On October 7th, 2023, our friend Vittorio Bertocci passed away from cancer. A couple of weeks prior to that he reached out to Jim and me asking to record an episode about an RFC that he had been working on, with a plan to release it today, October 9th, 2023. To be honest, in the moment it felt a little bit like a goodbye, and I'm glad we were able to connect one last time.
The conversation you'll hear in a bit was recorded on September 23rd, 2023, and he passed away just a couple of weeks later. We are honoring his memory by releasing this episode as we had agreed to do. Vittorio may be gone, but he will not be forgotten. This is Identity at the Center. If it has anything to do with IAM, this is the go-to podcast. Now, your hosts, Jim McDonald and Jeff Steadman. Welcome to the Identity at the Center podcast. I'm Jeff and that's Jim. Hey, Jim.
Hey, Jeff, how are you? Oh, not so bad. Yourself? I'm doing all right. I'm looking forward to, you know, getting this episode out to everybody. It was a really important one, and I hope everyone enjoys it. Yeah, so just to kind of kick down the fourth wall, we just had a conversation with Vittorio Bertocci, who I'm sure most people in the industry know. We talked about the new RFC 9470, OAuth 2.0 Step Up Authentication Challenge Protocol, that just got released.
And he also gave us an update on where he stands with the health situation. So I'm sure people in the industry are interested to hear about that. Yeah, why don't we just get right into it? So without further ado, let me introduce Vittorio and we'll hear that conversation next. So we've got Vittorio Bertocci. He's a principal architect at Auth0, an Okta product unit. He's been on the show a few times at this point. Welcome back to the show, Vittorio.
Thank you. Thank you, Jeff. And Jim, last time I believe it was in a suite in Vegas during some Gartner event. I believe it definitely was a Gartner event, that's for sure. That was a fun time, and you're working on a new thing. This is one of the things we're going to talk about today: this new OAuth 2.0 Step Up Authentication Challenge Protocol that you have an RFC out for, RFC 9470, and we'll have a link in our show notes for
people to check that out. I guess why don't we start with the basics? What is this? What are you doing? Absolutely. The first thing I'd like to say is that I'm no longer working on it, because it is finally an official spec. Congratulations. Thank you. Thank you. It took a remarkably short time, because I think that we introduced the idea in May of 2022. So it's actually remarkable that it went through so well, and this spec is,
I'd say, one of the typical things that I like to do. I like to look at the current situation and see things that are unaddressed. And in particular, there is this idea of step-up authentication. That is an incredibly important scenario, because of course we observe it happening all the time, and yet there was absolutely no standard for it. So everyone that uses it uses features of the particular platform that they want to use to achieve it.
Which means that there is no interoperable way to do it, which means that its usage is more limited than it should be. And so with my friend Brian Campbell, an absolute luminary in the space of OAuth, we looked into this and we said, you know what, why don't we formalize the simplest way to deal with this? And that's exactly what we've done. And basically the main point is: you can use step-up
authentication statically. So imagine that you have an app that calls one method that is read-only and one method that is write. You can have a static table that says whenever someone asks for this particular thing, they need to do this level of authentication or this other level of authentication, and that's fine. But the reality is that things are not that simple, because at runtime, when you have an app that is calling something, there is information that is
only available at that moment. If I'm buying something, the cost of the things that I'm buying is only available now that I'm performing the call. When I asked for the token, there was no such information. Or, now you know that with AI anomaly detection there are all these risk engine, evaluation components that you can place in front of your API. And this component analyzes what you're sending, and if it decides that the risk is high, basically it can just refuse a token.
That on paper would be perfectly fine. So basically what we have done was we extended the error system of OAuth to add another component. So when you call an API using OAuth and the API refuses, it can send you this header, this HTTP header, with some extra information. So we extended this, adding the requirement that the API has for
authentication. So now you can send back this thing called ACR value, which is both a parameter and a claim that basically points to one particular authentication ceremony that is known by the authorization server. So when the client attempts the call and gets back this header and the error, now they can turn around, go back to the authorization server and include this information.
