How to make OAuth secure in the future: OAuth Security Workshop 2017
I gave a presentation at the OAuth Security Workshop 2017 (July 7, 2017). Since Professor Basin (ETH Zurich) and Professor Cremers (Oxford University) were there, I took the opportunity to present a paper based on theirs, which I recklessly used as a basis for my presentation on RFC14…
We will be appearing at API Days Paris with a talk entitled "Financial Grade OAuth and OpenID Connect"
API Days 1200, a conference with 2016 participants, will be held on December 12th and 13th at Tapis Rouge in Paris. The catchphrase is "API automation for IT, business, and society as a whole." I was at the "WORKSHOP CA" in the afternoon of the first day to give a talk on "Operation..."
JSON Web Key (JWK) Thumbprint was published as RFC 7638.
"JSON Web Key (JWK) Thumbprint", in which Mike Jones and I are credited as co-authors, has been published as [RFC 7638]. This standard specifies a method for computing a stable hash value of a JSON Web Key (JWK). In particular...
Beyond silos, connecting. Japan's first Identity Summit brings together industry, government and academia - JICS2013
Connecting beyond silos. The first identity summit in Japan, bringing together industry, government and academia, "Japan Identity & Cloud Summit 2013", will be held on March 3rd and 4th at the Hitotsubashi University Academic Center in Tokyo. As one of the program committee members, I have been involved in creating the program for the past few months.
Using plain OAuth 2.0 for authentication would create a security hole big enough to drive a car through.
A good article by John Bradley about how using OAuth 2.0's implicit grant flow for authentication opens a security hole big enough for a car to drive through. The comments are also worth reading. I checked it out and it was a complete disaster. I need to fix the RP side, so...
Is the information sharing infrastructure of the "number" system complex?
In the context of the national ID system, the "number" system (sometimes mistakenly called the common number system), there is a system infrastructure called the "information sharing infrastructure." The orange box in the diagram below (from the interim report of the Cabinet Secretariat's Information Sharing Infrastructure Technology Working Group) is this. It seems that this part is the "information sharing infrastructure" that has been...
Twitter to automatically delete DM access for apps
According to an article in TechCrunch, Twitter is finally getting serious about elaborating on OAuth access permissions. According to this, the consent screen will be changed from the previous extremely simple one to the detailed one shown below, and DM access will be automatically granted from apps that do not require it.
OAuth Wrap Web App Profile Summary
I've summarized the OAuth Wrap Web App Profile in a sequence diagram. #I wish this was in the spec itself... Points to note: