Ongoing recognition for the impact of OpenID Connect and OpenID Certification

OpenID logoThis week the OpenID Certification program won the 2018 European Identity and Cloud Award for Best Innovation at the European Identity and Cloud (EIC) conference. This is actually the second award for the OpenID Certification program this year and only the latest in a series awards recognizing the value and impact of OpenID Connect and certification of its implementations.

On this occasion, I thought I’d take the opportunity to recount the awards that OpenID Connect, the specifications underlying it, and its certification program have been granted. To date, they are:

My

Alex Simons 92% OpenID Connect
Continue reading "Ongoing recognition for the impact of OpenID Connect and OpenID Certification"

OpenID Certification wins 2018 European Identity and Cloud Award

OpenID Certified logoThe OpenID Certification program won the 2018 European Identity and Cloud Award for Best Innovation at the European Identity and Cloud (EIC) conference. See the award announcement by the OpenID Foundation for more details. This is actually the second award this year for the OpenID Certification program.

The award recognizes that the OpenID Certification program has become a significant global force promoting high-quality, secure, interoperable OpenID Connect implementations. Its innovative use of self-certification using freely available online tools has made testing the quality of OpenID Connect implementations simple, effective, and commonplace. Thanks to Kuppinger Cole for recognizing the impact of the OpenID Certification program!

EIC 2018 Award EIC 2018 Award Certificate EIC 2018 Award John Bradley, Mike Jones, Nat Sakimura EIC 2018 Award Don Thibeau EIC 2018 Award State EIC 2018 Award Don Thibeau, George Fletcher, Mike Jones, John Bradley, Nat Sakimura

GDPR will pop the adtech bubble

In The Big Short, investor Michael Burry says “One hallmark of mania is the rapid rise in the incidence and complexity of fraud.” (Burry shorted the mania- and fraud-filled subprime mortgage market and made a mint in the process.)

One would be equally smart to bet against the mania for the tracking-based form of advertising called adtech.

Since tracking people took off in the late ’00s, adtech has grown to become a four-dimensional shell game played by hundreds (or, if you include martech, thousands) of companies, none of which can see the whole mess, or can control the fraud, malware and other forms of bad acting that thrive in the midst of it.

And that’s on top of the main problem: tracking people without their knowledge, approval or a court order is just flat-out wrong. The fact that it can be done is no excuse. Nor

Continue reading "GDPR will pop the adtech bubble"

Security Event Token (SET) updates addressing IESG feedback

IETF logoWe’ve updated the Security Event Token (SET) specification to address feedback received from Internet Engineering Steering Group (IESG) members. We’ve actually published three versions in quick succession in preparation for tomorrow’s evaluation by the IESG.

Draft -11 incorporated feedback from Security Area Director Eric Rescorla and IANA Designated Expert Ned Freed. Changes were:

  • Clarified “iss” claim language about the SET issuer versus the security subject issuer.
  • Changed a “SHOULD” to a “MUST” in the “sub” claim description to be consistent with the Requirements for SET Profiles section.
  • Described the use of the “events” claim to prevent attackers from passing off other kinds of JWTs as SETs.
  • Stated that SETs are to be signed by an issuer that is trusted to do so for the use case.
  • Added quotes in the phrase ‘”token revoked” SET to be issued’ in the Timing Issues section.
  • Added section number references to the media type Continue reading "Security Event Token (SET) updates addressing IESG feedback"

JWT BCP updates addressing WGLC feedback

OAuth logoThe JSON Web Token (JWT) Best Current Practices (BCP) specification has been updated to address the Working Group Last Call (WGLC) feedback received. Thanks to Neil Madden for his numerous comments and to Carsten Bormann and Brian Campbell for their reviews.

Assuming the chairs concur, the next step should be to request publication.

The specification is available at:

An HTML-formatted version is also available at:

Day of Amazement – Technovation Calgary, 2018

Last weekend, I spent a day with an amazing set of young women.

