The OAuth 2.0 Token Binding specification has been updated to enable Token Binding of JWT Authorization Grants and JWT Client Authentication. The discussion of phasing in Token Binding was improved and generalized. See the Document History section for other improvements applied.
Some time ago somebody had to solve this math optimization question for their studies and told me about it.
So there is a wall of height h at distance a from a very high "building", and your task, should you accept it, is to find the shortest ladder over the wall that touches both the ground and the "building". With x the distance from the wall to the foot of the ladder and y the height above the wall at which it touches the building, the function to minimize is L = sqrt((x+a)^2 + (h+y)^2). Because we know (similar triangles) that y/a = h/x, it follows that y = ah/x. Using this, the length becomes L = sqrt((x+a)^2 + (h+ah/x)^2). The location of the minimum is unchanged if we leave out the sqrt, and the derivative of (x+a)^2 + (h+ah/x)^2 is (2 (a + x) (-a h^2 + x^3))/x^3. So the minimum is at the x where this derivative equals zero, i.e. where x^3 = ah^2, and the length then is L = (a^(2/3) + h^(2/3))^3. Now the thing that I
That’s because a massive personal data extraction industry has grown up around the simple fact that our data is there for the taking. Or so it seems. To them. And their apologists.
As a result, we’re at a stage of wanton data extraction that looks kind of like the oil industry did in 1920 or so:
It’s a good metaphor, but for a horrible business. It’s a business we need to reform, replace, or both. What we need most are new industries that grow around who and what we are as individual human beings—and as a society that values
Summary: To determine whether Sovrin is decentralized, we have to ask questions about the purpose of decentralization and how Sovrin supports those purposes.
People sometimes ask "Is Sovrin decentralized?" given that it relies on a permissioned ledger. Of course, the question is raised in an attempt to determine whether or not an identity system based on a permissioned ledger can make a legitimate claim that it's self-sovereign. But whether or not a specific system is decentralized is just shorthand for the real questions. To answer the legitimacy question, we have to examine the reasons for decentralization and whether or not the system in question adequately addresses those reasons.
This excellent article from Vitalik Buterin discusses the meaning of decentralization. Vitalik gives a great breakdown of different types of decentralization, listing architectural decentralization, political decentralization, and logical decentralization.
Despite the demise of Kynetx, the platform continued to be open and available. Fuse was still running on it and my students were using it for class and research. But Fuse stopped working for good last spring when the MVNO we were using to process cellular data from the car devices shut down. And the new pico engine is working so well that we use it for everything now.
I’ve been wanting to fly on the Boeing 787 “Dreamliner” ever since I missed a chance to go on an inaugural junket aboard one before Boeing began delivery to the airlines. But I finally got my chance, three days ago, aboard United Flight 935 from London to Los Angeles.
Some context: United is my default airline by virtue of having flown 1.5 million miles with them, which has earned me some status. Specifically, I get on shorter lines, don’t get charged for bags, and have some choice about where I sit, which defaults to Economy Plus: the section of Economy that features a bit more leg room and is typically located behind business/first, now called Polaris.
I should add that I actually like United, and have had few of the bad experiences people tend to associate with big old airlines. And plenty of good ones. And not
The initial working group draft of the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been posted. It contains the same normative content as draft-jones-ace-cwt-proof-of-possession-01. The abstract of the specification is:
This specification describes how to declare in a CBOR Web Token (CWT) that the presenter of the CWT possesses a particular proof-of-possession key. Being able to prove possession of a key is also sometimes described as the presenter being a holder-of-key. This specification provides equivalent functionality to “Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)” (RFC 7800), but using CBOR and CWTs rather than JSON and JWTs.
I look forward to working with my co-authors and the working group to hopefully complete this quickly!
The “Using RSA Algorithms with CBOR Object Signing and Encryption (COSE) Messages” specification is now RFC 8230 – an IETF standard. The abstract for the specification is:
The CBOR Object Signing and Encryption (COSE) specification defines cryptographic message encodings using Concise Binary Object Representation (CBOR). This specification defines algorithm encodings and representations enabling RSA algorithms to be used for COSE messages. Encodings are specified for the use of RSA Probabilistic Signature Scheme (RSASSA-PSS) signatures, RSA Encryption Scheme – Optimal Asymmetric Encryption Padding (RSAES-OAEP) encryption, and RSA keys.
Some of these values are already being used by the sixth working draft of the W3C Web Authentication specification. In addition, the WebAuthn specification defines algorithm values for RSASSA-PKCS1-v1_5 signatures, which are used by TPMs, among other applications. The RSASSA-PKCS1-v1_5 signature algorithm values should also be registered shortly.
Thanks to Kathleen Moriarty for her Area Director sponsorship of the specification!
