Here is the script of the Chair’s remark at the opening of the Open Data in Fianance Conference in London (June 15, 2016) 09:00 –…
View More Open Data in Finance Conference: Chair’s Welcome
Author: Nat
Having been working on Digital Identity since 2000.
Co-author of various identity related specifications like OpenID Connect, JSON Web Token.
Chair of the OpenID Foundation (2011-)
Vice Chair of the OpenID Foundation (2010),
Founder of OpenID Foundation Japan (2008-),
Trustee of Kantara Initiative (2009-).
GSA 18F’s unauthorized Slack use caused breach of 100 GSA Google Drives?
@JamieXML pinged me about the @18F breach that I completely missed. I quickly googled it and found this article. IG report:18F’s unauthorized Slack use caused…
View More GSA 18F’s unauthorized Slack use caused breach of 100 GSA Google Drives?Authorization Delegation: A financial accounts aggregation use case
I have many bank accounts. If I wanted to use a new and shiny graphing service, I have to get authorization from each banks individually.…
View More Authorization Delegation: A financial accounts aggregation use case
Cut and pasted code attack in OAuth 2.0 [RFC6749]
The so called ‘cut and pasted code attack’ also known as ‘Frankenstein Monster Attack’ is an attack that the adversary swaps the ‘code’ in the…
View More Cut and pasted code attack in OAuth 2.0 [RFC6749]
Code phishing attack on OAuth 2.0 [RFC6749]
Code phishing attack is the attack that the adversary obtains the code and client credentials from the legitimate client and uses them against the honest token…
View More Code phishing attack on OAuth 2.0 [RFC6749]
IdP Mix-up Attack on OAuth [RFC6749]
On Sunday 10, 2016, OAuth Security Advisory: Authorization Server Mix-Up was issued. Nov Matake wrote an excellent article about it in Japanese. To help understand the…
View More IdP Mix-up Attack on OAuth [RFC6749]
Happy New Year!
2015 was a hectic year: Bunch of the specs that I have been working on (JWS [RFC7515], JWT [RFC7519], OAuth PKCE [RFC7636], JWK Thumbprint [RFC7638])got published and the work to convert…
View More Happy New Year!
On the XARA vulnerability on MacOS X and iOS
Just came across this article: Apple CORED: Boffins reveal password-killer 0-days for iOS and OS X, by The Register. Since the news itself did not explain…
View More On the XARA vulnerability on MacOS X and iOSApple’s answer to the in-secure use of in-app browser? — iOS 9 introduces SFSafariViewController
Apple forcing developpers to use in-app browser instead of spawning Safari has been known as an extremely insecure practice for sometime. There many reasons that…
View More Apple’s answer to the in-secure use of in-app browser? — iOS 9 introduces SFSafariViewController
JWS, JWT, and others now RFC!
It has taken soooo long [1], but JSON Web Signature (JWS), JSON Web Token (JWT) , together with other JW* suite finally are Standard Track…
View More JWS, JWT, and others now RFC!
You must be logged in to post a comment.