http://self-issued.info/?feed=comments-rss2

Comments for Mike Jones: self-issued

Musings on Digital Identity

Last Build Date: Wed, 13 Jul 2016 10:30:56 +0000

Comment on Token Binding for Access Tokens, Refresh Tokens, and ID Tokens by Token Binding for the Apache webserver | Hans Zandbelt

Wed, 13 Jul 2016 10:30:56 +0000

[…] For 1. I added preliminary support for Token Binding in the Apache HTTP web server in a fork on GitHub here and for 2. I was able to use a nightly build of Chromium to prove that it actually works. This means that mod_auth_openidc’s session cookies can no longer be replayed outside of the original browser (without relying on obscure low-security tricks that exist today such as browser fingerprinting). I’m hoping to build out support to include “referred tokens” so that also 3rd-party issued id_tokens and OAuth 2.0 tokens can be bound to the browser/Apache server as specified by http://self-issued.info/?p=1577. […]
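
The check that binding an id_token to the browser comes down to, shown as an added example that is not part of the comment above, of mod_auth_openidc, or of the Token Binding drafts: a relying party verifies an ID token that carries a "tbh" (token binding hash) confirmation, the base64url-encoded SHA-256 of the Token Binding ID, against the Token Binding ID presented on the connection the token arrives over. The HMAC key, the issuer/subject/audience values and the two Token Binding IDs are constructed for this example; a real OP signs with its JWKS key and the IDs come from the browser's Sec-Token-Binding header.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (not real keys or Token Binding IDs). The issuer and the
# relying party share an HMAC key only so the example stays self-contained.
ISSUER_KEY = b"constructed-shared-secret-for-this-example-only"
BROWSER_A_TB_ID = b"\x02" + b"\xa1" * 65   # stands in for browser A's TokenBindingID
BROWSER_B_TB_ID = b"\x02" + b"\xb2" * 65   # a different browser's TokenBindingID


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def token_binding_hash(token_binding_id: bytes) -> str:
    """The 'tbh' confirmation value: base64url(SHA-256(Token Binding ID))."""
    return b64url(hashlib.sha256(token_binding_id).digest())


def issue_bound_id_token(claims: dict, token_binding_id: bytes) -> str:
    """Issuer side: HS256-signed JWT whose cnf.tbh commits to the presented binding."""
    header = {"alg": "HS256", "typ": "JWT"}
    bound = dict(claims, cnf={"tbh": token_binding_hash(token_binding_id)})
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(bound, separators=(",", ":")).encode()))
    sig = hmac.new(ISSUER_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_bound_id_token(token: str, presented_tb_id: bytes, now: float = None) -> dict:
    """Relying-party side: checks signature, expiry, and that the Token Binding ID
    presented on this connection matches cnf.tbh. Raises ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust alg blindly
        raise ValueError("unexpected alg")
    expected = hmac.new(ISSUER_KEY, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    tbh = (claims.get("cnf") or {}).get("tbh")
    if not isinstance(tbh, str):
        raise ValueError("token carries no token binding confirmation")
    if not hmac.compare_digest(tbh.encode("utf-8"),
                               token_binding_hash(presented_tb_id).encode("utf-8")):
        raise ValueError("token binding mismatch: replay from a different client?")
    return claims


def demo() -> dict:
    """Issue a token bound to browser A, then present it from A and from B."""
    claims = {"iss": "https://op.example", "sub": "alice", "aud": "rp-1",
              "exp": 1_700_000_600}
    token = issue_bound_id_token(claims, BROWSER_A_TB_ID)
    result = {"accepted_from_a": False, "rejected_from_b": False}
    result["accepted_from_a"] = (
        verify_bound_id_token(token, BROWSER_A_TB_ID, now=1_700_000_000)["sub"] == "alice")
    try:
        verify_bound_id_token(token, BROWSER_B_TB_ID, now=1_700_000_000)
    except ValueError as e:
        result["rejected_from_b"] = "mismatch" in str(e)
    return result


if __name__ == "__main__":
    print(demo())
```

The binding check is the last thing the verifier does, after signature and expiry, so a stolen token presented over a connection with a different Token Binding ID fails even though every other claim is valid; the "referred token" case differs only in which Token Binding ID the issuer hashed into tbh.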



Comment on The JWT, JOSE, and OAuth Assertions drafts have all been sent to the RFC Editor by JOSE – JSON Object Signing and Encryption | 007 Software

Thu, 21 Apr 2016 19:51:42 +0000

[…] JOSE standard seems to be quickly approaching the final revisions and we will most probably see more of it on the web. Implementations for most of the popular […]



Comment on W3C Web Authentication Working Group by Mike Jones

Wed, 17 Feb 2016 20:54:31 +0000

The W3C blog post about the working group formation is at https://www.w3.org/blog/news/archives/5295.



Comment on OAuth Discovery by Mike Jones: self-issued » OAuth 2.0 Mix-Up Mitigation

Mon, 11 Jan 2016 09:22:51 +0000

[…] the authorization server return the client ID and its issuer identifier (a value defined in the OAuth Discovery specification) so that the client can verify that it is using a consistent set of authorization server […]
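
A client-side implementation of that verification, as an added example that is not code from the post or from the mix-up mitigation draft: the client records which authorization server each state value was sent to, and discards an authorization response whose iss or client_id parameter disagrees with that record, which is exactly the case a mix-up attack produces. The issuer identifiers, client IDs, token endpoints and redirect URL are constructed for the example.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed authorization servers the client is registered at. In practice the
# endpoints come from OAuth Discovery metadata, keyed by the issuer identifier.
AUTH_SERVERS = {
    "https://honest-as.example": {"token_endpoint": "https://honest-as.example/token",
                                  "client_id": "rp-at-honest"},
    "https://evil-as.example":   {"token_endpoint": "https://evil-as.example/token",
                                  "client_id": "rp-at-evil"},
}


class Client:
    """An OAuth client that remembers, per state value, which AS it sent the user to."""

    def __init__(self):
        self.pending = {}   # state -> issuer identifier chosen when the request was built

    def build_authorization_request(self, issuer: str) -> str:
        state = secrets.token_urlsafe(16)
        self.pending[state] = issuer
        return state

    def handle_authorization_response(self, redirect_url: str) -> tuple:
        q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        issuer = self.pending.pop(q.get("state", ""), None)
        if issuer is None:
            raise ValueError("unknown or replayed state")
        # Mix-up mitigation: the response must name the AS that issued it, and the
        # client_id must be the one this client uses at that AS. Both must match
        # what the client recorded when it built the request.
        if q.get("iss") != issuer:
            raise ValueError(f"iss {q.get('iss')!r} != {issuer!r}: mix-up suspected, code discarded")
        if q.get("client_id") != AUTH_SERVERS[issuer]["client_id"]:
            raise ValueError("client_id mismatch: mix-up suspected, code discarded")
        if "code" not in q:
            raise ValueError("no authorization code in response")
        # Only now is it safe to send the code to the token endpoint of this issuer.
        return q["code"], AUTH_SERVERS[issuer]["token_endpoint"]


def authorization_response(issuer: str, state: str, code: str) -> str:
    """Constructed redirect, as an AS implementing the mitigation would send it."""
    params = {"code": code, "state": state, "iss": issuer,
              "client_id": AUTH_SERVERS[issuer]["client_id"]}
    return "https://rp.example/cb?" + urlencode(params)


def demo() -> dict:
    client = Client()
    # Normal flow: request sent to the honest AS, response comes back from it.
    s1 = client.build_authorization_request("https://honest-as.example")
    code, endpoint = client.handle_authorization_response(
        authorization_response("https://honest-as.example", s1, "code-123"))

    # Mix-up: the client was induced to start the flow at the attacker's AS, but the
    # user ended up authorizing at the honest AS, whose code arrives under the
    # attacker's state. Without the iss check the client would POST the honest
    # AS's code to https://evil-as.example/token, handing it to the attacker.
    s2 = client.build_authorization_request("https://evil-as.example")
    try:
        client.handle_authorization_response(
            authorization_response("https://honest-as.example", s2, "code-456"))
        mixup_blocked = False
    except ValueError:
        mixup_blocked = True
    return {"normal_endpoint": endpoint, "normal_code": code, "mixup_blocked": mixup_blocked}


if __name__ == "__main__":
    print(demo())
```

The state lookup is what makes the iss comparison meaningful: the client compares the response not against a list of issuers it trusts in general, but against the one issuer it chose for this particular request.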



Comment on JWT and JOSE are now RFCs! by Mike Jones: self-issued » CBOR Web Token (CWT)

Thu, 12 Nov 2015 20:27:17 +0000

[…] (COSE) Working group on creating a Concise Binary Object Representation (CBOR) equivalent of the JSON-based cryptographic data formats produced by the JSON Object Signing and Encryption (JOSE) Working group. I’m happy to […]



Comment on Working Group Draft for OAuth 2.0 Act-As and On-Behalf-Of by amiri-ge

Wed, 28 Oct 2015 14:53:23 +0000

I have some questions about your "OAuth 2.0 Token Exchange" draft. In section 2 the draft says "The request JWT MUST be signed by the issuer so the identity of the requesting party can be validated". And in section 2.1 it mentions that the "act_as" parameter, which is part of the request described above, "MUST contain a Security Token that is a JWT."

Here's what I find confusing: if the request is signed by the issuer, then the issuer must also populate the "act_as" property in the request. So how would the requester tell the issuer what JWT it wants in the "act_as" property?

My expectation for act-as functionality is more along these lines:

1. The requester already has some token that belongs to the identity they wish to impersonate (e.g. the requester is a back-end service that verifies the tokens).
2. The requester can use the token described above in a request to alter the scopes and conditions of the token so that it can use it to consume some other resource.
3. The requester must prove to the STS that it has the privilege to make the request.

If anything, the requester should sign the security_token_request to authenticate itself and prove that the request is legitimate. But even this seems to go against the grain of OAuth, which:

1. In general relies on the transport to provide mitigation against tampering and information disclosure.
2. Authenticates clients using their id and secret.

I would appreciate your thoughts on this matter. Perhaps there might be some way for us to connect so that we can have this discussion using a more convenient medium.



Comment on JWS Signing Input Options initial working group draft by Mike Jones: self-issued » JWS Unencoded Payload Option specification

Mon, 10 Aug 2015 04:10:20 +0000

[…] former JWS Signing Input Options specification has been renamed to JWS Unencoded Payload Option to reflect that there is now only one JWS Signing […]



Comment on JWS Signing Input Options Specification by Mike Jones: self-issued » JWS Signing Input Options initial working group draft

Thu, 23 Jul 2015 16:15:45 +0000

[…] The initial working group version of JWS Signing Input Options has been posted. It contains no normative changes from draft-jones-jose-jws-signing-input-options-00. […]
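
What the one remaining signing input option actually changes, as an added example that belongs to neither of the two pingbacks above nor to the JOSE working group's drafts: with the default (b64 true) the JWS Signing Input is base64url(header) "." base64url(payload); with "b64": false the raw payload octets follow the dot unchanged, which is why an attached unencoded payload must not contain a dot in the compact serialization and is usually detached. The HMAC key is constructed for the example; the payload $.02 and the protected header are the ones used in RFC 7797's examples.

```python
import base64
import hashlib
import hmac
import json

# Constructed HMAC key for the example; not the key from the specification's examples.
KEY = b"constructed-example-key-for-unencoded-payload-demo"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def protected_header_b64(header: dict) -> str:
    return b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))


def jws_signing_input(header: dict, payload: bytes) -> bytes:
    """JWS Signing Input per RFC 7515, or per RFC 7797 when the header has "b64": false."""
    if header.get("b64", True):
        return (protected_header_b64(header) + "." + b64url(payload)).encode("ascii")
    # Unencoded payload: the payload octets follow the dot as they are.
    return protected_header_b64(header).encode("ascii") + b"." + payload


def sign_hs256(header: dict, payload: bytes, detached: bool = False) -> str:
    """Compact serialization. An attached unencoded payload must not contain '.',
    because the consumer splits on dots; use the detached form for such payloads."""
    unencoded = not header.get("b64", True)
    if unencoded and not detached and b"." in payload:
        raise ValueError("unencoded payload contains '.'; use detached serialization")
    sig = hmac.new(KEY, jws_signing_input(header, payload), hashlib.sha256).digest()
    if detached:
        middle = ""
    else:
        middle = payload.decode("utf-8") if unencoded else b64url(payload)
    return protected_header_b64(header) + "." + middle + "." + b64url(sig)


def verify_hs256(token: str, detached_payload: bytes = None) -> bytes:
    """Returns the payload octets on success; raises ValueError otherwise."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    b64 = header.get("b64", True)
    if not b64 and "b64" not in header.get("crit", []):
        # RFC 7797 has b64 listed in crit so that a consumer that does not understand
        # it rejects the JWS instead of verifying the wrong signing input; this
        # verifier insists on it.
        raise ValueError('"b64": false must be listed in "crit"')
    if detached_payload is not None:
        if p:
            raise ValueError("both attached and detached payload supplied")
        payload = detached_payload
    else:
        payload = p.encode("utf-8") if not b64 else b64url_decode(p)
    expected = hmac.new(KEY, jws_signing_input(header, payload), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return payload


def demo() -> dict:
    payload = b"$.02"                      # the payload used in RFC 7797's examples
    standard = sign_hs256({"alg": "HS256"}, payload)
    unencoded_header = {"alg": "HS256", "b64": False, "crit": ["b64"]}
    detached = sign_hs256(unencoded_header, payload, detached=True)
    return {
        "standard": standard,
        "unencoded_detached": detached,
        "standard_ok": verify_hs256(standard) == payload,
        "detached_ok": verify_hs256(detached, detached_payload=payload) == payload,
        "signatures_differ": standard.rsplit(".", 1)[1] != detached.rsplit(".", 1)[1],
    }


if __name__ == "__main__":
    print(demo())
```

Because the signing input differs, a signature computed over the base64url-encoded payload does not verify against the unencoded form of the same payload, and vice versa; the b64 header parameter therefore has to be integrity protected, which the crit check above enforces.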



Comment on Perspectives on the OpenID Connect Certification Launch by Certification Accomplishments and Next Steps | OpenID

Wed, 06 May 2015 08:11:22 +0000

[…] granted 21 certifications covering all five defined conformance profiles. See Mike Jones’ note Perspectives on the OpenID Connect Certification Launch for reflections on what we’ve accomplished and how we got […]



Comment on Liberty Alliance SAML 2.0 Interoperability Testing Results by Mike Jones: self-issued » Perspectives on the OpenID Connect Certification Launch

Fri, 01 May 2015 05:44:35 +0000

[…] I most appreciated about the certification program was made by Eve Maler, herself a veteran of valuable certification programs past, who said “You made it as simple as possible and so every interaction added value”. High […]



Comment on 10 Years of Digital Identity! by Mike Jones: self-issued

Mon, 13 Apr 2015 14:16:57 +0000

[…] Mike Jones: self-issued » "It’s worth noting that this past week the Internet Identity Workshop held its 20th meeting. They’ve been held like clockwork every spring and fall for the past 10 years, providing an indispensable, irreplaceable venue for identity practitioners to come together and get things done. My past 10 years wouldn’t have been remotely the same without the past 10 years of IIW." 10 Years of Digital Identity! http://self-issued.info/?p=1367 […]



Comment on The JWT, JOSE, and OAuth Assertions drafts have all been sent to the RFC Editor by JOSE – JSON Object Signing and Encryption | 007 Software

Wed, 01 Apr 2015 17:30:25 +0000

[…] JOSE standard seems to be quickly approaching the final revisions and we will most probably see more of it on the web. Implementations for most of the popular […]



Comment on The JWT, JOSE, and OAuth Assertions drafts have all been sent to the RFC Editor by JOSE – JSON Object Signing and Encryption | Red Hat Security

Wed, 01 Apr 2015 13:31:35 +0000

[…] JOSE standard seems to be quickly approaching the final revisions and we will most probably see more of it on the web. Implementations for most of the popular […]



Comment on Second Release Candidates for final OpenID Connect specifications by Mike Jones: self-issued » Third Release Candidates for final OpenID Connect specifications

Sun, 15 Mar 2015 06:45:57 +0000

[…] release candidates for final OpenID Connect specifications is now available. The changes since the second release candidates have mostly been to incorporate review comments on the Discovery, Dynamic Registration, and […]



Comment on The JWT, JOSE, and OAuth Assertions drafts have all been sent to the RFC Editor by JWT and JOSE specifications approved for publication as RFCs | Pedro Félix's shared memory

Sun, 18 Jan 2015 15:20:26 +0000

[…] seems the JSON Web Token (JWT) specs are finally ready to become RFCs. I’ve written about security tokens before in the past: it was 2008, XML, SAML and WS-Security […]



Comment on Second OpenID Connect Implementer’s Drafts Approved by Mike Jones: self-issued » OpenID Connect Specs Nearing Completion

Sun, 13 Oct 2013 08:29:15 +0000

[…] a few local changes will still be made this week to address issues that have been identified since the approval of the Implementer’s Drafts, I fully expect that the working group will decide at the in-person working group meeting just over […]



Comment on WebFinger is now RFC 7033! by WebFinger 協定 | Gea-Suan Lin's BLOG

Sat, 28 Sep 2013 21:59:40 +0000

[…] In 2013, WebFinger, based on the OpenID protocol, appeared! And it has entered Standards Track status: "WebFinger is now RFC 7033!". […]



Comment on WebFinger is now RFC 7033! by Mike Jones

Sat, 28 Sep 2013 01:14:35 +0000

Also see Paul Jones' post at http://www.packetizer.com/news/39/ietf-publishes-webfinger-specification/ and Joseph Smarr's post at https://plus.google.com/u/0/+jsmarr/posts/gsEwh4YeW4k.



Comment on JOSE -14 and JWT -11 drafts with additional algorithms and examples published by Peter Bernhardt

Thu, 29 Aug 2013 12:46:50 +0000

I have a scenario where I need to represent a complex claim in a JWT. Something that might look like this in SAML: The best I can do as a JWT claims is this: "urn:oasis:names:tc:xacml:2.0:subject:role": "46255001" Do you have a recommendation for how to convey the code system used to represent the value of this claim?


