Additional COSE algorithms used by W3C Web Authentication (WebAuthn)


This post is by Mike Jones from Mike Jones: self-issued






The new COSE working group charter includes this deliverable:

4. Define the algorithms needed for W3C Web Authentication for COSE using draft-jones-webauthn-cose-algorithms and draft-jones-webauthn-secp256k1 as a starting point (Informational).

I have written draft-jones-cose-additional-algorithms, which combines these starting points into a single draft, which registers these algorithms in the IANA COSE registries. When not already registered, this draft also registers these algorithms for use with JOSE in the IANA JOSE registries. I believe that this draft is ready for working group adoption to satisfy this deliverable.

The specification is available at:

An HTML-formatted version is also available at:

FIDO2 Client to Authenticator Protocol (CTAP) standard published


This post is by Mike Jones from Mike Jones: self-issued






I’m thrilled to report that the FIDO2 Client to Authenticator Protocol (CTAP) is now a published FIDO Alliance standard! Together with the now-standard Web Authentication (WebAuthn) specification, this completes standardization of the APIs and protocols needed to enable password-less logins on the Web, on PCs, and on mobile devices. This is a huge step forward for online security, privacy, and convenience!

The FIDO2 CTAP standard is available in HTML and PDF versions at these locations:

The W3C Web Authentication (WebAuthn) specification is now a standard!


This post is by Mike Jones from Mike Jones: self-issued






I’m thrilled to report that the Web Authentication (WebAuthn) specification is now a W3C standard! See the W3C press release describing this major advance in Web security and convenience, which enables logging in without passwords. Alex Simons, Microsoft Vice President of Identity Program Management is quoted in the release, saying:

“Our work with W3C and FIDO Alliance, and contributions to FIDO2 standards have been a critical piece of Microsoft’s commitment to a world without passwords, which started in 2015. Today, Windows 10 with Microsoft Edge fully supports the WebAuthn standard and millions of users can log in to their Microsoft account without using a password.”

The release also describes commitments to the standard by Google, Mozilla, and Apple, among others. Thanks to all who worked on the standard and who built implementations as we developed the standard – ensuring that the standard can be used for a broad

W3C Web Authentication (WebAuthn) advances to Proposed Recommendation (PR)


This post is by Mike Jones from Mike Jones: self-issued






The World Wide Web Consortium (W3C) has published a Proposed Recommendation (PR) for the Web Authentication (WebAuthn) specification, bringing WebAuthn one step closer to becoming a completed standard. The Proposed Recommendation is at https://www.w3.org/TR/2019/PR-webauthn-20190117/.

The PR contains only clarifications and editorial improvements to the second Candidate Recommendation (CR), with no substantial changes. The next step will be to publish a Recommendation – a W3C standard – based on the Proposed Recommendation.

Second W3C Web Authentication (WebAuthn) Candidate Recommendation (CR)


This post is by Mike Jones from Mike Jones: self-issued






W3C has published a second W3C Candidate Recommendation (CR) for the Web Authentication (WebAuthn) specification. The second Candidate Recommendation is at https://www.w3.org/TR/2018/CR-webauthn-20180807/.

This draft contains a few refinements since the first candidate recommendation but no substantial changes. The new CR was needed to fulfill the W3C’s IPR protection requirements. The few changes were based, in part, upon things learned during multiple interop events for WebAuthn implementations. The working group plans to base the coming Proposed Recommendation on this draft.

Deprecating the Password: A Progress Report


This post is by Mike Jones from Mike Jones: self-issued






I gave the well-received presentation “Deprecating the Password: A Progress Report” at the May 2018 European Identity and Cloud Conference (EIC). The presentation is available as PowerPoint (large because of the embedded video) and PDF.

The presentation abstract is:

If you ask almost anyone you meet if they have too many passwords, if they have trouble remembering their passwords, or if they are reusing the same passwords in multiple places, you’re likely to get an ear-full. People intuitively know that there has to be something better than having to have a password for everything they do!

The good news is that passwords are being used for fewer and fewer identity interactions. They are being replaced by biometrics (sign into your phone, your PC, or your bank with your face or fingerprint), local PINs (prove it’s you to your device and it does the rest), and federation (sign in with Facebook,

Mike presenting at EIC 2018

Additional RSA Algorithms for COSE Messages Registered by W3C WebAuthn


This post is by Mike Jones from Mike Jones: self-issued






The WebAuthn working group has published the “COSE Algorithms for Web Authentication (WebAuthn)” specification, which registers COSE algorithm identifiers for RSASSA-PKCS1-v1_5 signature algorithms with SHA-2 and SHA-1 hash algorithms. RSASSA-PKCS1-v1_5 with SHA-256 is used by several kinds of authenticators. RSASSA-PKCS1-v1_5 with SHA-1, while deprecated, is used by some Trusted Platform Modules (TPMs). See https://www.iana.org/assignments/cose/cose.xhtml#algorithms for the actual IANA registrations.

