Mike Jones: self-issued

Musings on Digital Identity

Month: June 2024

CBOR Web Token (CWT) Claims in COSE Headers is now RFC 9597

By

On June 24, 2024

In CBOR, Claims, IETF, Specifications

IETF logo The CBOR Web Token (CWT) Claims in COSE Headers specification has been published as RFC 9597! This closes a gap for COSE relative to JOSE, adding the ability to use CWT claims in COSE header parameters, just as JWT claims can be used in JOSE header parameters.

The specification abstract is:

This document describes how to include CBOR Web Token (CWT) claims in the header parameters of any CBOR Object Signing and Encryption (COSE) structure. This functionality helps to facilitate applications that wish to make use of CWT claims in encrypted COSE structures and/or COSE structures featuring detached signatures, while having some of those claims be available before decryption and/or without inspecting the detached payload. Another use case is using CWT claims with payloads that are not CWT Claims Sets, including payloads that are not CBOR at all.

Special thanks to my co-author Tobias Looker, who had a use case for this functionality and wrote an RFC with me defining it (his first!). It was a pleasure working with Tobias on the draft as we navigated the ins and outs of working group feedback and IETF processes. The spec was refined by the journey we took together. And as with CBOR Object Signing and Encryption (COSE) “typ” (type) Header Parameter (now RFC 9596) that immediately preceded it, I believe the CBOR and COSE ecosystems are better for it.

COSE “typ” (type) Header Parameter is now RFC 9596

By

On June 11, 2024

In CBOR, Claims, IETF, Specifications

IETF logo The CBOR Object Signing and Encryption (COSE) “typ” (type) Header Parameter specification has been published as RFC 9596! This closes a gap for COSE relative to JOSE, adding the ability to use media types to declare the content of the complete COSE object.

The specification abstract is:

This specification adds the equivalent of the JSON Object Signing and Encryption (JOSE) “typ” (type) header parameter to CBOR Object Signing and Encryption (COSE). This enables the benefits of explicit typing (as defined in RFC 8725, “JSON Web Token Best Current Practices”) to be brought to COSE objects. The syntax of the COSE type header parameter value is the same as the existing COSE content type header parameter.

Special thanks to my co-author Orie Steele, who pointed out the gap and proposed that we close it. He was an active participant and insightful partner in making this RFC happen (his first!). The CBOR and COSE ecosystems are better for it.

Celebrating Ten Years of OpenID Connect at Identiverse and EIC

By

On June 11, 2024

In Claims, Events, Federation, History, JSON, OAuth, OpenID, Specifications

EIC 2024 LogoIdentiverse LogoWe held the second and third of the three planned tenth anniversary celebrations for the completion of OpenID Connect at the 2024 Identiverse conference and European Identity and Cloud Conference. That concludes celebrations in Asia, the Americas, and Europe!

At both Identiverse and EIC, panelists included Nat Sakimura, John Bradley, and myself. Chuck Mortimore joined us at Identiverse. And Torsten Lodderstedt added his perspectives at EIC. We shared our perspectives on what led to OpenID Connect, why it succeeded, and what lessons we learned along the way.

The most common refrain throughout our descriptions was the design philosophy to “Keep simple things simple”. This was followed closely by the importance of early feedback from developers and deployers.

Chuck reached back in time to his OpenID slides from 2011. He reflected on what he was thinking at the time versus what actually happened (and why). Torsten pointed out the importance of cooperation, certification, security analysis, open standards, and an approachable community. At Identiverse, Nat reached back 25 years, examining the intellectual underpinnings and history of OpenID. And at EIC, Nat tackled assertions that OpenID Connect can be complex. John concluded by observing that the OpenID idea is greater than any particular specification.

Our recent OpenID Connect 10th anniversary sessions were:

They build upon the celebration at the OpenID Summit Tokyo 2024.

Thanks to the organizers of all these events for sponsoring the celebrations!

Standards are About Making Choices

By

On June 9, 2024

In CBOR, Claims, Cryptography, Events, FIDO, IETF, Interoperability, JSON, OAuth, OpenID, Phishing Resistance, Specifications, W3C

EIC 2024 LogoI was honored to give the keynote presentation Standards are About Making Choices at the 2024 European Identity and Cloud Conference (PowerPoint) (PDF). The abstract was:

When building machines, we take for granted being able to use nuts, bolts, wires, light bulbs, and countless other parts made to industry standards. Standards contain choices about dimensions of screw threads, nut sizes, etc., enabling a marketplace of interoperable parts from multiple suppliers. Without these choices, every part would be custom manufactured. The same is true of the identity and security standards we use to build identity systems.

However, the identity and security standards at our disposal differ wildly in the degree to which they do and don’t make choices. Some consistently define ONE way to do things, resulting in everyone doing it that way (interoperability!). Others leave critical choices unmade, passing the buck to implementers and applications (your mileage may vary).

In this talk, I’ll name names and take prisoners, critiquing existing and emerging standards through the lens of the choices they made and failed to make. Hold on to your hats as we examine the pros and cons of the choices made by OAuth, SAML, X.509, OpenID Connect, Verifiable Credentials, DIDs, WebCrypto, JOSE, COSE, and many others through this lens!

I believe you’ll agree with me that making choices matters.

The conference keynote description includes a recording of the presentation.

Thanks to MATTR for providing a designer to work with me on the presentation, enabling the visual design to transcend my usual black-text-on-white-background design style!

Powered by WordPress & Theme by Anders Norén