentication use HTTP POST.
  • Fixed #2104: Allow trust marks in Subordinate Statements for implementation profiles that might want this.
  • Fixed #2103: Addressed ambiguities in the definition of constraints.

-32:

  • Tightened OpenID Connect Client Registration section.
  • Tightened appendix examples.
  • Fixed #2075: Trust Mark endpoint for the provisioning of the Trust Marks.
  • Fixed #2085: Trust Marked Entities Listing, added sub URL query parameter.
  • Made fetch issuer unambiguous by making the iss parameter REQUIRED.
  • Introduced the term “Subordinate Statement” and applied it throughout the specification. Also consistently use the term “registration Entity Statement” for Explicit Client Registration results.
  • Clarified where Entity Statement claims can and cannot occur.
  • Renamed policy_language_crit to metadata_policy_crit.
  • Fixed #2093: Numbered the list defining the order policy operators are applied in.

Special thanks to Stefan Santesson for his thorough review of the specification in the context of the Swedish Federation deployment!

Powered by WordPress & Theme by Anders Norén