The OpenID Enhanced Authentication Profile (EAP) Working Group recommends approval of the following specifications as OpenID Implementer’s Drafts:
- OpenID Connect Token Bound Authentication 1.0
- OpenID Connect Extended Authentication Profile (EAP) ACR Values 1.0
The first specification enables OpenID Connect implementations to apply Token Binding to the OpenID Connect ID Token. This use of Token Binding protects the authentication flow from man-in-the-middle attacks and from token export and replay attacks.
The second specification enables OpenID Connect Relying Parties to request that specific authentication context classes be applied to the authentications performed. It defines one authentication context class reference value that requests phishing-resistant authentication and another that requests phishing-resistant authentication with a hardware-protected key. These policies can be satisfied, for instance, by using W3C Web Authentication (WebAuthn) or FIDO authenticators.
An Implementer’s Draft is a stable version of a specification providing intellectual property protections to implementers of the specification. This note starts the 45-day public review period for the specification drafts in accordance with the OpenID Foundation IPR policies and procedures. Unless issues are identified during the review that the working group believes must be addressed by revising the drafts, this review period will be followed by a seven-day voting period during which OpenID Foundation members will vote on whether to approve these drafts as OpenID Implementer’s Drafts. For the convenience of members, voting will actually begin a week before the start of the official voting period.
The relevant dates are:
- Implementer’s Drafts public review period: Monday, April 22, 2019 to Thursday, June 6, 2019 (45 days)
- Implementer’s Drafts vote announcement: Friday, May 24, 2019
- Implementer’s Drafts voting period: Friday, June 7, 2019 to Friday, June 14, 2019 (7 days)*
* Note: Early voting before the start of the formal voting will be allowed.
The EAP working group page is https://openid.net/wg/eap/. Information on joining the OpenID Foundation can be found at https://openid.net/foundation/members/registration. If you’re not a current OpenID Foundation member, please consider joining to participate in the approval vote.
You can send feedback on the specifications in a way that enables the working group to act upon it by (1) signing the contribution agreement at https://openid.net/intellectual-property/ to join the working group (please specify that you are joining the “EAP” working group on your contribution agreement), (2) joining the working group mailing list at https://lists.openid.net/mailman/listinfo/openid-specs-eap, and (3) sending your feedback to the list.
— Michael B. Jones – OpenID Foundation Board Secretary