Synopsis—Advertising supported publishing in the offline world by sponsoring it. In the online world, advertising has been body-snatched by adtech, which tracks eyeballs via files injected into apps and browsers, then shoots those eyeballs with “relevant” ads wherever the eyeballs show up. Adtech has little or no interest in sponsoring a pub for the pub’s own worth. Worse, it encourages fake news (which is easier to produce than the real kind) and flooding the world with “content” rather than old-fashioned (and infinitely more worthwhile) editorial. When publishers agreed to funding by adtech, they sold their souls and their readers down a river full of fraud and malware, as well as indefensible manners. Fortunately, readers can bring both publishers and advertisers back into a soulful reunion. Helpfully, the GDPR makes it illegal not to, and that will be a huge issue as the deadline for compliance (next May 25th) approaches.
Summary: We can avoid security breaches that result in the loss of huge amounts of private data by creating systems that don't rely on correlatable identifiers. Sovrin is built to use non-correlatable identifiers by default while still providing all the necessary functionality we expect from an identity system.
The typical response when we hear about these security problems is "why was their security so bad?" While I don't know any specifics about Equifax's security, it's likely that their security was pretty good. But the breach still occurred. Why? Because of Sutton's Law. When Willie Sutton was asked why he robbed banks, he reputedly said "cause that's where Continue reading "Equifax and Correlatable Identifiers"
The OAuth Authorization Server Metadata specification has been updated to incorporate feedback from Security Area Director Eric Rescorla. Thanks to EKR for his useful review. A number of defaults and restrictions are now better specified.
Summary: For Sovrin to become a global, public utility that helps everyone create and manage self-sovereign identities, it must be independent and self-sustaining. This post outlines four independence milestones for Sovrin Foundation.
The idea for Sovrin-style identity and the technology behind it was developed by Evernym. To their credit, Evernym’s founders, Jason Law and Timothy Ruff, recognized that for their dream of a global identity system to become reality, they’d have to make Sovrin independent of Evernym. At present, Evernym continues to make huge contributions to Sovrin in time, code, money, and people. Our goal is to reduce these contributions, at least as a percentage of the total, over time.
Nothing challenges our understanding of infrastructure better than a crisis, and we have a big one now in Houston. We do with every giant storm, of course. New York is still recovering from Sandy and New Orleans from Katrina. Reforms and adaptations always follow, as civilization learns from experience.
Look at aviation, for example. Houston is the 4th largest city in the U.S. and George Bush International Airport (aka IAH) is a major hub for United Airlines. For the last few days traffic there has been sphinctered down to emergency flights alone. You can see how this looks on FlightAware’s Miserymap:
Go there and click on the blue play button to see how flight cancellations have played over time, and how the flood in Houston has affected Dallas as well. Click on the airport’s donut to see what routes are most affected. Frequent fliers like myself rely on tools like this
The main takeaway for me, to both Elizabeth’s piece and Jon’s book, is making clear that Google and Facebook are at the heart of today’s personal data extraction industry, and that this industry defines (as well as supports) much of our lives online.
Our data, and data about us, is the crude that Facebook and Google extract, refine and sell to advertisers. This by itself would not be a Bad Thing if it were done with our clearly expressed (rather than merely implied) permission, and if we had our own valves to control personal data flows with scale across all the companies we deal with, rather Continue reading "How the personal data extraction industry ends"
Clearly nonviolence wasn’t a thing at all until 1918, which is when Mohandas Gandhi started bringing it up. It became a big thing again in the 1960s, thanks to Martin Luther King Jr. and the civil rights movement he led during the Vietnam war.
Then, at the close of the 60s, it trailed off. Not that it ever went away, but it clearly retreated.
Here’s the part of the story that seems clearest to me, and to the late Bill Hicks:
Summary: We cannot decentralize many interesting systems without also decentralizing the identity systems upon which they rely. We're finally in a position to create truly decentralized systems for digital identity.
I go back and forth between thinking decentralization is inevitable and thinking it's just too hard. Lately, I'm optimistic because I think there's a good answer for one of the sticking points in building decentralized systems: decentralized identity.
Most interesting systems have an identity component. As Joe Andrieu says, "Identity is how we keep track of people and things and, in turn, how they keep track of us." The identity component is responsible for managing the identifiers and attributes that the system needs to function, authenticating the party making a request, and determining whether that party is authorized to make the request. But building an identity system that is usable, secure, and maximizes privacy is difficult—much harder than most Continue reading "The Case for Decentralized Identity"
A new CBOR Web Token (CWT) draft has been published that updates the diagnostic notation for embedded objects in the examples. Thanks to Samuel Erdtman for making these updates. Thanks to Carsten Bormann for reviewing the examples!
This addresses all known issues with the specification. I believe that it is now time to request publication.