.Nat Zone | Digital Identity et al. - Part 2

.Nat Zone Digital Identity et al.

: Code phishing attack on OAuth 2.0 [RFC6749]

2016/01/22 identity, OAuth, OpenID Connect, security code phishing, mix-up, OAuth IdP Mix-up attack

Code phishing attack is the attack that the adversary obtains the code and client credentials from the legitimate client and uses them against the honest token endpoint to obtain tokens thereby accessing the protected resources illegitimately. Assumptions There are not much …

: IdP Mix-up Attack on OAuth [RFC6749]

2016/01/15 OAuth, OpenID Connect, security OAuth IdP Mix-up attack

On Sunday 10, 2016, OAuth Security Advisory: Authorization Server Mix-Up was issued. Nov Matake wrote an excellent article about it in Japanese. To help understand the readers of the attack, I am translating the portion of his blog post explaining the …

: Happy New Year!

2016/01/01 identity, privacy

2015 was a hectic year: Bunch of the specs that I have been working on (JWS [RFC7515], JWT [RFC7519], OAuth PKCE [RFC7636], JWK Thumbprint [RFC7638]）got published and the work to convert ISO/IEC 29100 Privacy Framework into Japan Industry Standard started. We had OpenID Summit Tokyo 2015 …

: On the XARA vulnerability on MacOS X and iOS

2015/06/19 identity, OAuth, OpenID Connect security, XARA

Just came across this article: Apple CORED: Boffins reveal password-killer 0-days for iOS and OS X, by The Register. Since the news itself did not explain the nature of the attack well enough, I went onto reading the full paper: Xing, …

: Apple’s answer to the in-secure use of in-app browser? — iOS 9 introduces SFSafariViewController

2015/06/09 OAuth, OpenID Connect

Apple forcing developpers to use in-app browser instead of spawning Safari has been known as an extremely insecure practice for sometime. There many reasons that this was a bad practice both from security and usability point of view: An app …

: JWS, JWT, and others now RFC!

2015/05/20 identity, OAuth ietf, JWS, JWT, OAuth, RFC

It has taken soooo long [1], but JSON Web Signature (JWS), JSON Web Token (JWT) , together with other JW* suite finally are Standard Track RFC[2] now. They are [RFC7515] and [RFC7519] respectively. For those of you who are not familiar with JWS and …

: Review Comments for draft-ietf-oauth-proof-of-possession-02

2015/03/26 OAuth IETF 92

Proof-Of-Possession Semantics for JSON Web Tokens (JWTs) draft 02 has been under WGLC till yesterday (March 24, 2015). During the OAuth WG meeting at IETF 92 on Monday, I was asked to do a review of the document (See the minutes). …

: Seasons Greetings 2014

2014/12/24 Music Christmas, flute, seasons greeting, video

Seasons greetings video as a replacement to a greeting card. The Christmas Song was written by Mel Torme & Robert Wells on a hot summer day in 1944[1]. There was no air conditioner at the time and they tried to feel …

: Making a Javascript OpenID Connect Client in 4 steps

2014/12/10 identity, OpenID Connect

When John, Breno, and I started the OpenID Connect work, one of the target was to make it as simple as putting two files on the client file system and calling a few functions from the calling page. With OpenID …

: Autumn Greetings from Japan

2014/11/10 misc

Japan is now fully in Autumn. Leaves are turning and colours are beautiful. It is unfortunate that I cannot spend much time in Japan right now. In fact, I am now in Narita Airport waiting for my flight to Hawaii, …

« Previous 1 2 3 … 19 Next »