I was invited to be the judge of the chapter of the Technovation Challenge in my hometown of Calgary, Canada.  Volunheroes - Technovation 2018Twelve teams of teenage girls worked to conceive, pitch and build a mobile application that addressed a problem in their community.  Team after team of young women hit the stage to share their vision and accomplishments, and to later give demos to the judges and the crowd.  What a *great* idea this whole enterprise is! While I only had to commit a weekend, there were a ton of people who put hundreds if not thousands of hours into this opportunity.  For any of you who feel like it is impossible to impact the ‘pipeline problem’, take a look at getting involved! As I understand it, Technovation is global and there might be an

Continue reading "Day of Amazement – Technovation Calgary, 2018"

“CBOR Web Token (CWT)” is now RFC 8392

IETF logoThe “CBOR Web Token (CWT)” specification is now RFC 8392 – an IETF standard. The abstract for the specification is:

CBOR Web Token (CWT) is a compact means of representing claims to be transferred between two parties. The claims in a CWT are encoded in the Concise Binary Object Representation (CBOR) and CBOR Object Signing and Encryption (COSE) is used for added application-layer security protection. A claim is a piece of information asserted about a subject and is represented as a name/value pair consisting of a claim name and a claim value. CWT is derived from JSON Web Token (JWT) but uses CBOR rather than JSON.

Special thanks to Erik Wahlström for starting this work and to Samuel Erdtman for doing most of the heavy lifting involved in creating correct and useful CBOR and COSE examples.

Next up – finishing “Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)”, Continue reading "“CBOR Web Token (CWT)” is now RFC 8392"

On our journey to deprecate the password: Public Implementation Draft of FIDO2 Client to Authenticator Protocol (CTAP) specification

FIDO logoI’m pleased to report that a public Implementation Draft of the FIDO2 Client to Authenticator Protocol (CTAP) specification has been published. This specification enables FIDO2 clients, such as browsers implementing the W3C Web Authentication (WebAuthn) specification, to perform authentication using pairwise public/private key pairs securely held by authenticators speaking the CTAP protocol (rather than passwords). Use of three transports for communicating with authenticators is specified in the CTAP specification: USB Human Interface Device (USB HID), Near Field Communication (NFC), and Bluetooth Smart/Bluetooth Low Energy Technology (BLE).

This specification was developed in parallel with WebAuthn, including having a number of common authors. This CTAP version is aligned with the WebAuthn Candidate Recommendation (CR) version.

The CTAP Implementation Draft is available at:

Congratulations to the members of the FIDO2 working group for reaching this important milestone. This is a major step in our journey to deprecate the password!

Additional RSA Algorithms for COSE Messages Registered by W3C WebAuthn

W3C logoThe WebAuthn working group has published the “COSE Algorithms for Web Authentication (WebAuthn)” specification, which registers COSE algorithm identifiers for RSASSA-PKCS1-v1_5 signature algorithms with SHA-2 and SHA-1 hash algorithms. RSASSA-PKCS1-v1_5 with SHA-256 is used by several kinds of authenticators. RSASSA-PKCS1-v1_5 with SHA-1, while deprecated, is used by some Trusted Platform Modules (TPMs). See https://www.iana.org/assignments/cose/cose.xhtml#algorithms for the actual IANA registrations.

Thanks to John Fontana, Jeff Hodges, Tony Nadalin, Jim Schaad, Göran Selander, Wendy Seltzer, Sean Turner, and Samuel Weiler for their roles in registering these algorithm identifiers.

The specification is available at:

An HTML-formatted version is also available at:

Security Event Token (SET) spec addressing additional SecDir review comments

IETF logoAn updated Security Event Token (SET) specification has published to address recent review comments received. Changes were:

  • Incorporated wording improvements resulting from Russ Housley’s additional SecDir comments.
  • Registered +jwt structured syntax suffix.

The specification is available at:

An HTML-formatted version is also available at:

Well here I am!

I am officially a Microsoft employee, holy smokes.  I’m pretty blown away by this initial experience… I’m sure you’ll all view what I say next according to whatever confirmation bias you bring into this — but the initial Microsoft experience is pretty spectacular, and I say this as someone who isn’t pre-conditioned to see everything with rose-colored glasses.  These people take *care* of their people.  I love that.  I also love the charitable giving program.  I don’t know if I’m allowed to describe it, but I can’t wait to max it out.  I love the corporate commitment to sustainability.  If you’re going to be in a bubble, it should be a self-aware bubble, right? This is an incredibly self-aware bubble, and I wouldn’t want it any other way.

My two axes of initial judgement are pretty simple — how do you treat your Continue reading "Well here I am!"

Coherence and Decentralized Systems

Summary: Building decentralized systems requires more than defining a few specifications and hoping for the best. In order to thrive, decentralized systems need coherence, the social organization necessary to get otherwise independent actors to cooperate.

Coherence in Chaos

We take the Internet for granted, not realizing that such a global, decentralized system is a rare thing. Protocols, rightly, get credit, but they alone are insufficient. TCP/IP did not create the Internet. The Internet is not just a set of protocols, but rather a real thing. People and organizations created the Internet by hooking real hardware and communication lines together. To understand the importance of this, we need to understand what's necessary to create social systems like the Internet.

Social systems that are enduring, scalable, and generative require coherence among participants. Coherence allows us to manage complexity. Coherence is necessary for any group of people to cooperate. The coherence necessary to create the Internet Continue reading "Coherence and Decentralized Systems"

Building openssl for libindy and Android

Building of the indy-sdk for Android is currently not supported out of the box. The underlying issue is that libindy is implemented in Rust and the Android platform is currently not supported.

To build openssl for Android on your Ubuntu system take the following steps:
  1. Setup your build environment - missing tools are likely to be noticed by "configure" so you can install them then 
  2. Download openssl (I used version 1.0.2n) and unpack it.
  3. Setup the Android toolchain (command line tools are enough) and NDK toolchain for e.g. arm
    ${NDK_HOME}/build/tools/make_standalone_toolchain.py  --api 14 --arch arm  --install-dir ${NDK_TOOLCHAIN_DIR}/arm --stl=libc++
    or for arm64
    ${NDK_HOME}/build/tools/make_standalone_toolchain.py  --api 21 --arch arm64  --install-dir ${NDK_TOOLCHAIN_DIR}/arm64 --stl=libc++
  4. Edit the script setenv-android.sh

    I have these values:
    _ANDROID_NDK="android-ndk-r16"
    _ANDROID_EABI="arm-linux-androideabi-4.9"
    _ANDROID_ARCH=arch-arm
    _ANDROID_API="android-14"
  5. Run the script '. setenv-android.sh'
  6. run this:
    ./config shared no-ssl2 no-ssl3 no-comp no-hw no-engine      --openssldir=/usr/local/ssl/arm/$ANDROID_API --prefix=/usr/local/ssl/arm/$ANDROID_API
  7. Edit Makefile and add
    "--sysroot=/home/ignisvulpis/NDK_TOOLCHAIN_DIR/arm/sysroot/"
    to
    Continue reading "Building openssl for libindy and Android"

Late-breaking changes to OAuth Token Exchange syntax

OAuth logoThe syntax of two JWT claims registered by the OAuth Token Exchange specification has been changed as a result of developer feedback. Developers pointed out that the OAuth Token Introspection specification [RFC 7662] uses a “scope” string to represent scope values, whereas Token Exchange was defining an array-valued “scp” claim to represent scope values. The former also uses a “client_id” element to represent OAuth Client ID values, whereas the latter was using a “cid” claim for the same purpose.

After consulting with the working group, the OAuth Token Exchange claim names have been changed to “scope” and “client_id”. Thanks to Torsten Lodderstedt for pointing out the inconsistencies and to Brian Campbell for seeking consensus and making the updates.

The specification is available at:

An HTML-formatted version is also available at:

OAuth Device Flow spec addressing Area Director comments

OAuth logoThe OAuth 2.0 Device Flow for Browserless and Input Constrained Devices specification has been updated to address feedback by Security Area Director Eric Rescorla about the potential of a confused deputy attack. Thanks to John Bradley for helping work out the response to Eric and to William Denniss for reviewing and publishing the changes to the draft.

The specification is available at:

An HTML-formatted version is also available at:

Security Event Token (SET) spec addressing SecDir review comments

IETF logoA new draft of the Security Event Token (SET) specification has published that addresses comments from Russ Housley, who reviewed the spec for the IETF Security Directorate (SecDir). Changes were:

  • Incorporated wording improvements resulting from Russ Housley’s SecDir comments.
  • Acknowledged individuals who made significant contributions.

The specification is available at:

An HTML-formatted version is also available at: