Mike Jones: self-issued

Musings on Digital Identity

Month: July 2025

Updates to Audience Values for OAuth 2.0 Authorization Servers

By

On July 22, 2025

In IETF, JSON, OAuth, OpenID, Security, Specifications

OAuth logoA new version of the Updates to Audience Values for OAuth 2.0 Authorization Servers specification has been published that incorporates feedback from the OAuth working group during IETF 122. I look forward to a vigorous and useful discussion of the specification at IETF 123 in Madrid.

This specification updates a set of existing OAuth specifications to address a security vulnerability identified during formal analysis of a previous version of the OpenID Federation specification. The vulnerability resulted from ambiguities in the treatment of the audience values of tokens intended for the authorization server. The updates to these specifications close that vulnerability in the affected OAuth specifications – especially JWT client authentication in RFC 7523. In parallel, the OpenID Foundation has also updated affected OpenID specifications, including OpenID Federation and FAPI 2.0.

As summarized in the history entries, the changes in this draft were:

  • Focused RFC 7523 updates on JWT client authentication case.
  • Described client responsibilities for the audience value of authorization grants. No longer mandate that the audience for authorization grants be the issuer identifier, so as to make a minimum of breaking changes.
  • Deprecated the use of SAML assertions for client authentication.

Finally, Filip Skokan was added as an author, in recognition of his significant contributions to the work. Thanks to Filip and Brian Campbell for their work with me on this specification.

JOSE and COSE HPKE specifications updated in preparation for IETF 123

By

On July 9, 2025

In CBOR, Cryptography, IETF, JSON, Specifications

IETF logoThe working group last calls for the JOSE and COSE Hybrid Public Key Encryption (HPKE) specifications resulted in actionable feedback on both specs. Both were updated to incorporate the feedback when the actions to take were clear. That said, I expect substantive discussions to occur on the few remaining issues for both specifications at IETF 123 in Madrid.

The current versions are:

The specifications entering WGLC together were:

Thanks to the work that Orie Steele, Hannes Tschofenig, and Tirumal Reddy put in over the past weeks to get us ready for IETF 123!

“Split Signing Algorithms for COSE” and “ARKG” updated in preparation for IETF 123

By

On July 9, 2025

In CBOR, Cryptography, IETF, Specifications

IETF logoEmil Lundberg and I have published the Split Signing Algorithms for COSE specification. This is an update to the spec formerly called COSE Algorithms for Two-Party Signing. The new draft incorporates feedback received during IETF 122, preparing for discussions at IETF 123 in Madrid.

As recorded in the History entries, the changes made were:

  • Renamed document from “COSE Algorithms for Two-Party Signing” to “Split signing algorithms for COSE” and updated introduction and terminology accordingly.
  • Dropped definitions for HashML-DSA, as split variants of ML-DSA are being actively discussed in other IETF groups.
  • Changed “Base algorithm” heading in definition tables to “Verification algorithm”.
  • Remodeled COSE_Key_Ref as COSE_Sign_Args.
  • Dropped definitions of reference types for COSE Key Types registry.

Emil also published an update to the Asynchronous Remote Key Generation (ARKG) specification, with some assistance from me. See the History entries there for details of the updates made. Some of the changes made were for alignment with the Split Signing Algorithms specification.

Major updates to JSON Web Proof specifications in preparation for IETF 123

By

On July 9, 2025

In CBOR, Claims, Cryptography, IETF, JSON, Privacy, Specifications

IETF logoDavid Waite and I made significant updates to the JSON Web Proof, JSON Proof Algorithms, and JSON Proof Token and CBOR Proof Token specifications in preparation for presentation and discussions in the JOSE working group at IETF 123 in Madrid. The most significant updates were:

  • Changed the Single Use algorithm representations to use a common presentation proof format for both the Compact and CBOR serializations.
  • Defined a new binary “Presentation Internal Representation” so that the holder signature protects the entire presentation.
  • Changed the MAC algorithm to directly sign the binary Combined MAC Representation rather than convert it to a JWS.
  • Added step-by-step instructions for verification of a presentation.
  • Added CBOR examples.
  • Use JSON Proof Token and CBOR Proof Token terminology.
  • Aligned media type names and added media type suffixes.
  • Removed the JSON Serialization (leaving the Compact Serialization and the CBOR Serialization).
  • Made terminology changes to make the meanings of terms more intuitive.

These changes went into the -09 and -10 drafts of the specifications. See more details in the History entries of each spec.

The current drafts are available at:

Thanks to David Waite for doing the heavy lifting to make the bulk of these architectural changes, and especially for writing the code that makes the examples real!

More SPICEyness

By

On July 9, 2025

In CBOR, Claims, IETF, Specifications

IETF logoIn April, I wrote about several useful developments in the IETF Secure Patterns for Internet CrEdentials (SPICE) working group. I’ve recently contributed to progressing several specifications in preparation for the SPICE working group meeting at IETF 123 in Madrid. Here’s a tour…

I’ve become a contributor to the Selective Disclosure CWT (SD-CWT) specification. The draft we just published in preparation for IETF 123 contains significant enhancements, including better alignment with both SD-JWT and CWT, clearer and simpler specification of the use of encryption, creation of the Verifiable Credential Type Identifiers registry, using a CBOR simple value for redacted claims, and numerous editorial improvements. See the history entry for more details. This was joint work with Rohan Mahy and Orie Steele.

I’ve become an editor of the OpenID Connect Standard Claims Registration for CBOR Web Tokens specification, along with Beltram Maldant. It creates CWT equivalents of the standard JWT claims defined by OpenID Connect. The draft we just published in preparation for IETF 123 aligns the terminology used with OpenID Connect. I believe it’s ready for working group last call.

Brent Zundel and I updated the GLobal Unique Enterprise (GLUE) Identifiers specification to fix some links and update his association to Tradeverifyd. I believe this one is also ready for working group last call.

Finally, Brent and I updated the Traceability Claims specification to tighten up many of the claim definitions. See the history entries for details.

I’m looking forward to continued progress at the SPICE meeting in two weeks!

OpenID Connect RP Metadata Choices is an Implementer’s Draft

By

On July 9, 2025

In Federation, JSON, OpenID, Specifications

OpenID logoI’m happy to report that the OpenID Connect Relying Party Metadata Choices specification has been approved by the OpenID Foundation membership as an Implementer’s Draft. An Implementer’s Draft is a stable version of a specification providing intellectual property protections to implementers of the specification.

The need for this was independently identified by Roland Hedberg and Stefan Santesson while implementing OpenID Federation. The contents of the specification were also validated by Filip Skokan, who implemented it. Filip has been added as an author.

The abstract of the specification is:

This specification extends the OpenID Connect Dynamic Client Registration 1.0 specification to enable RPs to express a set of supported values for some RP metadata parameters, rather than just single values. This functionality is particularly useful when Automatic Registration, as defined in OpenID Federation 1.0, is used, since there is no registration response from the OP to tell the RP what choices were made by the OP. This gives the OP the information that it needs to make choices about how to interact with the RP in ways that work for both parties.

Thanks to all who contributed to reaching this milestone!

Powered by WordPress & Theme by Anders Norén