Bookmarks (10)

The OpenID Connect Extended Authentication Profile (EAP) ACR Values 1.0 specification has started its 60-day review to become an OpenID Final Specification. Recent steps leading up to this were: I added Context Class definitions to the Authentication Context Class Reference Values (“acr” values) defined by the specification, which enabled me to finally register them in […]

As has become traditional, I gave the following presentation at the Monday, April 7, 2025 OpenID Workshop at Google: OpenID Connect Working Group Update (PowerPoint) (PDF) I also gave this invited “101” session presentation at the Internet Identity Workshop (IIW) on Tuesday, April 8, 2025: Introduction to OpenID Connect (PowerPoint) (PDF)

A significant event in digital identity occurred without fanfare today. Presentation Exchange was removed from the OpenID for Verifiable Presentations specification. It had once-upon-a-time been the only query language used for verifiable credential presentation. In October 2024, the Digital Credential Query Language (DCQL) was added alongside it. Today, after much discussion by the working group, […]

The FIDO Alliance has completed the CTAP 2.2 Specification. The closely-related third version of the W3C Web Authentication (WebAuthn) specification is also nearing final status; this WebAuthn Level 3 working draft is currently going through the review steps to become a W3C Recommendation. So what’s new in the third versions? Changes between CTAP 2.1 and […]

Orie Steele and I want to thank Deb Cooley for her Area Director review of the “Fully-Specified Algorithms for JOSE and COSE” specification. Addressing it simplified the exposition, while preserving the essence of what the draft accomplishes. Specifically, the resulting draft significantly simplified the fully-specified encryption description and removed the appendix on polymorphic ECDH algorithms. […]

Emil Lundberg and I have published the COSE Algorithms for Two-Party Signing specification. Its abstract is: This specification defines COSE algorithm identifiers used when the signing operation is performed cooperatively between two parties. When performing two-party signing, the first party typically hashes the data to be signed and the second party signs the hashed data […]

Vladimir Dzhuvinov and I led a discussion on The Cambrian Explosion of OAuth and OpenID Specifications at the 2025 OAuth Security Workshop in Reykjavík. The abstract for the session was: The number of OAuth and OpenID specifications continues to grow. At present there are 30 OAuth RFCs, two more in the RFC Editor queue, 13 […]

The W3C Verifiable Credentials Working Group has published a Snapshot Candidate Recommendation of the Controlled Identifiers specification. This follows the five Candidate Recommendation Snapshots published by the working group in December 2024. Two of these specifications, including Securing Verifiable Credentials using JOSE and COSE, depend upon the Controlled Identifiers spec. The planned update to the […]

Kim Cameron first told me what Digital Identity is on February 1, 2005. He said that the Internet was created without an identity layer. He encouraged me “You should come help build it with me.” I’ve been at it ever since! What I wrote about digital identity a decade ago remains as true today: An […]

The W3C Verifiable Credentials Working Group published the Snapshot Second Candidate Recommendation of the Securing Verifiable Credentials using JOSE and COSE specification just before the holidays. This was one of five Candidate Recommendation Snapshots published by the working group at the same time, including for the Verifiable Credentials Data Model 2.0, which I’m also an […]