Nat Sakimura is a well-known identity and privacy standardization architect at NAT Consulting and the Chairman of the Board of the OpenID Foundation and MyData Japan. Besides being an author/editor of such widely used standards as OpenID Connect, JWT (RFC7519), JWS (RFC7515), OAuth PKCE (RFC7636), ISO/IEC 29100 Privacy Framework, and ISO/IEC 29184 Online privacy notice and consent, he helps communities organize themselves to realize the ideas around identity and privacy.
As the chairman of the board of the OpenID Foundation, he streamlined the process, bolstered the IPR management, and greatly expanded the breadth of the foundation, spanning over 10 working groups whose members include large internet services, mobile operators, financial institutions, governments, etc.
He is also active in public policy. He is a Digital Special Advisor to the Japanese Fair Trade Commission and serves on numerous governmental committees in Japan. He also advises the OECD’s Working Party on Data Governance and Privacy in Digital Economy as a member of the Internet Technical Advisory Committee (OECD/ITAC).
He is currently the chair of the Japanese National Body to ISO/PC 317 Consumer Protection: Privacy by design for consumer goods and ISO/IEC JTC 1/SC 27, which standardizes security, cybersecurity, and privacy technologies, and a founding board member of the Kantara Initiative.
Personally, he was a flautist and still deeply loves ‘classical’ music (both Western and Japanese), especially the 20th century and later. (Well, is that ‘classical’?) He spent six years in Kenya during junior and senior high school, where he learnt to ride horses to chase giraffes, and he still loves the life there.
Publications
- Matsuo, Sakimura, et al.: “Web3 Gaps”. (2024). Nikkei BP
- Sakimura, N: “Digital Identity” (2021), Nikkei BP
- Matsuo, Sakimura (ed): “Blockchain Gaps”. (2021). Springer
- Sakimura, Bradley, Jay: “Financial-grade API Security Profile (FAPI) 1.0 – Part 2: Advanced” (2021), OpenID Foundation
- Sakimura, Bradley, Jay: “Financial-grade API Security Profile (FAPI) 1.0 – Part 1: Baseline” (2021), OpenID Foundation
- Hokino, Fujiki, Onda, Kaneko, Sakimura, Sato: “A Practical Trust Framework: Assurance Levels Repackaged Through Analysis of Business Scenarios and Related Risks”, SSR, Lecture Notes in Computer Science, Springer
- Sakimura, Bradley, Agarwal: “Proof Key for Code Exchange by OAuth Public Clients” (2015), RFC7636, IETF.
- Jones, Bradley, Sakimura: “JSON Web Signature” (2015), RFC7515, IETF.
- Jones, Bradley, Sakimura: “JSON Web Token” (2015), RFC7519, IETF.
- Sakimura, Bradley, Agarwal, Jay: “OpenID 2.0 to OpenID Connect Migration 1.0” (2015), OpenID Foundation
- Sakimura: “Privacy Respecting Personal Data Federation Protocol Design” (2015), Digital Practice, Information Processing Society of Japan
- Sakimura, Jones, Bradley, de Medeiros, Mortimore: “OpenID Connect Core” (2014), OpenID Foundation
- Sakimura, Bradley, Jones, Jay: “OpenID Connect Discovery” (2014), OpenID Foundation
- Sakimura, Bradley, Jones: “OpenID Connect Dynamic Registration” (2014), OpenID Foundation
- Ito, Yasuoka, Tomita, Sakimura: “Use of the private infrastructure in the Government: Open (local) Government utilizing the Social CRM” (2011), NRI, Chiteki Shisan Souzou.
- Sakimura: “Les Societe Miserables and the National ID System – The Danger of Identifier Correlation seen in Victor Hugo’s Les Miserables” (2011), Gijutsu Hyouron
- Sakimura: “National ID System and Trust Frameworks” (2010), Horibe Masao Information Law Seminar Proceeding.
- Ohashi, Sakimura, Sakushima, Hori: “On the Substantial Study of Proxing Assurance between OpenID and SAML” (2010), Springer, Communications in Computer and Information Science 109.
- Jones, Recordon, Bradley, Sakimura et al. “OpenID Provider Authentication Property Extension” (2008), OpenID Foundation.
- Sakimura, Eijima: “Shifting towards the context-based system through the mobile phone as the user agent” (2006), NRI, Gijutsu Sohatsu.
- Sakimura: “Data Loss Prevention System” (2002), NRI, Chiteki Shisan Souzou.
- Sakimura: “White-collar productivity improvement through the utilization of the noise reduced environment and groupware.” (1997), NRI, Chiteki Shisan Souzou.
Patents / Patent Applications
- Japanese patent publication 2009-230601: Communication systems, methods, authentication and the client. (Pending)
- Japanese patent publication 2008-204250: Authentication system and the relying party methods.
- Japanese patent publication 2008-027222: Authentication system, methods, and program.
- Japanese patent publication 2007-109122: Authentication system, methods, and program.
- Japanese patent publication 2007-060172: Authentication devices, authentication methods and authentication program.
- Japanese patent publication 2007-058469: Authentication system, server, methods and authentication program.
- Japanese patent publication 2007-058468: Card based authentication, authentication system, authentication method and card authentication system.
- Japanese patent publication 2005-167700: User information management systems.
Sakimura-san:
Breno de Medeiros is an old friend. He suggested that I contact you about OIDC issuer discovery. We are attempting to implement federated SSO in our IdP. The absence of a viable issuer discovery mechanism is an impediment.
For the user@domain case, there are two fatal problems with the WebFinger approach given in the OIDC Discovery document:
– Some domains do not have an associated website. Requiring a web server for issuer discovery adds a very large and unjustified attack surface to the authentication process.
– A substantial majority of domain owners use cloud hosted site providers, and do not have the authority or permission to deploy a service (such as WebFinger).
I wonder if this may be part of why RFC 8414 places issuer discovery out of scope.
Before I try to resolve this myself, I was hoping for your guidance:
1. Is there an existing group that is already working on this?
2. Would the OpenID Foundation consider revisiting this issue? If not, where should it be explored?
3. Breno mentioned that Asian users may prefer phone numbers rather than the user@domain convention. As a Bell Labs graduate, I tend to think that a robust mechanism for telephone number based discovery must have a separate, carrier-supported mechanism. Is there a source or a document that would help me understand the objectives and the issues?
Thank you!
Jonathan Shapiro, PhD
President
Buttonsmith Inc
I am sorry for the tardy reply. It, unfortunately, ended up in the moderation queue. I will get back to you later, probably tomorrow.
Thanks for getting in touch.
The genesis of using .well-known for the discovery was the comments from the WG that the identity team in many cases does not have control of DNS (which I did not really buy) but they do have control of their identity server, such as id.example.com. The WebFinger address really is not an email address. It looks like email, but it is not. Basically, what we need the user to input into WebFinger is something like @id.example.com.
We are currently revising the Discovery mechanism as part of effort for improving Self-Issued OP, so you might want to look at it. (Sorry, I am not following the details.)
As far as telephone number based discovery is concerned, there is a working group in the OpenID Foundation called MODRNA, standing for Mobile Operator Discovery, Registration, aNd Authentication. https://openid.net/wg/mobile/
They have a working draft
OpenID Connect MODRNA Discovery Profile
Again, I am not following the details but it is being worked on by Mobile Operators so it should be useful.
I hope these are useful.
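The WebFinger-based issuer discovery that the exchange above argues about, walked through end to end as an added example; this is not code from the page, from Nat Sakimura or from the OpenID Foundation. It follows the OpenID Connect Discovery 1.0 flow (WebFinger `rel` value, the two `.well-known` paths, the rule that WebFinger and the issuer must be `https`) but the identifier normalization is my simplified reading of the spec's section 2.1, the handling of a bare `@host` input is my own choice, and the strictness checks (exactly one issuer link, all endpoints `https`) are policy choices, not normative requirements. The network is replaced by a table of constructed responses so the flow runs offline; `example.com`, `id.example.com` and `example.org` are placeholders, not real servers.

```python
"""WebFinger-based OpenID Connect issuer discovery, run offline.

Added example, not code from the page or from the OpenID Foundation.
Normalization is a simplified reading of OIDC Discovery 1.0 section 2.1;
the rel value and .well-known paths are the ones the spec defines.
"""
from __future__ import annotations

from urllib.parse import quote, urlsplit

OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"


def normalize_identifier(user_input: str) -> tuple[str, str]:
    """Turn what the user typed into (WebFinger resource, host to query).

    Simplified rules (my summary, not the normative text):
      joe@example.com           -> acct:joe@example.com, host example.com
      example.com/joe, https:// -> https URL, host = authority (port kept)
      @id.example.com           -> https://id.example.com (my own choice:
                                   a bare host, as in the reply above)
    Fragments are dropped; only https identifiers are accepted.
    """
    s = user_input.strip()
    if s.startswith("acct:"):
        s = s[len("acct:"):]
    if "@" in s and "://" not in s.split("@", 1)[0]:
        local, host = s.rsplit("@", 1)
        host = host.split("#", 1)[0]
        if not host:
            raise ValueError(f"no host in identifier {user_input!r}")
        if not local:
            return f"https://{host}", host
        return f"acct:{local}@{host}", host
    if "://" not in s:
        s = "https://" + s
    parts = urlsplit(s)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"unsupported identifier {user_input!r}")
    return parts._replace(fragment="").geturl(), parts.netloc


def webfinger_url(resource: str, host: str) -> str:
    """WebFinger MUST be fetched over HTTPS from the identifier's host."""
    query = f"resource={quote(resource, safe='')}&rel={quote(OIDC_ISSUER_REL, safe='')}"
    return f"https://{host}/.well-known/webfinger?{query}"


def issuer_from_jrd(jrd: dict) -> str:
    """Extract the issuer link from a JRD and reject anything but a clean https URL."""
    links = [l for l in jrd.get("links", []) if l.get("rel") == OIDC_ISSUER_REL]
    if len(links) != 1:  # policy choice: ambiguity is treated as an error
        raise ValueError(f"expected exactly one issuer link, got {len(links)}")
    issuer = links[0].get("href", "")
    parts = urlsplit(issuer)
    # OIDC issuers are https URLs with no query or fragment component.
    if parts.scheme != "https" or not parts.netloc or parts.query or parts.fragment:
        raise ValueError(f"issuer must be an https URL without query/fragment: {issuer!r}")
    return issuer


def openid_configuration_url(issuer: str) -> str:
    """OIDC Discovery appends the well-known path to the issuer URL (unlike RFC 8414)."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def verify_configuration(issuer: str, config: dict) -> dict:
    """Provider metadata must name the issuer we discovered; anything else is a substitution."""
    if config.get("issuer") != issuer:
        raise ValueError(f"issuer mismatch: asked {issuer!r}, document says {config.get('issuer')!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlsplit(config.get(key, "")).scheme != "https":  # policy choice
            raise ValueError(f"{key} must be an https URL")
    return config


# Constructed responses standing in for the network (not real servers).
CONSTRUCTED_RESPONSES = {
    webfinger_url("acct:joe@example.com", "example.com"): {
        "subject": "acct:joe@example.com",
        "links": [{"rel": OIDC_ISSUER_REL, "href": "https://id.example.com"}],
    },
    openid_configuration_url("https://id.example.com"): {
        "issuer": "https://id.example.com",
        "authorization_endpoint": "https://id.example.com/authorize",
        "token_endpoint": "https://id.example.com/token",
        "jwks_uri": "https://id.example.com/jwks.json",
    },
    # A misconfigured domain that points at a plain-http issuer: must be rejected.
    webfinger_url("acct:mallory@example.org", "example.org"): {
        "subject": "acct:mallory@example.org",
        "links": [{"rel": OIDC_ISSUER_REL, "href": "http://id.example.org"}],
    },
}


def fetch_json_offline(url: str) -> dict:
    """Stand-in for an HTTPS GET; only the constructed URLs above exist."""
    if url not in CONSTRUCTED_RESPONSES:
        raise LookupError(f"no constructed response for {url}")
    return CONSTRUCTED_RESPONSES[url]


def discover(user_input: str, fetch_json=fetch_json_offline) -> dict:
    """Identifier -> WebFinger -> issuer -> verified provider metadata."""
    resource, host = normalize_identifier(user_input)
    issuer = issuer_from_jrd(fetch_json(webfinger_url(resource, host)))
    return verify_configuration(issuer, fetch_json(openid_configuration_url(issuer)))


if __name__ == "__main__":
    meta = discover("joe@example.com")
    print(meta["issuer"], meta["authorization_endpoint"])
```

Note that the whole chain hangs off two HTTPS fetches from hosts the user named, which is exactly the attack surface the question above objects to: whoever serves `/.well-known/webfinger` on `example.com` chooses the issuer, so the issuer-match check in `verify_configuration` only guarantees consistency between the two documents, not that the domain owner intended that provider.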