What’s wrong with bots is they’re not ours

In “Chatbots were the next big thing: what happened?”, Justin Lee (@justinleejw) nicely unpacks how chatbots were overhyped to begin with and continue to fail their Turing tests, especially since humans in nearly all cases would rather talk to humans than to mechanical substitutes.

There’s also a bigger and more fundamental reason why bots still aren’t a big thing: we don’t have them. If we did, they’d be our robot assistants, going out to shop for us, to get things fixed, or to do whatever.

Why didn’t we get bots of our own?

I can pinpoint the exact time and place where bots of our own failed to happen, and all conversation and development went sideways, away from the vector that takes us to bots of our own (hashtag: #booo), and instead toward big companies doing more than ever to deal with us robotically, mostly to


Multi-Source Identity

Summary: Multi-source identity systems like Sovrin enable richer digital identity transactions that mirror the decentralized, ad hoc nature of identity in the physical world.


In the physical world, people collect and manage identity credentials from various sources including governments, financial institutions, schools, businesses, family, colleagues, and friends. They also assert information themselves. These various credentials serve different purposes. People collect them and present them in various contexts. When presented, the credential verifier is free to determine whether to trust the credential or not.

Online, identity doesn't work that way. Online identity has traditionally been single-source and built for specific purposes. Online, various, so-called "identity providers" authenticate people using usernames and passwords and provide a fixed, usually limited set of attributes about the subject of the identity transaction. The identity information from these systems is usually used within a specific, limited context. Social login allows it to be used across

OAuth Device Flow spec addressing initial IETF last call feedback

The OAuth Device Flow specification (full name “OAuth 2.0 Device Flow for Browserless and Input Constrained Devices”) has been updated to address comments received to date from the IETF last call. Thanks to William Denniss for taking the pen for this set of revisions. Changes were:

  • Added a missing definition of access_denied for use on the token endpoint.
  • Corrected text documenting which error code should be returned for expired tokens (it’s “expired_token”, not “invalid_grant”).
  • Corrected section reference to RFC 8252 (the section numbers had changed after the initial reference was made).
  • Fixed line length of one diagram (was causing xml2rfc warnings).
  • Added line breaks so the URN grant_type is presented on an unbroken line.
  • Typos fixed and other stylistic improvements.
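The two error-code items above matter most to client implementers, so here is an added example (not code from the specification or from this post) of a device-flow client's polling loop against the token endpoint: it keeps polling on authorization_pending, backs off on slow_down, and stops on access_denied or expired_token. The sample responses are constructed, and the device_code and client_id values are placeholders.

```python
from urllib.parse import urlencode

# The grant_type URN from the Device Flow specification, kept on one line.
DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"

def token_request_body(device_code: str, client_id: str) -> str:
    """Form body the client POSTs to the token endpoint on every poll."""
    return urlencode({"grant_type": DEVICE_CODE_GRANT,
                      "device_code": device_code, "client_id": client_id})

def poll_device_token(responses, interval: int = 5):
    """Drive the polling state machine over an iterable of (http_status, json_body)
    token-endpoint responses.  Returns ("ok", token_response, interval),
    ("error", error_code, interval) or ("pending", None, interval).  A real
    client sleeps `interval` seconds and re-POSTs between items."""
    for status, body in responses:
        if status == 200:
            return ("ok", body, interval)
        if status != 400:
            raise RuntimeError(f"unexpected HTTP status {status}")
        err = body.get("error")
        if err == "authorization_pending":   # user has not decided yet: keep polling
            continue
        if err == "slow_down":               # polling too fast: back off, keep polling
            interval += 5
            continue
        if err in ("access_denied", "expired_token"):
            # Terminal: the user refused, or the device_code lifetime ran out.
            # Expiry is signalled as expired_token, not invalid_grant.
            return ("error", err, interval)
        # Anything else (invalid_grant, invalid_client, ...) is a broken request.
        raise RuntimeError(f"token endpoint error {err}: {body.get('error_description')}")
    return ("pending", None, interval)

# Constructed sample exchanges (not captured from any real server).
APPROVED_FLOW = [
    (400, {"error": "authorization_pending"}),
    (400, {"error": "slow_down"}),
    (400, {"error": "authorization_pending"}),
    (200, {"access_token": "demo-access-token", "token_type": "Bearer", "expires_in": 3600}),
]
EXPIRED_FLOW = [
    (400, {"error": "authorization_pending"}),
    (400, {"error": "expired_token", "error_description": "device_code has expired"}),
]
DENIED_FLOW = [(400, {"error": "access_denied"})]
```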

The specification is available at:

An HTML-formatted version is also available at:

Wanted: Online Pubs Doing Real (and therefore GDPR-compliant) Advertising

This is what greets me when I go to the Washington Post site from here in Germany:

Washington Post greeting for Europeans

So you can see it too, wherever you are, here’s the URL I’m redirected to on Chrome, on Firefox, on Safari and on Brave. All look the same except for Brave, which shows a blank page.

Note that last item in the Premium EU Subscription column: “No on-site advertising or third-party tracking.”

Ponder for a moment how the Sunday (or any) print edition of the Post would look with no on-paper advertising. It would be woefully thin and kind of worthless-looking. Two more value-adds for advertising in the print edition:

  1. It doesn’t track readers, which is the sad and broken norm for newspapers and magazines in the online world—a norm now essentially outlawed by the GDPR, and surely the reason the Post is running this offer.
  2. It sponsors

Deprecating the Password: A Progress Report

I gave the well-received presentation “Deprecating the Password: A Progress Report” at the May 2018 European Identity and Cloud Conference (EIC). The presentation is available as PowerPoint (large because of the embedded video) and PDF.

The presentation abstract is:

If you ask almost anyone you meet if they have too many passwords, if they have trouble remembering their passwords, or if they are reusing the same passwords in multiple places, you’re likely to get an ear-full. People intuitively know that there has to be something better than having to have a password for everything they do!

The good news is that passwords are being used for fewer and fewer identity interactions. They are being replaced by biometrics (sign into your phone, your PC, or your bank with your face or fingerprint), local PINs (prove it’s you to your device and it does the rest), and federation (sign in with Facebook,


Ongoing recognition for the impact of OpenID Connect and OpenID Certification

This week the OpenID Certification program won the 2018 European Identity and Cloud Award for Best Innovation at the European Identity and Cloud (EIC) conference. This is actually the second award for the OpenID Certification program this year and only the latest in a series of awards recognizing the value and impact of OpenID Connect and certification of its implementations.

On this occasion, I thought I’d take the opportunity to recount the awards that OpenID Connect, the specifications underlying it, and its certification program have been granted. To date, they are:


OpenID Certification wins 2018 European Identity and Cloud Award

The OpenID Certification program won the 2018 European Identity and Cloud Award for Best Innovation at the European Identity and Cloud (EIC) conference. See the award announcement by the OpenID Foundation for more details. This is actually the second award this year for the OpenID Certification program.

The award recognizes that the OpenID Certification program has become a significant global force promoting high-quality, secure, interoperable OpenID Connect implementations. Its innovative use of self-certification using freely available online tools has made testing the quality of OpenID Connect implementations simple, effective, and commonplace. Thanks to Kuppinger Cole for recognizing the impact of the OpenID Certification program!

Photos from the ceremony: the EIC 2018 Award and Award Certificate; John Bradley, Mike Jones and Nat Sakimura; Don Thibeau; Don Thibeau, George Fletcher, Mike Jones, John Bradley and Nat Sakimura.

GDPR will pop the adtech bubble

In The Big Short, investor Michael Burry says “One hallmark of mania is the rapid rise in the incidence and complexity of fraud.” (Burry shorted the mania- and fraud-filled subprime mortgage market and made a mint in the process.)

One would be equally smart to bet against the mania for the tracking-based form of advertising called adtech.

Since tracking people took off in the late ’00s, adtech has grown to become a four-dimensional shell game played by hundreds (or, if you include martech, thousands) of companies, none of which can see the whole mess, or can control the fraud, malware and other forms of bad acting that thrive in the midst of it.

And that’s on top of the main problem: tracking people without their knowledge, approval or a court order is just flat-out wrong. The fact that it can be done is no excuse. Nor


Security Event Token (SET) updates addressing IESG feedback

We’ve updated the Security Event Token (SET) specification to address feedback received from Internet Engineering Steering Group (IESG) members. We’ve actually published three versions in quick succession in preparation for tomorrow’s evaluation by the IESG.

Draft -11 incorporated feedback from Security Area Director Eric Rescorla and IANA Designated Expert Ned Freed. Changes were:

  • Clarified “iss” claim language about the SET issuer versus the security subject issuer.
  • Changed a “SHOULD” to a “MUST” in the “sub” claim description to be consistent with the Requirements for SET Profiles section.
  • Described the use of the “events” claim to prevent attackers from passing off other kinds of JWTs as SETs.
  • Stated that SETs are to be signed by an issuer that is trusted to do so for the use case.
  • Added quotes in the phrase ‘“token revoked” SET to be issued’ in the Timing Issues section.
  • Added section number references to the media type
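As an added illustration (not code from the SET specification or from this post), here is a receiver-side check that applies the points above: the SET issuer named in “iss” must be one trusted to sign SETs for this use case, and a JWT without an “events” claim is refused even when its signature verifies. The issuer, key and event type URI are constructed for the demo, HS256 stands in for the signature an issuer would really use, and the typ value secevent+jwt is the one the SET media type's +jwt suffix yields.

```python
import base64, hashlib, hmac, json

# Constructed demo: SET issuers this receiver trusts, keyed to their verification keys.
TRUSTED_SET_ISSUERS = {"https://idp.example.com": b"constructed-demo-secret"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(header: dict, claims: dict, key: bytes) -> str:
    """Build a compact JWS with HS256 (stands in for the issuer's real signature)."""
    parts = [_b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims)]
    sig = hmac.new(key, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [_b64url(sig)])

def verify_set(token: str) -> dict:
    """Return the claims of an acceptable SET, or raise ValueError."""
    h, p, s = token.split(".")  # ValueError if not a three-part compact JWS
    header, claims = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p))
    # "iss" names the SET issuer (the signer), which must be trusted for this use case.
    key = TRUSTED_SET_ISSUERS.get(claims.get("iss"))
    if key is None or header.get("alg") != "HS256":
        raise ValueError("untrusted SET issuer or unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("signature check failed")
    # Explicit typing: the +jwt media type suffix gives SETs the typ value secevent+jwt.
    if header.get("typ") != "secevent+jwt":
        raise ValueError("typ is not secevent+jwt")
    # "events" is what makes a JWT a SET; an ID token from the same signer lacks it.
    if not isinstance(claims.get("events"), dict) or not claims["events"]:
        raise ValueError("missing or empty events claim: not a SET")
    if not all(c in claims for c in ("jti", "iat")):
        raise ValueError("missing jti or iat claim")
    return claims

def is_acceptable_set(token: str) -> bool:
    try:
        verify_set(token)
        return True
    except ValueError:
        return False

# Constructed samples: a genuine SET and an ID-token-like JWT signed with the same key.
_KEY = TRUSTED_SET_ISSUERS["https://idp.example.com"]
SAMPLE_SET = sign_hs256(
    {"alg": "HS256", "typ": "secevent+jwt"},
    {"iss": "https://idp.example.com", "jti": "evt-0001", "iat": 1526000000,
     "sub": "user-42", "events": {"https://example.com/events/session-revoked": {}}}, _KEY)
SAMPLE_ID_TOKEN = sign_hs256(
    {"alg": "HS256", "typ": "JWT"},
    {"iss": "https://idp.example.com", "sub": "user-42", "aud": "client-1",
     "iat": 1526000000, "exp": 1526003600}, _KEY)
```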

JWT BCP updates addressing WGLC feedback

The JSON Web Token (JWT) Best Current Practices (BCP) specification has been updated to address the Working Group Last Call (WGLC) feedback received. Thanks to Neil Madden for his numerous comments and to Carsten Bormann and Brian Campbell for their reviews.

Assuming the chairs concur, the next step should be to request publication.

The specification is available at:

An HTML-formatted version is also available at:

Day of Amazement – Technovation Calgary, 2018

Last weekend, I spent a day with an amazing set of young women.

I was invited to be the judge of the chapter of the Technovation Challenge in my hometown of Calgary, Canada. Twelve teams of teenage girls worked to conceive, pitch and build a mobile application that addressed a problem in their community. Team after team of young women hit the stage to share their vision and accomplishments, and to later give demos to the judges and the crowd. What a *great* idea this whole enterprise is! While I only had to commit a weekend, there were a ton of people who put hundreds if not thousands of hours into this opportunity. For any of you who feel like it is impossible to impact the ‘pipeline problem’, take a look at getting involved! As I understand it, Technovation is global and there might be an


“CBOR Web Token (CWT)” is now RFC 8392

The “CBOR Web Token (CWT)” specification is now RFC 8392 – an IETF standard. The abstract for the specification is:

CBOR Web Token (CWT) is a compact means of representing claims to be transferred between two parties. The claims in a CWT are encoded in the Concise Binary Object Representation (CBOR) and CBOR Object Signing and Encryption (COSE) is used for added application-layer security protection. A claim is a piece of information asserted about a subject and is represented as a name/value pair consisting of a claim name and a claim value. CWT is derived from JSON Web Token (JWT) but uses CBOR rather than JSON.
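To make the JSON-versus-CBOR difference concrete, here is an added example (not from RFC 8392 or from this post): a minimal CBOR encoder, sufficient for a CWT claims set, applied to claims modelled on the specification's example, using the integer claim keys 1 to 7 that take the place of the JWT string names. The encoder and the size comparison are additions written for this page; they assume no external CBOR library.

```python
import json

# CWT claim keys: the integer labels CBOR Web Tokens use in place of JWT claim names.
CWT_CLAIM_KEYS = {"iss": 1, "sub": 2, "aud": 3, "exp": 4, "nbf": 5, "iat": 6, "cti": 7}

def _head(major: int, n: int) -> bytes:
    """CBOR initial byte(s): 3-bit major type plus the shortest argument encoding."""
    if n < 24:
        return bytes([major << 5 | n])
    for info, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([major << 5 | info]) + n.to_bytes(size, "big")
    raise ValueError("integer too large for CBOR")

def cbor_encode(value) -> bytes:
    """Minimal CBOR encoder for the types a CWT claims set needs (no floats or tags)."""
    if isinstance(value, bool):            # bool is a subclass of int: test it first
        return b"\xf5" if value else b"\xf4"
    if isinstance(value, int):
        return _head(0, value) if value >= 0 else _head(1, -1 - value)
    if isinstance(value, bytes):
        return _head(2, len(value)) + value
    if isinstance(value, str):
        data = value.encode("utf-8")
        return _head(3, len(data)) + data
    if isinstance(value, list):
        return _head(4, len(value)) + b"".join(cbor_encode(v) for v in value)
    if isinstance(value, dict):
        return _head(5, len(value)) + b"".join(cbor_encode(k) + cbor_encode(v) for k, v in value.items())
    raise TypeError(f"unsupported type {type(value).__name__}")

def cwt_claims_set(claims: dict) -> bytes:
    """Encode a JWT-style claims dict as a CWT claims set (CBOR map with integer keys)."""
    return cbor_encode({CWT_CLAIM_KEYS[name]: v for name, v in claims.items()})

def jwt_claims_set(claims: dict) -> bytes:
    """The same claims as the JSON a JWT would carry, for a size comparison."""
    j = {("jti" if k == "cti" else k): (v.hex() if isinstance(v, bytes) else v)
         for k, v in claims.items()}
    return json.dumps(j, separators=(",", ":")).encode()

# Claims modelled on the example in the CWT specification (constructed here).
EXAMPLE_CLAIMS = {
    "iss": "coap://as.example.com", "sub": "erikw", "aud": "coap://light.example.com",
    "exp": 1444064944, "nbf": 1443944944, "iat": 1443944944, "cti": bytes.fromhex("0b71"),
}
```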

Special thanks to Erik Wahlström for starting this work and to Samuel Erdtman for doing most of the heavy lifting involved in creating correct and useful CBOR and COSE examples.

Next up – finishing “Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)”,

On our journey to deprecate the password: Public Implementation Draft of FIDO2 Client to Authenticator Protocol (CTAP) specification

I’m pleased to report that a public Implementation Draft of the FIDO2 Client to Authenticator Protocol (CTAP) specification has been published. This specification enables FIDO2 clients, such as browsers implementing the W3C Web Authentication (WebAuthn) specification, to perform authentication using pairwise public/private key pairs securely held by authenticators speaking the CTAP protocol (rather than passwords). Use of three transports for communicating with authenticators is specified in the CTAP specification: USB Human Interface Device (USB HID), Near Field Communication (NFC), and Bluetooth Smart/Bluetooth Low Energy Technology (BLE).

This specification was developed in parallel with WebAuthn, including having a number of common authors. This CTAP version is aligned with the WebAuthn Candidate Recommendation (CR) version.

The CTAP Implementation Draft is available at:

Congratulations to the members of the FIDO2 working group for reaching this important milestone. This is a major step in our journey to deprecate the password!

Additional RSA Algorithms for COSE Messages Registered by W3C WebAuthn

The WebAuthn working group has published the “COSE Algorithms for Web Authentication (WebAuthn)” specification, which registers COSE algorithm identifiers for RSASSA-PKCS1-v1_5 signature algorithms with SHA-2 and SHA-1 hash algorithms. RSASSA-PKCS1-v1_5 with SHA-256 is used by several kinds of authenticators. RSASSA-PKCS1-v1_5 with SHA-1, while deprecated, is used by some Trusted Platform Modules (TPMs). See https://www.iana.org/assignments/cose/cose.xhtml#algorithms for the actual IANA registrations.

Thanks to John Fontana, Jeff Hodges, Tony Nadalin, Jim Schaad, Göran Selander, Wendy Seltzer, Sean Turner, and Samuel Weiler for their roles in registering these algorithm identifiers.

The specification is available at:

An HTML-formatted version is also available at:

Security Event Token (SET) spec addressing additional SecDir review comments

An updated Security Event Token (SET) specification has been published to address recent review comments received. Changes were:

  • Incorporated wording improvements resulting from Russ Housley’s additional SecDir comments.
  • Registered +jwt structured syntax suffix.

The specification is available at:

An HTML-formatted version is also available at:

Well here I am!

I am officially a Microsoft employee, holy smokes. I’m pretty blown away by this initial experience… I’m sure you’ll all view what I say next according to whatever confirmation bias you bring into this — but the initial Microsoft experience is pretty spectacular, and I say this as someone who isn’t pre-conditioned to see everything with rose-colored glasses. These people take *care* of their people. I love that. I also love the charitable giving program. I don’t know if I’m allowed to describe it, but I can’t wait to max it out. I love the corporate commitment to sustainability. If you’re going to be in a bubble, it should be a self-aware bubble, right? This is an incredibly self-aware bubble, and I wouldn’t want it any other way.

My two axes of initial judgement are pretty simple — how do you treat your

Coherence and Decentralized Systems

Summary: Building decentralized systems requires more than defining a few specifications and hoping for the best. In order to thrive, decentralized systems need coherence, the social organization necessary to get otherwise independent actors to cooperate.

Coherence in Chaos

We take the Internet for granted, not realizing that such a global, decentralized system is a rare thing. Protocols, rightly, get credit, but they alone are insufficient. TCP/IP did not create the Internet. The Internet is not just a set of protocols, but rather a real thing. People and organizations created the Internet by hooking real hardware and communication lines together. To understand the importance of this, we need to understand what's necessary to create social systems like the Internet.

Social systems that are enduring, scalable, and generative require coherence among participants. Coherence allows us to manage complexity. Coherence is necessary for any group of people to cooperate. The coherence necessary to create the Internet

Building openssl for libindy and Android

Building the indy-sdk for Android is currently not supported out of the box. The underlying issue is that libindy is implemented in Rust, and the Android platform is currently not supported by that build.

To build openssl for Android on your Ubuntu system, take the following steps:
  1. Set up your build environment. Missing tools are likely to be reported by "configure", so you can install them then.
  2. Download openssl (I used version 1.0.2n) and unpack it.
  3. Set up the Android toolchain (the command line tools are enough) and an NDK standalone toolchain, e.g. for arm:
    ${NDK_HOME}/build/tools/make_standalone_toolchain.py --api 14 --arch arm --install-dir ${NDK_TOOLCHAIN_DIR}/arm --stl=libc++
    or for arm64:
    ${NDK_HOME}/build/tools/make_standalone_toolchain.py --api 21 --arch arm64 --install-dir ${NDK_TOOLCHAIN_DIR}/arm64 --stl=libc++
  4. Edit the script setenv-android.sh. I have these values:
    _ANDROID_NDK="android-ndk-r16"
    _ANDROID_EABI="arm-linux-androideabi-4.9"
    _ANDROID_ARCH=arch-arm
    _ANDROID_API="android-14"
  5. Run the script: . setenv-android.sh
  6. Run:
    ./config shared no-ssl2 no-ssl3 no-comp no-hw no-engine --openssldir=/usr/local/ssl/arm/$ANDROID_API --prefix=/usr/local/ssl/arm/$ANDROID_API
  7. Edit Makefile and add
    "--sysroot=/home/ignisvulpis/NDK_TOOLCHAIN_DIR/arm/sysroot/"
    to

Late-breaking changes to OAuth Token Exchange syntax

The syntax of two JWT claims registered by the OAuth Token Exchange specification has been changed as a result of developer feedback. Developers pointed out that the OAuth Token Introspection specification [RFC 7662] uses a “scope” string to represent scope values, whereas Token Exchange was defining an array-valued “scp” claim to represent scope values. The former also uses a “client_id” element to represent OAuth Client ID values, whereas the latter was using a “cid” claim for the same purpose.

After consulting with the working group, the OAuth Token Exchange claim names have been changed to “scope” and “client_id”. Thanks to Torsten Lodderstedt for pointing out the inconsistencies and to Brian Campbell for seeking consensus and making the updates.

The specification is available at:

An HTML-formatted version is also available at: