Mike Jones: self-issued
Musings on Digital Identity

May 4, 2022
OAuth DPoP Specification Addressing WGLC Comments

Brian Campbell has published an updated OAuth DPoP draft addressing the Working Group Last Call (WGLC) comments received. All changes were editorial in nature. The most substantive change was further clarifying that either iat or nonce can be used alone in validating the timeliness of the proof, somewhat deemphasizing jti tracking.

As Brian reminded us during the OAuth Security Workshop today, the name DPoP was inspired by a Deutsche POP poster he saw on the S-Bahn during the March 2019 OAuth Security Workshop in Stuttgart. He considered it an auspicious sign seeing another Deutsche PoP sign in the Vienna U-Bahn during IETF 113 the same day WGLC was requested!

The specification is available at:
https://tools.ietf.org/id/draft-ietf-oauth-dpop-08.html

Posted under Events & IETF & OAuth & Specifications

April 26, 2022
OpenID Presentations at April 2022 OpenID Workshop and IIW

I gave the following presentations at the Monday, April 25, 2022 OpenID Workshop at Google:
- OpenID Connect Working Group (PowerPoint) (PDF)
- OpenID Enhanced Authentication Profile (EAP) Working Group (PowerPoint) (PDF)

I also gave the following invited “101” session presentation at the Internet Identity Workshop (IIW) on Tuesday, October 1, 2019:
- Introduction to OpenID Connect (PowerPoint) (PDF)

Posted under Events & OpenID

March 5, 2022
Two new COSE- and JOSE-related Internet Drafts with Tobias Looker

This week, Tobias Looker and I submitted two individual Internet Drafts for consideration by the COSE working group.

The first is “Barreto-Lynn-Scott Elliptic Curve Key Representations for JOSE and COSE”, the abstract of which is:

This specification defines how to represent cryptographic keys for the pairing-friendly elliptic curves known as Barreto-Lynn-Scott (BLS), for use with the key representation formats of JSON Web Key (JWK) and COSE (COSE_Key).

These curves are used in Zero-Knowledge Proof (ZKP) representations for JOSE and COSE, where the ZKPs use the CFRG drafts “Pairing-Friendly Curves” and “BLS Signatures”.

The second is “CBOR Web Token (CWT) Claims in COSE Headers”, the abstract of which is:

This document describes how to include CBOR Web Token (CWT) claims in the header parameters of any COSE structure. This functionality helps to facilitate applications that wish to make use of CBOR Web Token (CWT) claims in encrypted COSE structures and/or COSE structures featuring detached signatures, while having some of those claims be available before decryption and/or without inspecting the detached payload.

JWTs define a mechanism for replicating claims as header parameter values, but CWTs have been missing the equivalent capability to date. The use case is the same as that which motivated Section 5.3 of JWT “Replicating Claims as Header Parameters” – encrypted CWTs for which you’d like to have unencrypted instances of particular claims to determine how to process the CWT prior to decrypting it.

We plan to discuss both with the COSE working group at IETF 113 in Vienna.

Posted under CBOR & Claims & IETF & JSON & Specifications

March 3, 2022
Minor Updates to OAuth DPoP Prior to IETF 113 in Vienna

The editors have applied some minor updates to the OAuth DPoP specification in preparation for discussion at IETF 113 in Vienna. Updates made were:
- Renamed the always_uses_dpop client registration metadata parameter to dpop_bound_access_tokens.
- Clarified the relationships between server-provided nonce values, authorization servers, resource servers, and clients.
- Improved other descriptive wording.

The specification is available at:
https://tools.ietf.org/id/draft-ietf-oauth-dpop-06.html

Posted under IETF & OAuth & Specifications

February 20, 2022
Four Months of Refinements to OAuth DPoP

A new draft of the OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) specification has been published that addresses four months’ worth of great review comments from the working group. Refinements made were:
- Added Authorization Code binding via the dpop_jkt parameter.
- Described the authorization code reuse attack and how dpop_jkt mitigates it.
- Enhanced the description of DPoP proof expiration checking.
- Described nonce storage requirements and how nonce mismatches and missing nonces are self-correcting.
- Specified the use of the use_dpop_nonce error for missing and mismatched nonce values.
- Specified that authorization servers use 400 (Bad Request) errors to supply nonces and resource servers use 401 (Unauthorized) errors to do so.
- Added a bit more about ath and pre-generated proofs to the security considerations.
- Mentioned confirming the DPoP binding of the access token in the draft’s list of proof checks (its “Checking DPoP Proofs” section).
- Added the always_uses_dpop client registration metadata parameter.
- Described the relationship between DPoP and Pushed Authorization Requests (PAR).
- Updated references for drafts that are now RFCs.

I believe this brings us much closer to a final version.

The specification is available at:
https://tools.ietf.org/id/draft-ietf-oauth-dpop-05.html

Posted under IETF & OAuth & Specifications

February 15, 2022
JWK Thumbprint URI Draft Addressing Working Group Last Call Comments

Kristina Yasuda and I have published an updated JWK Thumbprint URI draft that addresses the OAuth Working Group Last Call
(WGLC) comments received. Changes made were:
- Added security considerations about multiple public keys corresponding to the same private key.
- Added a hash algorithm identifier after the JWK thumbprint URI prefix to make it explicit in a URI which hash algorithm is used.
- Added a reference to a registry for hash algorithm identifiers.
- Added SHA-256 as a mandatory-to-implement hash algorithm to promote interoperability.
- Acknowledged WGLC reviewers.

The specification is available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-jwk-thumbprint-uri-01.html

Posted under Cryptography & IETF & OAuth & OpenID & Specifications

January 29, 2022
Working Group Adoption of the JWK Thumbprint URI Specification

The IETF OAuth working group has adopted the JWK Thumbprint URI specification. The abstract of the specification is:

This specification registers a kind of URI that represents a JSON Web Key (JWK) Thumbprint value. JWK Thumbprints are defined in RFC 7638. This enables JWK Thumbprints to be used, for instance, as key identifiers in contexts requiring URIs.

The need for this arose during specification work in the OpenID Connect working group. In particular, JWK Thumbprint URIs are used as key identifiers that can be syntactically distinguished from other kinds of identifiers also expressed as URIs in the Self-Issued OpenID Provider v2 specification.

Given that the specification does only one simple thing in a straightforward manner, we believe that it is ready for working group last call.

The specification is available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-jwk-thumbprint-uri-00.html

Posted under Cryptography & IETF & OAuth & OpenID & Specifications

January 12, 2022
Described more of the motivations for the JWK Thumbprint URI specification

As requested by the chairs during today’s OAuth Virtual Office Hours call, Kristina Yasuda and I have updated the JWK Thumbprint URI specification to enhance the description of the motivations for the specification. In particular, it now describes using JWK Thumbprint URIs as key identifiers that can be syntactically distinguished from other kinds of identifiers also expressed as URIs. It is used this way in the Self-Issued OpenID Provider v2 specification, for instance. No normative changes were made.

As discussed on the call, we are requesting that the chairs use this new draft as the basis for a call for working group adoption.

The specification is available at:
https://www.ietf.org/archive/id/draft-jones-oauth-jwk-thumbprint-uri-01.html

Posted under Cryptography & IETF & OAuth & OpenID & Specifications

January 1, 2022
Computing Archaeology Expedition: The First Smiley :-)

In September 1982, artificial intelligence professor Scott Fahlman made a post on the Carnegie Mellon Computer Science Department “general” bboard inventing the original smiley :-). I remember thinking at the time when I read it “what a good idea!”. But in 2002 when I told friends about it, I couldn’t find Scott’s post online anywhere.

So in 2002, I led a computing archaeology expedition to restore his post. As described in my original post describing this accomplishment, after a significant effort to locate it, on September 10, 2002 the original post made by Scott Fahlman on the CMU CS general bboard was retrieved by Jeff Baird from an October 1982 backup tape of the spice vax (cmu-750x). Here is Scott’s original post:

19-Sep-82 11:44    Scott E  Fahlman             :-)
From: Scott E Fahlman

I propose that the following character sequence for joke markers:

:-)

Read it sideways.  Actually, it is probably more economical to mark
things that are NOT jokes, given current trends.
For this, use

:-(

I’m reposting this here now both to re-commemorate the accomplishment nearly twenty years later, and because my page at Microsoft Research where it was originally posted is no longer available.

Posted under History & People

December 20, 2021
Identity, Unlocked Podcast: OpenID Connect with Mike Jones

I had a fabulous time talking with my friend Vittorio Bertocci while recording the podcast Identity, Unlocked: OpenID Connect with Mike Jones. We covered a lot of ground in 43:29 – protocol design ground, developer ground, legal ground, and just pure history.

As always, people were a big part of the story. Two of my favorite parts are talking about how Kim Cameron brought me into the digital identity world to build the Internet’s missing identity layer (2:00-2:37) and describing how we applied the “Nov Matake Test” when thinking about keeping OpenID Connect simple (35:16-35:50).

Kim, I dedicate this podcast episode to you!

Posted under Information Cards & OpenID & People

December 19, 2021
Stories of Kim Cameron

Since Kim’s passing, I’ve been reflecting on his impact on my life and remembering some of the things that made him special. Here are a few stories I’d like to tell in his honor.

Kim was more important to my career and life than most people know. Conversations with him in early 2005 led me to leave Microsoft Research and join his quest to “Build the Internet’s missing identity layer” – a passion that still motivates me to this day.

Within days of me joining the identity quest, Kim asked me to go with him to the first gathering of the Identity Gang at PC Forum in Scottsdale, Arizona. Many of the people that I met there remain important in my professional and personal life! The first Internet Identity Workshop soon followed.

Kim taught me a lot about building positive working relationships with others. Early on, he told me to always try to find something nice to say to others. Showing his devious sense of humor, he said “Even if you are sure that their efforts are doomed to fail because of fatal assumptions on their part, you can at least say to them ‘You’re working on solving a really important problem!’ :-)” He modelled by example that consensus is much easier to achieve when you make allies rather than enemies. And besides, it’s a lot more fun for everyone that way!

Kim was always generous with his time and hospitality and lots of fun to be around. I remember him and Adele inviting visitors from Deutsche Telekom to their home overlooking the water in Bellevue. He organized a night at the opera for identity friends in Munich. He took my wife Becky, Tony Nadalin, and me out to dinner at his favorite restaurant in Paris, La Coupole. He and Adele were the instigators behind many a fun evening. He had a love of life beyond compare!

At one point in my career, I was hoping to switch to a manager more supportive of my passion for standards work, and asked Kim if I could work for him. I’ll always remember his response: “Having you work for me would be great, because I wouldn’t have to manage you. But the problem is that then they’d make me have others work for me too. Managing people would be the death of me!”

This blog exists because Kim encouraged me to blog.

I once asked Kim why there were so many Canadians working in digital identity. He replied: “Every day as a Canadian, you think ‘What is it that makes me uniquely Canadian, as opposed to being American?’ Whereas Americans never give it a thought. Canadians are always thinking about identity.”

Kim was a visionary and a person of uncommon common sense. His Information Card paradigm was ahead of its time. For instance, the “selecting cards within a wallet” metaphor that Windows CardSpace introduced is now widespread – appearing in platform and Web account selectors, as well as emerging “self-sovereign identity” wallets, containing digital identities that you control. The demos people are giving now sure look a lot like InfoCard demos from back in the day!

Kim was a big believer in privacy and giving people control over their own data (see the Laws of Identity). He championed the effort for Microsoft to acquire and use the U-Prove selective disclosure technology, and to make it freely available for others to use.

Kim was hands-on. To get practical experience with OpenID Connect, he wrote a complete OpenID Provider in 2018 and even got it certified! You can see the certification entry at https://openid.net/certification/ for the “IEF Experimental Claimer V0.9” that he wrote.

Kim was highly valued by Microsoft’s leaders (and many others!). He briefly retired from Microsoft most of a decade ago, only to have the then-Executive Vice President of the Server and Tools division, Satya Nadella, immediately seek him out and ask him what it would take to convince him to return. Kim made his asks, the company agreed to them, and he was back within about a week. One of his asks resulted in the AAD business-to-customer (B2C) identity service in production use today. He also used to have regular one-on-ones with Bill Gates.

Kim wasn’t my mentor in any official capacity, but he was indeed my mentor in fact. I believe he saw potential in me and chose to take me under his wing and help me develop in oh so many ways. I’ll always be grateful for that, and most of all, for his friendship.

In September 2021 at the European Identity and Cloud (EIC) conference in Munich, Jackson Shaw and I remarked to each other that neither of us had heard from Kim in a while. I reached out to him, and he responded that his health was failing, without elaborating. Kim and I talked for a while on the phone after that. He encouraged me that the work we are doing now is really important, and to press forward quickly.

On October 25, 2021, Vittorio Bertocci organized an informal CardSpace team reunion in Redmond. Kim wished he could come but his health wasn’t up to travelling. Determined to include him in a meaningful way, I called him on my phone during the reunion and Kim spent about a half hour talking to most of the ~20 attendees in turn. They shared stories and laughed! As Vittorio said to me when we learned of his passing, we didn’t know then that we were saying goodbye.

P.S. Here are a few of my favorite photos from the first event that Kim included me in. All images are courtesy of Doc Searls. Each photo links to the original.

Posted under Events & Information Cards & People & Windows CardSpace

December 12, 2021
OpenID Presentations at December 2021 OpenID Virtual Workshop

I gave the following presentations at the Thursday, December 9, 2021 OpenID Virtual Workshop:
- OpenID Connect Working Group (PowerPoint) (PDF)
- OpenID Enhanced Authentication Profile (EAP) Working Group (PowerPoint) (PDF)

Posted under Events & OpenID

November 24, 2021
JWK Thumbprint URI Specification

The JSON Web Key (JWK) Thumbprint specification [RFC 7638] defines a method for computing a hash value over a JSON Web Key (JWK) [RFC 7517] and encoding that hash in a URL-safe manner. Kristina Yasuda and I have just created the JWK Thumbprint URI specification, which defines how to represent JWK Thumbprints as URIs. This enables JWK Thumbprints to be communicated in contexts requiring URIs, including in specific JSON Web Token (JWT) [RFC 7519] claims.

Use cases for this specification were developed in the OpenID Connect Working Group of the OpenID Foundation.
Specifically, its use is planned in future versions of the Self-Issued OpenID Provider v2 specification.

The specification is available at:
https://www.ietf.org/archive/id/draft-jones-oauth-jwk-thumbprint-uri-00.html

Posted under Cryptography & IETF & OAuth & OpenID & Specifications

October 21, 2021
OpenID and FIDO Presentation at October 2021 FIDO Plenary

I described the relationship between OpenID and FIDO during the October 21, 2021 FIDO Alliance plenary meeting, including how OpenID Connect and FIDO are complementary. In particular, I explained that using WebAuthn/FIDO authenticators to sign into OpenID Providers brings phishing resistance to millions of OpenID Relying Parties without them having to do anything!

The presentation was:
- OpenID and FIDO (PowerPoint) (PDF)

Posted under Events & FIDO & OpenID & Phishing Resistance

October 13, 2021
Proof-of-possession (pop) AMR method added to OpenID Enhanced Authentication Profile spec

I’ve defined an Authentication Method Reference (AMR) value called “pop” to indicate that Proof-of-possession of a key was performed. Unlike the existing “hwk” (hardware key) and “swk” (software key) methods, it is intentionally unspecified whether the proof-of-possession key is hardware-secured or software-secured. Among other use cases, this AMR method is applicable whenever a WebAuthn or FIDO authenticator is used.

The specification is available at these locations:
https://openid.net/specs/openid-connect-eap-acr-values-1_0-01.html
https://openid.net/specs/openid-connect-eap-acr-values-1_0.html

Thanks to Christiaan Brand for suggesting this.

Posted under FIDO & OpenID & Phishing Resistance & Specifications & W3C

October 12, 2021
OpenID Connect Presentation at IIW XXXIII

I gave the following invited “101” session presentation at the 33rd Internet Identity Workshop (IIW) on Tuesday, October 12, 2021:
- Introduction to OpenID Connect (PowerPoint) (PDF)

The session was well attended. There was a good discussion about the use of passwordless authentication with OpenID Connect.