Thanks to John Fontana, Jeff Hodges, Tony Nadalin, Jim Schaad, Göran Selander, Wendy Seltzer, Sean Turner, and Samuel Weiler for their roles in registering these algorithm identifiers.

The specification is available at:

An HTML-formatted version is also available at:

W3C Web Authentication (WebAuthn) specification has achieved Candidate Recommendation (CR) status


This post is by Mike Jones from Mike Jones: self-issued






The W3C Web Authentication (WebAuthn) specification is now a W3C Candidate Recommendation (CR). See the specification at https://www.w3.org/TR/2018/CR-webauthn-20180320/ and my blog post announcing this result for the WebAuthn working group at https://www.w3.org/blog/webauthn/2018/03/20/candidate-recommendation/.

This milestone represents a huge step towards enabling logins to occur using privacy-preserving public/private key pairs securely held by authenticators, rather than passwords. Its contents have been informed by what we learned during several rounds of interop testing by multiple browser and authenticator vendors. The Web Authentication spec has also progressed in parallel with and been kept in sync with the FIDO2 Client To Authenticator Protocol (CTAP) specification, so that they work well together.

W3C Web Authentication (WebAuthn) specification almost a Candidate Recommendation (CR)


This post is by Mike Jones from Mike Jones: self-issued






The eighth working draft of the W3C Web Authentication (WebAuthn) specification has been published. The WebAuthn working group plans to submit this draft for approval by the W3C Director (Tim Berners-Lee) to become a W3C Candidate Recommendation (CR), after a few days’ review by the working group.

This milestone represents a huge step towards enabling logins to occur using public/private key pairs securely held by authenticators, rather than passwords. Its contents have been informed by what we learned during several rounds of interop testing by multiple browser and authenticator vendors. The Web Authentication spec has also progressed in parallel with and been kept in sync with the FIDO 2 Client To Authenticator Protocol (CTAP) specification, so that they work well together.

Seventh working draft of W3C Web Authentication (WebAuthn) specification


This post is by Mike Jones from Mike Jones: self-issued






The W3C Web Authentication working group has published the seventh working draft of the W3C Web Authentication (WebAuthn) specification. See the release page for a description of the changes since WD-06. The working group plans for the next version published to be a W3C Candidate Recommendation (CR). No breaking changes are expected between WD-07 and CR.

Sixth working draft of W3C Web Authentication specification


This post is by Mike Jones from Mike Jones: self-issued






The W3C Web Authentication working group has published the sixth working draft of the W3C Web Authentication specification. It now can request that the authenticator support user verification – meaning that it can be used as the sole or first authentication factor. It now also uses the standard CBOR COSE_Key key representation [RFC8152]. Like WD-05, implementation and interop testing for WD-06 is planned.

Twitter Markup


This post is by Axel Nennker from ignisvulpis






Twitter Cards have been around for some time now and I recently wondered how commonly used they are.

There is a nice blog post on Blogger on how to integrate them there but clearly there should be ways for e.g. newspapers to promote their reports by providing summaries and a main image and author information that is not @Twitter specific?  Microformats and schema.org to the rescue?

What does Google do? It seems that JSON-LD is the recommended format.

How would a Twitter Card look in JSON-LD?

Twitter Cards or Rich Cards or @w3c Cards?

Time to standardize!

Recent Travels Pt1: IIW


This post is by Kaliya Hamlin, Identity Woman from Identity Woman






IIW is always a whirlwind and this one was no exception. The good thing was that even with it being the biggest one yet it was the most organized with the most team members. Phil and I were the executive producers. Doc played his leadership role. Heidi did an amazing job with production coordinating the catering, working with the museum and Kas did a fabulous job leading the notes collection effort and Emma who works off site got things up on the wiki in good order.

We had a session that highlighted all the different standards bodies' standards and we are now working on getting the list annotated and plan to maintain it on the Identity Commons wiki that Jamie Clark so aptly called "the Switzerland" of identity.

We have a Satellite event for sure in DC January 17th - Registration is Live.

We are working on pulling one together in Toronto Canada in early February, and Australia in Late March.

ID Collaboration Day is February 27th in SF (we are still Venue hunting).

I am learning that some wonder why I have such strong opinions about standards...the reason being they define the landscape of possibility for any given protocol. When we talk about standards for identity we end up defining how people can express themselves in digital networks and getting it right and making the range of possibility very broad is kinda important.  If you are interested in reading more about this I recommend Protocol:  and The Exploit. This quote from Bruce Sterling relative to emerging AR [Augmented Reality] Standards.

If Code is Law then Standards are like the Senate.