Nat Sakimura is a well-known identity and privacy standardization architect at NAT Consulting and the Chairman of the Board of the OpenID Foundation and MyData Japan. Besides being an author/editor of such widely used standards as OpenID Connect, JWT (RFC7519), JWS (RFC7515), OAuth PKCE (RFC7636) ISO/IEC 29100 Privacy Framework Amd.1, and ISO/IEC 29184 Online privacy notice and consent, he helps communities to organize themselves to realize the ideas around identity and privacy.

As the chairman of the board of the OpenID Foundation, he streamlined the process, bolstered the IPR management, and greatly expanded the breadth of the foundation spanning over 10 working groups whose members include large internet services, mobile operators, financial institutions, governments, etc.

He is also active in public policy space. He is a Digital Special Advisor to the Japanese Fair Trade Comission and serves as a member of numerous governmental committees in Japanese. He is also advising OECD’s Working Party on Data Governance and Privacy in Digital Economy as a member of the Internet Technical Advisory Committee (OECD/ITAC).

He is currently the chair of the Japanese National Body to ISO/PC 317 Consumer Protection: Privacy by design for consumer goods and ISO/IEC JTC 1/SC 27/WG 5 that standardizes Identity management and privacy technologies and is a founding board member of Kantara Initiative.

Personally, he was a flautist and still deeply loves (both western and Japanese)  ‘classical’ music especially the 20th century and later. (Well, is that ‘classical’?) He spent six years in Kenya while he was in junior and senior high school, where he learnt how to horse ride to go after giraffe, and still loves the life there.


Patents / Patent Applications

Patent System Number
1.特許公開2009-230601	Communication systems, methods, authentication and the client. (Pending)
2.特許公開2008-204250	Authentication system and the relying partty methods. 
3.特許公開2008-027222	Authentication System, Methods, and program. 
4.特許公開2007-109122	Authentication System, Methods, and program. 
5.特許公開2007-060172	Authentication Devices, Authentication Methods and Authentication Program.
6.特許公開2007-058469	Authentication System, Server, methods and authentication program.
7.特許公開2007-058468	Card based authentication, authentication system, authentication method and card authentication system.
8.特許公開2005-167700	User Information Management Systems.

3 Replies to “About Nat Sakimura”

  1. Sakimura-san:

    Breno de Medeiros is an old friend. He suggested that I contact you about OIDC issuer discovery. We are attempting to implement federated SSO in our IdP. The absence of a viable issuer discovery mechanism is an impediment.

    For the user@domain case, there are two fatal problems with the WebFinger approach given in the OIDC Discovery document:

    – Some domains do not have an associated website. Requiring a web server for issuer discovery adds a very large and unjustified attack surface to the authentication process.
    – A substantial majority of domain owners use cloud hosted site providers, and do not have the authority or permission to deploy a service (such as WebFinger).

    I wonder if this may be part of why RFC 8414 places issuer discovery out of scope.

    Before I try to resolve this myself, I was hoping for your guidance:

    1. Is there an existing group that is already working on this?
    2. Would the OpenID Foundation consider revisiting this issue? If not, where should it be explored?
    3. Breno mentioned that Asian users may prefer phone numbers rather than the user@domain convention. As a Bell Labs graduate, I tend to think that a robust mechanism for telephone number based discovery must have a separate, carrier-supported mechanism. Is there a source or a document that would help me understand the objectives and the issues?

    Thank you!

    Jonathan Shapiro, PhD
    Buttonsmith Inc

    1. I am sorry for the tardy reply. It, unfortunately, ended up in the moderation queue. I will get back to you later, probably tomorrow.

    2. Thanks for getting in touch.

      The genesis of using .well-known for the discovery was the comments from the WG that the identity team in many cases do not have control of DNS (which I did not really buy) but they do have control of their identity server, such as The web Finger address really is not an email address. It looks like email, but it is not. Basically, what we need the user to input into web finger is something like

      We are currently revising the Discovery mechanism as part of effort for improving Self-Issued OP, so you might want to look at it. (Sorry, I am not following the details.)

      As far as telephone number based discovery is concerned, there is a working group in OpenID Foundation called Modrna, standing for Mobile Operator Discovery, Registratio, aNd Authentication.

      They have a working draft
      OpenID Connect MODRNA Discovery Profile
      Again, I am not following the details but it is being worked on by Mobile Operators so it should be useful.

      I hope these are useful.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.