Posted under Events & OpenID

October 6, 2021
Server-contributed nonces added to OAuth DPoP

The latest version of the “OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)” specification adds an option for servers to supply a nonce value to be included in the DPoP proof. Both authorization servers and resource servers can provide nonce values to clients.

As described in the updated Security Considerations, the nonce prevents a malicious party in control of the client (who might be a legitimate end-user) from pre-generating DPoP proofs to be used in the future and exfiltrating them to a machine without the DPoP private key. When server-provided nonces are used, actual possession of the proof-of-possession key is being demonstrated — not just possession of a DPoP proof.

The specification is available at:
https://tools.ietf.org/id/draft-ietf-oauth-dpop-04.html

Posted under IETF & OAuth & Specifications

September 14, 2021
OpenID Connect Presentation at 2021 European Identity and Cloud (EIC) Conference

I gave the following presentation on the OpenID Connect Working Group during the September 13, 2021 OpenID Workshop at the 2021 European Identity and Cloud (EIC) conference. As I noted during the talk, this is an exciting time for OpenID Connect; there’s more happening now than at any time since the original OpenID Connect specs were created!
- OpenID Connect Working Group (PowerPoint) (PDF)

Posted under Events & OpenID

August 21, 2021
OAuth 2.0 JWT-Secured Authorization Request (JAR) is now RFC 9101

The OAuth 2.0 JWT-Secured Authorization Request (JAR) specification has been published as RFC 9101. Among other applications, this specification is used by the OpenID Financial-grade API (FAPI). This is another in the series of RFCs bringing OpenID Connect-defined functionality to OAuth 2.0.
Previous such RFCs included “OAuth 2.0 Dynamic Client Registration Protocol” [RFC 7591] and “OAuth 2.0 Authorization Server Metadata” [RFC 8414].

The abstract of the RFC is:

The authorization request in OAuth 2.0 described in RFC 6749 utilizes query parameter serialization, which means that authorization request parameters are encoded in the URI of the request and sent through user agents such as web browsers. While it is easy to implement, it means that a) the communication through the user agents is not integrity protected and thus, the parameters can be tainted, b) the source of the communication is not authenticated, and c) the communication through the user agents can be monitored. Because of these weaknesses, several attacks to the protocol have now been put forward.

This document introduces the ability to send request parameters in a JSON Web Token (JWT) instead, which allows the request to be signed with JSON Web Signature (JWS) and encrypted with JSON Web Encryption (JWE) so that the integrity, source authentication, and confidentiality properties of the authorization request are attained. The request can be sent by value or by reference.

Thanks to Nat Sakimura and John Bradley for persisting in finishing this RFC!

Posted under Claims & IETF & JSON & OAuth & OpenID & Specifications

June 23, 2021
Second Version of FIDO2 Client to Authenticator Protocol (CTAP) Now a Standard

The FIDO Alliance has completed the CTAP 2.1 Specification. This follows the publication of the closely-related second version of the W3C Web Authentication (WebAuthn) specification.

Today’s FIDO Alliance announcement describes the enhancements in the second version as follows:

Enhancements to FIDO standards to accelerate passwordless in the enterprise

The FIDO Alliance has announced enhancements to its FIDO2 specifications, which include several new features that will be helpful for passwordless enterprise deployments and other complex security applications.
Both FIDO2 specifications were recently updated by their governing bodies – with the World Wide Web Consortium (W3C) approving WebAuthn Level 2 and FIDO doing the same for CTAP 2.1.

Key to these enhancements is enterprise attestation, which provides enterprise IT with improved management of FIDO authenticators used by employees. Enterprise attestation enables better binding of an authenticator to an account, assists with usage tracking and other management functions including credential and pin management, and biometric enrollment required in the enterprise.

Other updates include support for cross-origin iFrames and Apple attestation, as well as improvements to resident credentials. More details on these and other FIDO specification enhancements are available here.

Posted under Cryptography & FIDO & Phishing Resistance & Privacy & Specifications
Copyright © 2022 Mike Jones: self-issued.