So that if, for example, the requirement is that they have to do it with both, then the authorization server will know how to do it. And the interesting part is that we are extending OAuth authorization servers to accept this parameter. But this parameter already exists in OpenID Connect. I mean, you can do exactly what I just described when you're asking for an ID token. So all we did there was to extend OAuth proper to support this parameter. And I'm a big pragmatist, like I
don't like pie-in-the-sky stuff. And the large majority, well, I cannot say it, but a big number of authorization server implementations out there are also OpenID Connect implementations, and so that means that substantially this stuff is right there, like you don't have to write extra code, and the code that you have to write on the resource server, the API, to send back this error and the code you have to put on the client to accept and forward these requests are trivial,
super simple. So now you can build systems that are very sophisticated in behavior at runtime but are incredibly easy to implement, and in fact I know that even before this became an RFC, there were a number of people that implemented early drafts just because they needed it. And this is, like, I'm so glad that I had the chance to see this come to fruition, because it's such an important spec. What do you think? Yeah, Vittorio, you had the podcast,
Identity Unlocked, which was a fantastic podcast to get into a lot of the standards. I think, you know, I listened to a lot of episodes and really enjoyed it. I also realized that sometimes that lane was going a little fast for me. So forgive me if some of my questions are very basic, but I'm trying to understand, within the OAuth 2 world, it seems like, okay, we have the OAuth 2 standard and now we have RFCs that go on top of that. At some point, will they be rolled into OAuth 3 or OAuth
2.1? How exactly, if you could very simply explain, how is that going to work? So the general idea with OAuth is that OAuth is a framework. There is a core spec, a couple of core specs, that define the core scenarios, and then define the rules of the game when you want to extend the spec. We didn't want to boil the ocean by taking everything into account. And in fact, the thing is that the new scenarios that are part of the extensions are scenarios
that emerged as the industry evolved, so we couldn't have everything packed in there. So by design, technically, we could go forever with this OAuth 2 core and extensions. Now, a small group of, I don't know, good Samaritans, I don't know how to define them, decided to create OAuth 2.1, a version of the spec which substantially takes some of the most fundamental extensions and the security best practices and integrates that into OAuth 2.1. I don't think there is much talk
of OAuth 3. That's also because of the challenge that you have in here, which is also that the bigger the install base you have, the more you cannot make radical changes, because you'd break stuff. In fact, there have been attempts to start from scratch, outside of OAuth, but they didn't go very far because OAuth works, and people keep adding stuff on it, and now it's not just a matter of techies.
There are things like FAPI, the Financial-grade API, which is the financial operating profile but is all based on OAuth, which is now used officially for certifying banks and insurances and similar. So you build on top of these, and then you have to be very careful not to break people, especially because often we are techies and we have a bit of OCD, you know, putting the books in the bookshelf in the
right height order and similar. But in fact, if you do that and then you break the actual business scenarios, then we are not in a good place. I think that's the part that is sometimes confusing for people: this idea of a core framework and then the extensions. And I feel like at some point the extensions become so popular and so prevalent, and at what point do they become part of the core framework? I think that's always a challenge, right?
Because I think you probably want to maintain compatibility, right, as much as possible going backwards. But at some point, you know, you get, you know, step-up authentication. This is not a new thing, right? It's been around for a while, but now it's an actual, you know, RFC. It's an extension. It's how people can use it in a standard way, which is fantastic.
Do we run the risk of, I guess, what risk do we run if we don't continue to either build extensions like that and sort of agree on the way that those methodologies work, versus, yeah, it's time for an OAuth 2.1 or 3.0 or whatever it may be, to push either security or interoperability forward? Right, so here there is the formal aspect and then there is a bit of a readability aspect. Formally, the extensions are always incremental. So normally you don't break anything.
It's only forward compatible, but never backward compatible. And the consolidation can happen for things that are absolutely obvious, like for example, PKCE is a method for protecting the authorization code, and at first it was devised for one particular scenario, but it turned out that there are certain attacks that happen all the time. And so PKCE is one of the things that is now being
integrated into OAuth 2.1. So now if you want to be compliant with OAuth 2.1, you must support PKCE. The thing is that most implementations do already, because it was an important requirement. The consolidation in 2.1 is a bit trying to make it easier to discover that those things exist, because now you have, like, this huge graph of extensions that is hard to navigate. So OAuth 2.1 is bringing in some of the fundamentals, the things that
really you shouldn't miss. But it's more of a readability thing, because in theory, even if you just keep doing extensions, everything is there. So I think you mentioned that this started in May, I believe. Is that when this picked up? I believe that's when it started. Somewhere around there. But still, from, I mean, that's only four months to get it into...
I know, wait, May of '22, '22, '22. So, all right, so a year. But still, that's still relatively quick, right, for something like this to move forward? It's super, super quick, yes. Why do you think that is? Like, why? Why would, why did this one move so much quicker than maybe other ones? Scope. The scope was very small, the scenario was very clear, and so there was very little
controversy. The interesting part is that the controversy demonstrated that everyone thinks slightly differently about what step-up means, and so a lot of the work was in reaching common ground. Like, for example, the idea of step-up is a misnomer, because there is no intrinsic hierarchy of methods. There might be the exact same two tokens that, depending on the mood of the API, you can accept one and not accept the other, and one hour later vice versa. So you cannot say that one
method is higher than the other. But in the vast majority of cases it's usually a step up, as in the classic "I move from read-only to write," and then there are also lots of other complications, like when I get this new token, should I also hold on to the old one? And normally the answer is yes, because the new token might be specialized for that particular call, or might be, like, short-lived, and so the user experience will be bad.
So all these considerations came to light as part of the discussion, but in the end there was no controversy about the need for this particular thing. And also, like, the RFC was literally trivial. At the same time as our publication, they also published DPoP, which is an incredibly important spec, but instead it took a very long time. It took a very long time because
it's complex. Basically DPoP allows you to do sender-constrained protection on the tokens, so if someone steals the token, if they don't have the right key material, they cannot reuse it. And it's all negotiated at runtime, so you don't need to do complicated stuff like distributing certificates. It's an incredibly important spec, which is also co-authored by Brian Campbell, who has his hands everywhere.
And yeah, actually my spec, our spec, was dependent on DPoP, because we had the reference in our references section to DPoP, and we couldn't go to RFC until they would get an RFC number. And so it was a week in which I was refreshing the IETF page every day to see if they actually... That sounds to me like the equivalent of, like, Google searching your own name and looking for, you know, what's the news about me today, except you're looking for, like, did this thing
get passed or not? Believe it or not, years ago I used to do it. Now it's pointless, because there is so much auto-generated spam content if you do one, but I occasionally do it on Slack, because there will be discussions in which people mention me but they don't @-mention me. And it's so easy, because once you land in there and you say, "ha ha," people sometimes don't realize we were in a public channel.
And so I like, I like the acknowledgements that you made at the end of the RFC, thanking the Academy, the viewers at home and the shampoo manufacturers. I thought that was really funny. That was actually Brian's idea. And also, Brian this week wrote a blog post about the spec and about myself and my state of health, and he wrote it on the official Ping blog, which is, absolutely, really good. Absolutely remarkable.
Do you want to give an update on what's been going on with your health? Sure. Well, the basic story is pretty simple. At the end of June, I discovered that I have pancreatic cancer, which is one of the worst kinds. It spread to the liver and the lungs, and I started treatment. I cut my hair myself, and there is a video on Instagram that shows that I do it.
It's a time lapse. It would be funny if it was not tragic. But at the beginning of August the cancer caused a very severe bleeding, like I almost bled out, and I was one week intubated and my organs shut down. But somehow the doctors, I am with Virginia Mason in Seattle, they are incredible, the doctors somehow saved me, but this thing left me 20 pounds thinner, like my muscle is gone.
My kidneys started working again very recently, and so right now I am recovering from that event until I'm strong enough to restart chemo. But unfortunately, in the meanwhile, what's happening is that the cancer is still ongoing, because it's completely unchecked. So when people ask me how I am, or they see that I moved from the hospital to the house, they think, like, it's improvement. And it's true, like I feel a little better every day, but I'm still...
It's like if you break your arm on the Titanic, and then every day your arm feels better, but the Titanic is still going toward the iceberg. So I am in this kind of tricky situation, which, as you can imagine, is not fantastic. But at the same time, I have to admit that I had an incredible life. Like, I started as the tenth of ten kids of a janitor, so as you can imagine, sleeping six people
in the same room. I started working at age 15 to cover my studies, and, like, I did all sorts of jobs, and I would have never, ever dreamed of achieving the level of success that I got. Absolutely never. I am incredibly grateful. When I made some messages on social about my condition, I received literally thousands of messages. Thousands. And a lot of them were from people I know, old mentors I had, colleagues, and also my company. Okta is being incredible in this.
I'm being supported in ways that I'm in awe of every day. But the thing that hit me was that so many of those messages were from strangers that told me how I influenced their career, or some of their life choices. And they went very specific, saying, "I was at that conference, in that session, and you said this
thing, and I decided that this was going to be my career, and now I'm a director at X." So it's an incredible blessing to have done this, and although it's very hard to accept one's mortality, the reality is that we can walk out at any time and be hit by a bus. The only difference between me and normal people is that now I'm forced to think about my mortality every day. But in practice there is, like, not much difference.
It's easy to say, it's harder to internalize, but I'm trying very hard. I'm doing this app from Sam Harris, one of my favorite philosophers, called Waking Up. It's a meditation app, and it's so much better than everything else I've tried. So if people are interested in mindfulness, I highly recommend it. Vittorio, I know you touched so many people. I want to bring up one.
So I was talking with Steven Strong, who I know you worked with at Auth0 and later Okta, and he was telling the story, I suppose, of the first time he met you. He sat down, I guess, in the cubicle across from you, and he's like, "Who's this guy?" I thought it was just such a cool and kind of cute story, because you guys became very good friends, and, you know, Steve, I know, is a listener of the show, and I'm sure he'll enjoy that I brought
that up. I remember seeing you at so many conferences, and I would attend all of your talks, right, your presentations, because you had such a different way of approaching it. It was funny and it was entertaining. And I think we've modeled a little bit of this, you know, this sort of podcast, off of that thing. Like, yeah, you know, it's identity and access management, we can have fun still, or at least try to make it entertaining.
And yeah, I think I finally, you know, worked up the courage at some point to kind of introduce myself, and, you know, your support for what we've been doing here and just the industry at large has been, I mean, just outstanding. So I don't think I can add more to that other than just, you know, it's how much you've meant to the industry.
I think it's been great that you've been getting the outpouring of support that you have from folks all over the world, and people who took the time to actually write things and reach out and stuff like that. It's, you know, it's a difficult situation sometimes, but being aware of it, I think, is always validating too, right? Absolutely. And you guys are doing an incredible job. I'd say that
now if you were to stop doing what you're doing, there would be a hole, and you'd see people, like, running around like headless chickens, because, like, you really are a spoke of the identity wheel, and your podcast is so important, and you guys are doing such a good job with it. I know that people absolutely love it, and I love it. Well, we appreciate that. Thank you. Yeah. Thank you so much. You want to wrap up on a lighter
note. I know that you and I, but way more you than me, let's just be very clear here, are into the VR and the AR spaces and things like that. Apple Vision Pro is coming out at some point here in the near future. What is going to be the first thing that you do with it? Because I know you're getting it,
right? Yes, absolutely. I don't think that the API would allow it, but the first thing I'd like to do is, instead of the eyes that are on the original screen, how do you do the googly eyes, so that when you move around, the googly eyes... But apart from that, I think that that thing has an enormous potential for AR. For me, like, VR is fun but solipsistic, and AR is truly where you can augment.
Then, like, I think that once we have wearable hardware like that, the thing is great in terms of output. I believe that it can give the right experience, but you can't go on the bus with it. Whereas instead, I think that augmented reality is going to be as much of a cognitive revolution as writing has been. Because I just think you can add a layer of meaning to absolutely
everything, apart from, like, forget the privacy stuff, which of course is going to be such a huge, huge problem. But imagine everything, like how you approach a machine, and on top of it there are the instructions and how to operate it. Or simple guidance for going around, or attaching notes, or, like, think of truly augmented cognition, like this system sees everything you have seen and saves it somewhere.
And then when you see it again, at the border of your vision, there are all these instances that you can go and refer to. Like, I'm convinced that the generation that will have access to wearable hardware, plus the AI that can now help query the enormous amount of information that you load, they will be different, like as they grow up, just like the brain of people changed. You know, there was no grammar, like people winged it when they were talking, before writing.
Instead, after writing, not just the grammar but a lot of interesting changes happened in cognition. If you read The Shallows from, I don't remember the name of the guy that speaks about cognitive revolutions, I'm convinced that that one will be big, and our generation might not even approve. Like, imagine someone that once they take off their glasses, they are only a fraction of
themselves. But on the other hand, it's kind of like when people started saying, "Oh, but if you Google everything, you don't learn anything." Well, but it's so convenient, and, as it turns out, the generation of people that only Googles it, that doesn't study in depth, they seem to be doing okay. So anyway, yes, I'm very excited about AR. Yeah, I am too. My problem with it isn't the technology itself, other than
the way it looks. I just feel awkward being on the bleeding edge of things sometimes. So I remember when I first got my AirPods. I had them before, like, anybody else did. I got locked out. And, you know, they were very high in demand. And, you know, I'm an Apple fanboy, and I remember putting them on at O'Hare airport. And people were staring at me, like, "Oh, he's got the Apple AirPods," you know. It was like whispers and hushed tones and, like, reverence. And it made me very
uncomfortable and self-conscious. And I'm thinking about strapping these, I mean, they're big, this ski mask goggle, right? You know what it looks like, and I just don't know. Using it in public terrifies me right now because of the looks I'm not going to get. I don't think that you'll see a lot of that stuff in public. You might see it in some workplaces for people that want to be bleeding edge. Why? Because they're so big and they have such
short autonomy. I also think that the apps at first will not be geared to outdoor use. They will mostly be things like, place this new piece of furniture in your room so that you know exactly what it will look like once you buy it. Stuff like that, probably. Well, they're definitely playing up, like, the media consumption angle, right? Being able to, like, watch Netflix on this certain size screen, and I travel a lot by plane, I think that would be pretty cool and nice.
And I think, like, I'm going to look like a real dork, you know, wearing these things, and I think at some point... Yeah, I actually years ago bought an Oculus and used it on the plane, and yeah, there were the stares and similar. The interesting thing is that it was my first Oculus that had passthrough, so that you could see the surroundings. And I remember a flight attendant that came to me and looked at me, completely convinced that I couldn't see her.
And I turned to her, saying, "Can I help you?" And she was... And I wrote a blog post about the experience, and then, I can tell you, I've been shown that in the triage list of Oculus there were references to parts of my blog. And so I think I can claim that some of the features that we have now came from my blog complaining about it on the plane. That's a good claim to fame. I'm excited about it. I think it'll be... I'm torn whether or not I'll be in the
first gen or not. I know it's going to be, you know, extremely expensive for a first-gen product. I think the rumor I've heard is somewhere around, like, 3,000 and 4,000 dollars to start, which leads me to believe it's going to be probably more expensive, you know, past that, for whatever add-ons and stuff like that. But it seems like such a cool thing, and, you know, I'm sitting here in a hotel room, we're recording this.
I can absolutely see a point where, instead of me looking at my laptop screen, we're doing this over AR, and my screen is my AR glasses or whatever, you know, and that becomes the monitor for your computing life, right? Maybe it runs off of a puck, like your iPhone, or, you know, in the Samsung world they have, like, DeX, which is kind of like a quasi-desktop type environment thing. And it's super cool and super exciting for me, and I can't wait.
But at the same time, I know it's going to be interesting watching the social sort of acceptance of, "Oh, there goes that weirdo with the glasses again," versus "There goes that weirdo not wearing the glasses again," you know. Yeah, remember the glassholes? Yep, yep. Yeah. Google Glass and its short commercial lifespan. I think they've taken on some use cases in the
enterprise and that kind of thing. Yeah, they tried, but I think I heard recently that they are winding that part down as well. Pity, like, Google did really interesting stuff for VR. Like, Tilt Brush is a fantastic drawing app, but they're divesting most of that stuff. When I got my HTC Vive, which is sort of, which would have been the Oculus competitor at the time, Tilt Brush was the thing that I would show off to people as, like, this is what this is about, like, imagine, right?
It was very much a tech demo, but there were some really talented artists doing some crazy stuff within it. And for people who aren't familiar, Tilt Brush is kind of like this 3D... if you took, like, Windows Paint or Microsoft Paint and turned it into a 3D scenario where you have, like, a brush and you can choose different styles and colors. But you paint in 3D inside of a cube, and there were some amazing things that you could do, you know, with that sort of
concept. It's almost like 3D modeling, but by hand. Oh yeah, and now there are so many apps, including modelers, that are absolutely incredible. I wish I had more time. And now that I have short hair, I can actually use this thing better. Before, with all the fluff, it was always, if I used it, then my volume... I wasn't on the bright side. Jim, I know you're not super into the AR/VR stuff, but what are your thoughts? Conceptually, I love it. I mean, I think it...
I think as humans we're already able to have so many more experiences than people in the past have had, especially in terms of travel. You want to go to the beach? Get on an airplane, go to the beach. You want to go to the mountains? You want to go to other countries? You can do all those things. I think with VR you could potentially go anywhere. So, you know, I think that's a
really exciting thing. I think also using it for exactly the thing you brought up, in terms of having meetings and things like that, I think all that's exciting. So yeah, I love the concept. All right. Well, why don't we go ahead and leave it there for this week. Vittorio, as always, thank you so much for joining us. I'll have a bunch of links in our show notes based on this conversation. So congratulations again on RFC 9470. I'll put a link to that.
I'll put a link to Brian's Ping blog post, sort of about what's been going on, and then anything else that we mentioned, I'll dig up and put links for that as well. So thank you so much for taking the time with us. Any final thoughts as we wrap things up for this week? Thank you so much for having me. Sorry for my short-winded voice, but as always, it's great to chat with you guys. Thank you. We love you, Vittorio. Thank you for coming on the show again.
We're going to go out and leave it there. So thanks, Vittorio. Thanks, Jim. And yeah, I'm going to do just a normal outro, just be like, that's it. So we'll talk with everyone in the next one. Thank you, guys. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identityatthecenter.com and find us on Twitter at IDAC Podcast. See you next time on Identity at the Center.
