OAuth and OpenID Connect Token Binding specs updated

The OAuth 2.0 Token Binding specification has been updated to enable Token Binding of JWT Authorization Grants and JWT Client Authentication. The discussion of phasing in Token Binding was improved and generalized. See the Document History section for other improvements applied.

The specification is available at:

An HTML-formatted version is also available at:

An update to the closely-related OpenID Connect Token Bound Authentication 1.0 specification was also simultaneously published. Its discussion of phasing in Token Binding was correspondingly updated.

The OpenID Connect Token Binding specification is available in HTML and text versions at:

Thanks to Brian Campbell for doing the bulk of the editing for both sets of revisions.

OpenID Presentations at October 16, 2017 OpenID Workshop and IIW

I gave the following presentations at the Monday, October 16, 2017 OpenID Workshop at PayPal:

I also gave the following “101” session presentation at the Internet Identity Workshop (IIW) on Tuesday, October 17th:

Boston is the Top Radio Market for Sports

So I did some research, and Boston wins, big:

Boston 11.0
Philadelphia 8.7
Minneapolis 6.9
Detroit 6.4
Middlesex-Somerset-Union, NJ 6.4
Oklahoma City 6.2
Baltimore 6.1
Nashville 5.9
New York 5.8
Pittsburgh 5.8
Kansas City 5.8
Dallas-Fort Worth 5.7
Nassau-Suffolk, NY 5.5
Chicago 5.4
San Francisco 5.4
Columbus 5.4
Atlanta 4.9
Denver 4.7
Washington DC 4.3
Buffalo 4.2
Seattle 4.0
Portland 4.0
San Jose 4.0
Cleveland 3.9
Raleigh-Durham 3.9
Indianapolis 3.8
St. Louis 3.5
Green Bay 3.5
Houston-Galveston 3.4
Phoenix 3.2
Sacramento 3.1
Memphis 2.8
Los Angeles 2.5
Tampa-St.Petersburg 2.3
San Diego 2.2
Miami 1.9
Cincinnati 1.7
Las Vegas 1.6
Orlando 1.4
Milwaukee-Racine 1.3
Charlotte 1.2
Salt Lake City Continue reading "Boston is the Top Radio Market for Sports"

Minimize Ladder Length over Wall

Some time ago somebody had to solve this math optimization question for their studies and told me about it.

So there is a wall of height h at distance a from a very high "building", and your task, should you accept it, is to find the shortest ladder that reaches over the wall from the ground to the "building".

So the function to minimize is L = sqrt((x+a)^2 + (h+y)^2), where x is the distance from the foot of the ladder to the wall and h+y is the height at which the ladder touches the building.
By similar triangles, y/a = h/x, so y = ah/x.
Using this, the length becomes L = sqrt((x+a)^2 + (h+ah/x)^2).
The location of the minimum is unchanged if we drop the sqrt, and the derivative of (x+a)^2 + (h+ah/x)^2 is (2 (a + x) (x^3 - a h^2))/x^3.
Since x > 0, the only zero is at x^3 = ah^2, i.e. x = a^(1/3) h^(2/3).
Substituting back, x + a = a^(1/3) (a^(2/3) + h^(2/3)) and h + ah/x = h^(1/3) (a^(2/3) + h^(2/3)), so L^2 = (a^(2/3) + h^(2/3))^3,
and the shortest ladder has length L = (a^(2/3) + h^(2/3))^(3/2).
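As an added check that is not part of the original post: the script below minimizes L(x) numerically with a golden-section search and compares the result with the closed form above. The helper names (ladder_length, closed_form, argmin_x, golden_section_min) and the sample values a = 4, h = 1 are my own choices for the illustration.

```python
import math


def ladder_length(x: float, a: float, h: float) -> float:
    """L(x): length of a ladder whose foot is x outside a wall of height h,
    passing over the top of the wall, with the building at distance a behind it."""
    y = a * h / x                      # similar triangles: y/a = h/x
    return math.hypot(x + a, h + y)    # sqrt((x+a)^2 + (h+y)^2)


def closed_form(a: float, h: float) -> float:
    """Shortest ladder: (a^(2/3) + h^(2/3))^(3/2)."""
    return (a ** (2 / 3) + h ** (2 / 3)) ** 1.5


def argmin_x(a: float, h: float) -> float:
    """Foot position of the shortest ladder: x^3 = a h^2."""
    return (a * h * h) ** (1 / 3)


def golden_section_min(f, lo: float, hi: float, tol: float = 1e-10):
    """Minimise a unimodal function f on [lo, hi]; returns (x, f(x))."""
    invphi = (math.sqrt(5) - 1) / 2
    c = hi - invphi * (hi - lo)
    d = lo + invphi * (hi - lo)
    while hi - lo > tol:
        if f(c) < f(d):
            hi, d = d, c
            c = hi - invphi * (hi - lo)
        else:
            lo, c = c, d
            d = lo + invphi * (hi - lo)
    x = (lo + hi) / 2
    return x, f(x)


def check(a: float, h: float) -> dict:
    """Compare the numerical minimum with the closed-form result."""
    x_num, l_num = golden_section_min(lambda x: ladder_length(x, a, h),
                                      1e-6, 100 * (a + h))
    return {
        "x_numeric": x_num,
        "x_closed": argmin_x(a, h),
        "L_numeric": l_num,
        "L_closed": closed_form(a, h),
    }


if __name__ == "__main__":
    # Sample values chosen for the illustration (a = 4, h = 1).
    for k, v in check(4.0, 1.0).items():
        print(f"{k:10s} {v:.6f}")
```

Running it shows the two lengths agreeing to many decimal places, which is also a quick way to tell the exponent 3/2 apart from a mistaken exponent 3.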
Now the thing that I
Continue reading "Minimize Ladder Length over Wall"

Data is the New Love


Personal data, that is.

Because it’s good to give away—but only if you mean it.

And it’s bad to take it, even if it seems to be there for the taking.

I bring this up because a quarter million pages (so far) on the Web say “data is the new oil.”

That’s because a massive personal data extraction industry has grown up around the simple fact that our data is there for the taking. Or so it seems. To them. And their apologists.

As a result, we’re at a stage of wanton data extraction that looks kind of like the oil industry did in 1920 or so:

It’s a good metaphor, but for a horrible business. It’s a business we need to reform, replace, or both. What we need most are new industries that grow around who and what we are as individual human beings—and as a society that values

Continue reading "Data is the New Love"

Is Sovrin Decentralized?

Summary: To determine whether Sovrin is decentralized, we have to ask questions about the purpose of decentralization and how Sovrin supports those purposes.

People sometimes ask "Is Sovrin decentralized?" given that it relies on a permissioned ledger. Of course, the question is raised in an attempt to determine whether or not an identity system based on a permissioned ledger can make a legitimate claim that it's self-sovereign. But whether or not a specific system is decentralized is just shorthand for the real questions. To answer the legitimacy question, we have to examine the reasons for decentralization and whether or not the system in question adequately addresses those reasons.

This excellent article from Vitalik Buterin discusses the meaning of decentralization. Vitalik gives a great breakdown of different types of decentralization, listing architectural decentralization, political decentralization, and logical decentralization.

Of these, logically decentralized systems are the most rare. Bitcoin and other Continue reading "Is Sovrin Decentralized?"

The 10-Year Platform: Shutting Down KRE

Summary: The original pico engine, KRE, is no more. But the ideas and capabilities of the platform live on in the new pico engine.

A few years ago, I announced on this blog that Kynetx was done. But the platform we'd created, the Kynetx Rules Engine, or KRE, lived on. Today I am announcing that KRE is dead too. We shut it down last week.

Despite the demise of Kynetx, the platform continued to be open and available. Fuse was still running on it and my students were using it for class and research. But Fuse stopped working for good last spring when the MVNO we were using to process cellular data from the car devices shut down. And the new pico engine is working so well that we use it for everything now.

KRE was started in 2007 and envisioned as a cloud-based programming platform for events. While we Continue reading "The 10-Year Platform: Shutting Down KRE"

A dark review for United’s Boeing 787

I’ve been wanting to fly on the Boeing 787 “Dreamliner” ever since I missed a chance to go on an inaugural junket aboard one before Boeing began delivery to the airlines. But I finally got my chance, three days ago, aboard United Flight 935 from London to Los Angeles.

Some context: United is my default airline by virtue of having flown 1.5 million miles with them, which has earned me some status. Specifically, I get on shorter lines, don’t get charged for bags, and have some choice about where I sit, which defaults to Economy Plus: the section of Economy that features a bit more leg room and is typically located behind business/first, now called Polaris.

I should add that I actually like United, and have had few of the bad experiences people tend to associate with big old airlines. And plenty of good ones. And not

Continue reading "A dark review for United’s Boeing 787"

Initial Working Group Draft of Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)

The initial working group draft of the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been posted. It contains the same normative content as draft-jones-ace-cwt-proof-of-possession-01. The abstract of the specification is:

This specification describes how to declare in a CBOR Web Token (CWT) that the presenter of the CWT possesses a particular proof-of-possession key. Being able to prove possession of a key is also sometimes described as the presenter being a holder-of-key. This specification provides equivalent functionality to “Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)” (RFC 7800), but using CBOR and CWTs rather than JSON and JWTs.
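As an added illustration, not code from the draft or its authors: the script below shows what proof-of-possession buys over a bearer token, using the JSON/JWT form of the same idea (RFC 7800, which the abstract says the CWT draft mirrors) so that it runs with the Python standard library and no CBOR or COSE library. The issuer puts a "cnf" claim naming a key id into an HS256 JWT; a recipient that gets the token also demands a MAC over a fresh nonce under that key, so a stolen token alone is useless. The key values, key-id string, issuer URL and the challenge/response shape are assumptions for the demo; the symmetric-key "kid" confirmation method is one of the methods RFC 7800 defines.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo keys (assumptions, not values from any specification).
ISSUER_KEY = b"as-signing-key-for-demo-only"            # HS256 key shared by issuer and recipient
POP_KEYS = {"pop-key-42": b"holder-of-key-secret-demo"}  # recipient's store of PoP keys, by kid


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_pop_token(subject: str, pop_kid: str) -> str:
    """Issuer mints an HS256 JWT whose "cnf" claim (RFC 7800) names the PoP key."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": "https://as.example", "sub": subject, "cnf": {"kid": pop_kid}}
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(claims)
    sig = hmac.new(ISSUER_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def prove_possession(pop_key: bytes, nonce: bytes) -> bytes:
    """Presenter answers the recipient's challenge with a MAC under the PoP key."""
    return hmac.new(pop_key, nonce, hashlib.sha256).digest()


def verify_presentation(token: str, nonce: bytes, proof: bytes) -> bool:
    """Recipient: verify the token signature, then the proof of possession."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(ISSUER_KEY, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return False
    claims = json.loads(b64url_decode(p))
    kid = claims.get("cnf", {}).get("kid")
    pop_key = POP_KEYS.get(kid)
    if pop_key is None:
        # No known confirmation key: refuse rather than fall back to bearer semantics.
        return False
    return hmac.compare_digest(prove_possession(pop_key, nonce), proof)


def demo() -> dict:
    token = issue_pop_token("alice", "pop-key-42")
    nonce = secrets.token_bytes(16)   # fresh per presentation, so proofs cannot be replayed
    legit = verify_presentation(token, nonce, prove_possession(POP_KEYS["pop-key-42"], nonce))
    # Attacker who exfiltrated the token but not the key cannot answer the challenge.
    stolen = verify_presentation(token, nonce, prove_possession(b"wrong-key", nonce))
    # Token whose cnf names a key the recipient does not hold is rejected outright.
    unknown = verify_presentation(issue_pop_token("alice", "no-such-kid"), nonce, b"")
    return {"legitimate": legit, "stolen_token_only": stolen, "unknown_cnf_key": unknown}


if __name__ == "__main__":
    print(demo())
```

The CWT version carries the same structure with a CBOR map and a COSE key (or key id) in place of the JSON object, and the recipient's check is the same: a token with a confirmation claim is only accepted together with evidence that the presenter holds the named key.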

I look forward to working with my co-authors and the working group to hopefully complete this quickly!

The specification is available at:

An HTML-formatted version is also available at:

“Using RSA Algorithms with CBOR Object Signing and Encryption (COSE) Messages” is now RFC 8230

The “Using RSA Algorithms with CBOR Object Signing and Encryption (COSE) Messages” specification is now RFC 8230 – an IETF standard. The abstract for the specification is:

The CBOR Object Signing and Encryption (COSE) specification defines cryptographic message encodings using Concise Binary Object Representation (CBOR). This specification defines algorithm encodings and representations enabling RSA algorithms to be used for COSE messages. Encodings are specified for the use of RSA Probabilistic Signature Scheme (RSASSA-PSS) signatures, RSA Encryption Scheme – Optimal Asymmetric Encryption Padding (RSAES-OAEP) encryption, and RSA keys.

Some of these values are already being used by the sixth working draft of the W3C Web Authentication specification. In addition, the WebAuthn specification defines algorithm values for RSASSA-PKCS1-v1_5 signatures, which are used by TPMs, among other applications. The RSASSA-PKCS1-v1_5 signature algorithm values should also be registered shortly.

Thanks to Kathleen Moriarty for her Area Director sponsorship of the specification!

Let’s get some things straight about publishing and advertising


Synopsis—Advertising supported publishing in the offline world by sponsoring it. In the online world, advertising has been body-snatched by adtech, which tracks eyeballs via files injected into apps and browsers, then shoots those eyeballs with “relevant” ads wherever the eyeballs show up. Adtech has little or no interest in sponsoring a pub for the pub’s own worth. Worse, it encourages fake news (which is easier to produce than the real kind) and flooding the world with “content” rather than old-fashioned (and infinitely more worthwhile) editorial. When publishers agreed to funding by adtech, they sold their souls and their readers down a river full of fraud and malware, as well as indefensible manners. Fortunately, readers can bring both publishers and advertisers back into a soulful reunion. Helpfully, the GDPR makes it illegal not to, and that will be a huge issue as the deadline for compliance (next May 25th) approaches.


Continue reading "Let’s get some things straight about publishing and advertising"

Equifax and Correlatable Identifiers

Summary: We can avoid security breaches that result in the loss of huge amounts of private data by creating systems that don't rely on correlatable identifiers. Sovrin is built to use non-correlatable identifiers by default while still providing all the necessary functionality we expect from an identity system.

Yesterday word broke that Equifax had suffered a data breach that resulted in 143 million identities being stolen. This is a huge deal, but not really too shocking given the rash of data breaches that have filled the news in recent years.

The typical response when we hear about these security problems is "why was their security so bad?" While I don't know any specifics about Equifax's security, it's likely that their security was pretty good. But the breach still occurred. Why? Because of Sutton's Law. When Willie Sutton was asked why he robbed banks, he reputedly said "cause that's where Continue reading "Equifax and Correlatable Identifiers"
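As an added illustration of the summary's point, and not a description of Sovrin's own mechanism: the script below contrasts a global identifier reused across relying parties (an SSN-like number) with pairwise pseudonymous identifiers derived per relying party, in the style of OpenID Connect's pairwise subject identifiers. When two databases keyed on a global identifier leak, an attacker can join them; with pairwise identifiers the join yields nothing, while each relying party still gets a stable identifier for its own accounts. The provider salt, the sector names and the sample records are constructed for the demo.

```python
import base64
import hashlib
import hmac
import secrets

# Assumed: a secret held only by the identity provider; relying parties never see it.
PROVIDER_SALT = secrets.token_bytes(32)

# Constructed sample users: (provider-local id, global SSN-like identifier).
USERS = [("alice", "123-45-6789"), ("bob", "987-65-4321"), ("carol", "555-12-3456")]


def pairwise_id(local_id: str, sector: str, salt: bytes = PROVIDER_SALT) -> str:
    """Per-relying-party identifier: HMAC over (sector, local id) keyed with the salt.
    Stable for one sector, unlinkable across sectors, and not invertible without the salt."""
    mac = hmac.new(salt, (sector + "|" + local_id).encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode("ascii")


def build_databases(use_pairwise: bool):
    """Two relying parties' user tables, keyed either on the global id or on pairwise ids."""
    bank, insurer = [], []
    for i, (local_id, ssn) in enumerate(USERS):
        bank_key = pairwise_id(local_id, "bank.example") if use_pairwise else ssn
        ins_key = pairwise_id(local_id, "insurer.example") if use_pairwise else ssn
        bank.append({"id": bank_key, "balance": 1000 * (i + 1)})
        insurer.append({"id": ins_key, "policy": f"P-{i:04d}"})
    return bank, insurer


def correlate(leak_a, leak_b):
    """What a breach attacker does: join the two stolen tables on the identifier column."""
    ids_b = {row["id"]: row for row in leak_b}
    return [{**row, **ids_b[row["id"]]} for row in leak_a if row["id"] in ids_b]


def correlatable_matches(use_pairwise: bool) -> int:
    bank, insurer = build_databases(use_pairwise)
    return len(correlate(bank, insurer))


if __name__ == "__main__":
    print("joined rows with global ids:  ", correlatable_matches(False))
    print("joined rows with pairwise ids:", correlatable_matches(True))
```

Note what is preserved: a relying party can still recognise a returning user, because pairwise_id is deterministic for its own sector; what is removed is the ability of anyone holding several relying parties' data to line those records up.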

OAuth Authorization Server Metadata spec incorporating Area Director feedback

OAuth logoThe OAuth Authorization Server Metadata specification has been updated to incorporate feedback from Security Area Director Eric Rescorla. Thanks to EKR for his useful review. A number of defaults and restrictions are now better specified.

The specification is available at:

An HTML-formatted version is also available at:

Sovrin Self-Sustainability

Summary: For Sovrin to become a global, public utility that helps everyone create and manage self-sovereign identities, it must be independent and self-sustaining. This post outlines four independence milestones for Sovrin Foundation.

The Sovrin Foundation began life about a year ago. We launched the Sovrin Network just last month. For Sovrin to achieve its goal of providing self-sovereign identity for all, the Foundation and the Network have to be independent and self-sustaining.

The idea for Sovrin-style identity and the technology behind it was developed by Evernym. To their credit, Evernym’s founders, Jason Law and Timothy Ruff, recognized that for their dream of a global identity system to become reality, they’d have to make Sovrin independent of Evernym. At present, Evernym continues to make huge contributions to Sovrin in time, code, money, and people. Our goal is to reduce these contributions, at least as a percentage of the total, over time.

Continue reading "Sovrin Self-Sustainability"

Some new ways to look at infrastructure

Nothing challenges our understanding of infrastructure better than a crisis, and we have a big one now in Houston. We do with every giant storm, of course. New York is still recovering from Sandy and New Orleans from Katrina. Reforms and adaptations always follow, as civilization learns from experience.

Look at aviation, for example. Houston is the 4th largest city in the U.S. and George Bush International Airport (aka IAH) is a major hub for United Airlines. For the last few days traffic there has been sphinctered down to emergency flights alone. You can see how this looks on FlightAware’s Miserymap:

Go there and click on the blue play button to see how flight cancellations have played over time, and how the flood in Houston has affected Dallas as well. Click on the airport’s donut to see what routes are most affected. Frequent fliers like myself rely on tools like this

Continue reading "Some new ways to look at infrastructure"

How the personal data extraction industry ends

Who Owns the Internet? — What Big Tech’s Monopoly Powers Mean for our Culture is Elizabeth Kolbert‘s review in The New Yorker of several books, one of which I’ve read: Jonathan Taplin’s Move Fast and Break Things—How Facebook, Google, and Amazon Cornered Culture and Undermined Democracy.

The main takeaway for me, to both Elizabeth’s piece and Jon’s book, is making clear that Google and Facebook are at the heart of today’s personal data extraction industry, and that this industry defines (as well as supports) much of our lives online.

Our data, and data about us, is the crude that Facebook and Google extract, refine and sell to advertisers. This by itself would not be a Bad Thing if it were done with our clearly expressed (rather than merely implied) permission, and if we had our own valves to control personal data flows with scale across all the companies we deal with, rather Continue reading "How the personal data extraction industry ends"

What happened to nonviolence?

Two graphs tell some of the story.

First is how often “nonviolence” and “non-violence” appeared in books until 2008, when Google quit keeping track:

Second is search trends for “nonviolence” and “non-violence” since 2004, which is when Google started keeping track of trends:

Clearly nonviolence wasn’t a thing at all until 1918, which is when Mohandas Gandhi started bringing it up. It became a big thing again in the 1960s, thanks to Martin Luther King Jr. and the civil rights movement he led during the Vietnam war.

Then, at the close of the 60s, it trailed off. Not that it ever went away, but it clearly retreated.


Here’s the part of the story that seems clearest to me, and to the late Bill Hicks:

Spake Bill, “We kill those people.”

I was only a year old when Gandhi was shot, so I don’t remember that one; but Continue reading "What happened to nonviolence?"



I’m blogging mostly at doc.blog these days. Just letting you know.

Nothing wrong here. Partly it’s easier there. I can just post, y’know? Like tweeting, but without the icky limits.

But mostly it’s that I see the future of blogging there, rather than on WordPress and platforms like it.

I mean, they’re fine for publishing, and I won’t stop doing that, here and in other places.

But I want to get back to blogging. Like I did in the old days at doc.weblogs.com, only for the Now we all live in.

I’ll explain more later. Right now I have an eclipse to drive to.

The Case for Decentralized Identity

Summary: We cannot decentralize many interesting systems without also decentralizing the identity systems upon which they rely. We're finally in a position to create truly decentralized systems for digital identity.

I go back and forth between thinking decentralization is inevitable and thinking it's just too hard. Lately, I'm optimistic because I think there's a good answer for one of the sticking points in building decentralized systems: decentralized identity.

Most interesting systems have an identity component. As Joe Andrieu says, "Identity is how we keep track of people and things and, in turn, how they keep track of us." The identity component is responsible for managing the identifiers and attributes that the system needs to function, authenticating the party making a request, and determining whether that party is authorized to make the request. But building an identity system that is usable, secure, and privacy-preserving is difficult—much harder than most Continue reading "The Case for Decentralized Identity"

CBOR Web Token (CWT) specification addressing all known issues

A new CBOR Web Token (CWT) draft has been published that updates the diagnostic notation for embedded objects in the examples. Thanks to Samuel Erdtman for making these updates. Thanks to Carsten Bormann for reviewing the examples!

This addresses all known issues with the specification. I believe that it is now time to request publication.

The specification is available at:

An HTML-formatted version is also available at: