self-issued – Musings on Digital Identity (original) (raw)
I gave the following presentation on work in the OpenID Connect working group at the Monday, October 28, 2024 OpenID Workshop at Microsoft:
- OpenID Connect Working Group Update (PowerPoint) (PDF)
I also gave this invited “101” session presentation at the Internet Identity Workshop (IIW) on Tuesday, October 29, 2024:
- Introduction to OpenID Connect (PowerPoint) (PDF)
There’s more happening in the OpenID Connect working group than at any other time since we started the OpenID Connect work. In fact, two new specifications were adopted today!
Thanks to all who helped us get there!
I’m pleased to report that the “OAuth 2.0 Protected Resource Metadata” specification has been approved by the IESG and is now in the RFC Editor queue.
The version approved by the IESG and sent to the RFC Editor is:
It joins OAuth 2.0 Security Best Current Practice and JWT Response for OAuth Token Introspection, which are also both currently there.
Thanks to the IETF directorate reviewers and IESG members for their feedback that resulted in improvements to the specification!
Aaron Parecki and I published a new version the “OAuth 2.0 Protected Resource Metadata” specification that addresses the review comments received since the IETF Last Call. Per the history entries, the changes were:
- Added metadata values declaring support for DPoP and mutual-TLS client certificate-bound access tokens.
- Added missing word caught during IANA review.
- Addressed ART, SecDir, and OpsDir review comments by Arnt Gulbrandsen, David Mandelberg, and Bo Wu, resulting in the following changes:
- Added step numbers to sequence diagram.
- Defined meaning of omitting
bearer_methods_supported metadata
parameter. - Added internationalization of human-readable metadata values using the mechanism from [RFC7591].
- Added
resource_name
metadata parameter, parallelingclient_name
in [RFC7591]. - Added Security Considerations section on metadata caching.
- Used and referenced Resource Identifier definition.
- Added motivating example of an email client to intro.
The specification is available at:
Orie Steele and I have updated the “Fully-Specified Algorithms for JOSE and COSE” specification to incorporate feedback from IETF 120 in Vancouver. Specifically, the registrations for fully-specified Elliptic Curve Diffie-Hellman (ECDH) algorithms in draft 03 were removed, along with the previously proposed fully-specified ECDH algorithm identifiers, while continuing to describe how to create fully-specified ECDH algorithms in the future, if needed.
The specification is available at:
The OpenID Foundation has approved the Fourth Implementer’s Draft of the OpenID Federation Specification. This is a major step towards having the specification become final.
The previous Implementer’s Draft was in 2021. A lot has happened since then, largely motivated by feedback from actual implementations and deployments. Some highlights of progress made in the spec since then are:
- Changed name from OpenID Connect Federation to OpenID Federation, since Federation can be used for trust establishment for any protocol (including OpenID Connect).
- Introduced distinct Federation endpoints.
- Clearly defined and consistently used the terms Entity Statement, Entity Configuration, and Subordinate Statement.
- Clearly defined which claims can occur in which kinds of Entity Statements.
- Clearly defined Entity Types and the Federation Entity entity type.
- Enhanced description of Trust Mark issuance and usage.
- Defined relationship between metadata and metadata policy.
- Clearly defined interactions between policy operators.
- Defined where constraints may occur.
- Tightened descriptions of Automatic Registration and Explicit Registration.
- Added Historical Keys.
- Defined and used
trust_chain
JWS Header Parameter. - Allowed Trust Chains to start with non-Trust Anchors.
- Clarified use of client authentication.
- Used OAuth Protected Resource Metadata.
- Consistent error handling.
- Added General-Purpose JWT Claims section.
- Comprehensive use of content types and media types.
- IANA registration of parameters, claims, and media types.
- Added and improved many diagrams.
- Substantial rewrites for increased consistency and clarity.
- Added Giuseppe De Marco and Vladimir Dzhuvinov as editors.
As a preview of coming attractions, I’ll note that profiles of OpenID Federation are being written describing how it being used in wallet ecosystems and how it is being used in open finance ecosystems. And we’re creating a list of implementations. Watch this space for future announcements.
Special thanks to all the implementers and deployers who provided feedback to get us to this point!
Orie Steele and I have updated the “Fully-Specified Algorithms for JOSE and COSE” specification to incorporate working group last call (WGLC) feedback. Thanks to all who took the time to comment on the draft. Your feedback was exceptionally actionable and helped to substantially improve the specification. Responses to each WGLC comment thread were sent on the IETF JOSE working group mailing list.
The updated draft attempts to discuss the full range of the problems created by polymorphic algorithm identifiers. Guided by working group feedback, it strikes an engineering balance between which of these problems to fix immediately in the specification and which to describe how future specifications can fix later as the need arises.
I look forward to discussing next steps for the specification at IETF 120 in Vancouver.
The specification is available at:
The “OAuth 2.0 Protected Resource Metadata” specification has been updated to address feedback from our document shepherd Rifaat Shekh-Yusef in advance of IETF 120 in Vancouver. All changes were strictly editorial.
The specification is available at:
The CBOR Web Token (CWT) Claims in COSE Headers specification has been published as RFC 9597! This closes a gap for COSE relative to JOSE, adding the ability to use CWT claims in COSE header parameters, just as JWT claims can be used in JOSE header parameters.
The specification abstract is:
This document describes how to include CBOR Web Token (CWT) claims in the header parameters of any CBOR Object Signing and Encryption (COSE) structure. This functionality helps to facilitate applications that wish to make use of CWT claims in encrypted COSE structures and/or COSE structures featuring detached signatures, while having some of those claims be available before decryption and/or without inspecting the detached payload. Another use case is using CWT claims with payloads that are not CWT Claims Sets, including payloads that are not CBOR at all.
Special thanks to my co-author Tobias Looker, who had a use case for this functionality and wrote an RFC with me defining it (his first!). It was a pleasure working with Tobias on the draft as we navigated the ins and outs of working group feedback and IETF processes. The spec was refined by the journey we took together. And as with CBOR Object Signing and Encryption (COSE) “typ” (type) Header Parameter (now RFC 9596) that immediately preceded it, I believe the CBOR and COSE ecosystems are better for it.
The CBOR Object Signing and Encryption (COSE) “typ” (type) Header Parameter specification has been published as RFC 9596! This closes a gap for COSE relative to JOSE, adding the ability to use media types to declare the content of the complete COSE object.
The specification abstract is:
This specification adds the equivalent of the JSON Object Signing and Encryption (JOSE) “typ” (type) header parameter to CBOR Object Signing and Encryption (COSE). This enables the benefits of explicit typing (as defined in RFC 8725, “JSON Web Token Best Current Practices”) to be brought to COSE objects. The syntax of the COSE type header parameter value is the same as the existing COSE content type header parameter.
Special thanks to my co-author Orie Steele, who pointed out the gap and proposed that we close it. He was an active participant and insightful partner in making this RFC happen (his first!). The CBOR and COSE ecosystems are better for it.
We held the second and third of the three planned tenth anniversary celebrations for the completion of OpenID Connect at the 2024 Identiverse conference and European Identity and Cloud Conference. That concludes celebrations in Asia, the Americas, and Europe!
At both Identiverse and EIC, panelists included Nat Sakimura, John Bradley, and myself. Chuck Mortimore joined us at Identiverse. And Torsten Lodderstedt added his perspectives at EIC. We shared our perspectives on what led to OpenID Connect, why it succeeded, and what lessons we learned along the way.
The most common refrain throughout our descriptions was the design philosophy to “Keep simple things simple”. This was followed closely by the importance of early feedback from developers and deployers.
Chuck reached back in time to his OpenID slides from 2011. He reflected on what he was thinking at the time versus what actually happened (and why). Torsten pointed out the importance of cooperation, certification, security analysis, open standards, and an approachable community. At Identiverse, Nat reached back 25 years, examining the intellectual underpinnings and history of OpenID. And at EIC, Nat tackled assertions that OpenID Connect can be complex. John concluded by observing that the OpenID idea is greater than any particular specification.
Our recent OpenID Connect 10th anniversary sessions were:
- Identiverse: Panel PowerPoint PDF
- EIC: Panel PowerPoint PDF
They build upon the celebration at the OpenID Summit Tokyo 2024.
Thanks to the organizers of all these events for sponsoring the celebrations!
I was honored to give the keynote presentation Standards are About Making Choices at the 2024 European Identity and Cloud Conference (PowerPoint) (PDF). The abstract was:
When building machines, we take for granted being able to use nuts, bolts, wires, light bulbs, and countless other parts made to industry standards. Standards contain choices about dimensions of screw threads, nut sizes, etc., enabling a marketplace of interoperable parts from multiple suppliers. Without these choices, every part would be custom manufactured. The same is true of the identity and security standards we use to build identity systems.
However, the identity and security standards at our disposal differ wildly in the degree to which they do and don’t make choices. Some consistently define ONE way to do things, resulting in everyone doing it that way (interoperability!). Others leave critical choices unmade, passing the buck to implementers and applications (your mileage may vary).
In this talk, I’ll name names and take prisoners, critiquing existing and emerging standards through the lens of the choices they made and failed to make. Hold on to your hats as we examine the pros and cons of the choices made by OAuth, SAML, X.509, OpenID Connect, Verifiable Credentials, DIDs, WebCrypto, JOSE, COSE, and many others through this lens!
I believe you’ll agree with me that making choices matters.
The conference keynote description includes a recording of the presentation.
Thanks to MATTR for providing a designer to work with me on the presentation, enabling the visual design to transcend my usual black-text-on-white-background design style!
I gave the following presentation in the session Using Standards: Some Assembly Required at the 2024 Identiverse conference (PowerPoint) (PDF). The abstract was:
- Standards are about making choices. When building machines, we take for granted being able to use nuts, bolts, wires, light bulbs, and countless other parts made to industry standards. Standards contain choices about dimensions of screw threads, nut sizes, etc., enabling a marketplace of interoperable parts from multiple suppliers. Without these choices, every part would be custom-manufactured. The same is true of the identity and security standards we use to build the Identity Engine. However, the identity and security standards at our disposal differ wildly in the degree to which they do and don’t make choices. Some consistently define ONE way to do things, resulting in everyone doing it that way (interoperability!). Others leave critical choices unmade, passing the buck to implementers and applications (your mileage may vary). In this talk, I’ll name names and take prisoners, critiquing existing and emerging standards through the lens of the choices they made and failed to make. Hold on to your hats as we examine the pros and cons of the choices made by OAuth, SAML, X.509, OpenID Connect, Verifiable Credentials, DIDs, WebCrypto, JOSE, COSE, and many others through this lens! I believe you’ll agree with me that making choices matters.
The audience was highly engaged by the process of giving existing and emerging standards letter grades based on the choices they made (or failed to make)!
The OpenID Connect working group has started working group last call (WGLC) for a proposed Implementer’s Draft of the OpenID Federation specification. As described in the WGLC message:
OpenID Federation -35 has been published at https://openid.net/specs/openid-federation-1_0-35.html and https://openid.net/specs/openid-federation-1_0.html. This draft is being proposed as the fourth (and hopefully final) Implementer’s Draft of the specification.
An Implementer’s Draft is a stable version of a specification providing intellectual property protections to implementers of the specification. The two-week working group last call ends on Friday, May 31, 2024. Unless reasons are identified during the last call to substantially revise the specification, the 45-day OpenID Foundation-wide review of the specification for approval as an OpenID Implementer’s Draft will shortly follow.
Special thanks to all the implementers and deployers who provided feedback to get us to this point!
The Securing Verifiable Credentials using JOSE and COSE specification (a.k.a. VC-JOSE-COSE) has reached W3C Candidate Recommendation status. The Candidate Recommendation milestone is described in the W3C Process document. Please review the Candidate Recommendation of VC-JOSE-COSE. Thanks especially to Gabe Cohen, Orie Steele, and Brent Zundel for doing the hard work of getting us to this point!
Since I last wrote about this work, the W3C Verifiable Credentials Data Model (VCDM), which is also at Candidate Recommendation stage, has been narrowed to only use JSON-LD to represent credentials. VC-JOSE-COSE secures VCDM payloads with JOSE, SD-JWT, or COSE signatures. While I’m admittedly not a fan of JSON-LD, to the extent that Verifiable Credentials using the VCDM are in use, I’m committed to finishing a solid VC-JOSE-COSE specification so there is a simple, secure, standards-based way to sign these credentials.
Of course, there are lots of Verifiable Credential formats to choose from, and more on the way. Choices already existing include ISO mDoc, IETF SD-JWT, IETF JSON Web Proof (JWP), and W3C VCDM. The IETF is also planning to create a CBOR-based selective disclosure representation in the newly formed SPICE working group. It will be interesting to see how these all shake out in the marketplace!
John Bradley and I convened a session on Trust Establishment with OpenID Federation at the Internet Identity Workshop (IIW) on Thursday, April 18, 2024. The material used to drive the discussion was:
- Trust Establishment with OpenID Federation (PowerPoint) (PDF)
The session was well attended and the discussion lively. Numerous people with trust establishment problems to solve contributed, including experts from the SAML federation world, people involved in digital wallet projects, and several people already using or considering using OpenID Federation. Thanks to all who participated!
As has become traditional, I gave the following presentation at the Monday, April 15, 2024 OpenID Workshop at Google:
- OpenID Connect Working Group Update (PowerPoint) (PDF)
I also gave this invited “101” session presentation at the Internet Identity Workshop (IIW) on Tuesday, April 16, 2024:
- Introduction to OpenID Connect (PowerPoint) (PDF)
I gave a presentation on Fully-Specified Algorithms for JOSE and COSE at the 2024 OAuth Security Workshop in Rome. The slides used to update participants on the progress of the work are available as PowerPoint and PDF.
Thanks to the organizers for another great OAuth Security Workshop! And special thanks to the colleagues from Fondazione Bruno Kessler who did a great job with local arrangements in Rome!
I’m pleased to report that the COSE “typ” (type) Header Parameter Specification has been approved by the IESG and is now in the RFC Editor queue.
The version approved by the IESG and sent to the RFC Editor is:
It joins CBOR Web Token (CWT) Claims in COSE Headers in the RFC Editor queue. Because of the reference to this spec by CWT Claims in Headers, they form a cluster, and therefore will become RFCs at the same time.
My co-authors and I published updated versions of eight specifications in preparation for IETF 119 in Brisbane. The specifications span three working groups: JOSE, COSE, and OAuth. The updated specifications and outcomes when discussed at IETF 119 are as follows.
1, 2, & 3: JSON Web Proof, JSON Proof Algorithms, and JSON Proof Token. Updates were:
- Normatively defined header parameters used
- Populated IANA Considerations sections
- Allowed proof representations to contain multiple base64url-encoded parts
- Specified representation of zero-length disclosed payloads
- Added Terminology sections
- Updated to use draft-irtf-cfrg-bbs-signatures-05
- Updated to use draft-ietf-cose-bls-key-representations-04
- More and better examples
- Improvements resulting from a full proofreading
Continued reviews and feedback from implementations are requested.
4: Fully-Specified Algorithms for JOSE and COSE. Updates were:
- Published initial working group document following adoption
- Added text on fully-specified computations using multiple algorithms
- Added text on KEMs and encapsulated keys
- Updated instructions to the designated experts
It was agreed during the JOSE meeting to describe what fully-specified algorithms for ECDH would look like, for consideration by the working group.
5: OAuth 2.0 Protected Resource Metadata. Updates were:
- Switched from concatenating
.well-known
to the end of the resource identifier to inserting it between the host and path components of it - Have
WWW-Authenticate
returnresource_metadata
URL rather thanresource
identifier
It was decided to start working group last call during the OAuth meeting.
6: COSE “typ” (type) Header Parameter. Updates were:
- Added language about media type parameters
- Addressed working group last call comments
- Changed requested assignment from 14 to 16 due to conflict with a new assignment
- Addressed GENART, OPSDIR, and SECDIR review comments
This document is scheduled for the April 4, 2024 IESG telechat.
7: Barreto-Lynn-Scott Elliptic Curve Key Representations for JOSE and COSE. Updates were:
- Changed to use key type
EC
for JOSE and equivalentEC2
for COSE for uncompressed key representations - Changed identifier spellings from “Bls” to “BLS”, since these letters are people’s initials
We received feedback to not add compressed key representations to the draft.
8: Use of Hybrid Public-Key Encryption (HPKE) with JavaScript Object Signing and Encryption (JOSE). Updates were:
- Use existing
"alg": "dir"
value for HPKE Direct Encryption mode - Aligned choices more closely with those of Use of Hybrid Public-Key Encryption (HPKE) with CBOR Object Signing and Encryption (COSE)
- Defined both Integrated Encryption mode and Key Encryption mode
- Added IANA Considerations section
- Removed Post-Quantum Considerations
It was decided to start a working group call for adoption during the JOSE meeting.
Thanks to all who contributed to the progress made on these specifications, both before and during IETF 119!