Planet OpenID

November 16, 2015

KDDI joins Verizon and Deutsche Telekom to set the direction for OpenID Connect on mobile platforms

The Japanese Mobile Network Operator and market leader KDDI has joined the Board of Directors of the OpenID Foundation. KDDI joins Verizon and Deutsche Telekom as global telco giants helping set the direction for OpenID Connect on the platform of choice: the mobile device. KDDI’s leadership comes at an opportune time, as the MODRNA (Mobile Operator Discovery, Registration and Authentication) Working Group, which is developing a profile of OpenID Connect for MNOs providing identity services to RPs (Relying Parties), is rapidly building consensus on optimizing global interoperability.

KDDI brings practical user experience across a broad range of relying party applications. KDDI will leverage OpenID Connect throughout its “AU ID” platform, including “AU Smart Pass” and “AU Wallet Market,” as well as a portfolio of settlement services on prepaid and credit cards for a user base of over 25 million customers. KDDI’s input, like that of other OIDF members such as the GSMA, is critical to building reliable, flexible and scalable deployments.

KDDI’s announcement was a highlight of the OpenID Foundation Japan Conference, a gathering of almost 500 developers, technologists and business leaders in Tokyo. Experts from Google, Microsoft, Ping Identity and others led an in-depth review of the status of each OpenID Foundation working group and conducted hands-on self-certification testing workshops. A series of presentations highlighted the linkage of technical protocols with trust framework governance rules. OpenID Foundation Japan is planning new initiatives around localization of documentation and a new wave of OpenID Connect self-certifications by members large and small in early 2016.


The signers: Don Thibeau, ED of OIDF, and Yasuhide Yamamoto, Executive Officer of KDDI.



by jfe at November 16, 2015 02:18 PM

November 14, 2015

Nat Sakimura

Pray for France: the Paris coordinated terror attacks, and what to do during a terror attack




US President Obama issued a statement saying, “This is an attack not just on Paris and the people of France, but on all of humanity and the values we share: liberty, equality, fraternity” [2], and the leaders of other countries have issued statements one after another [3]. One World Trade Center, built on the site of the 9/11 attacks, has lit its antenna in the French tricolor as a call for solidarity. I wonder whether the Skytree will do something similar tonight…




  • Stay away from windows. (The police or military may take you for a terrorist or insurgent and shoot you.)
  • Don’t even think of photographing the outside with a camera. (They will think you are aiming a scope at them and shoot you.)
  • Don’t go anywhere that is visible through a window. (You will be hit by stray bullets.)
  • Choose where you stay with the range of ricochets in mind.
  • Drop to the floor immediately whenever a gunfight is possible. (Especially when friendly forces storm in.)
  • Even if a car that looks like an acquaintance’s arrives, the people inside may be someone else, so don’t open gates or doors unless you are certain.
  • Get your information from reliable sources.



Official information is available from .

[1] TBS, “Coordinated terror attacks in Paris: shootings and explosions one after another, over 150 dead” (2015/11/14 10:09)
[2] CNN, “Shootings and explosions in Paris, 153 dead at a theater, a soccer stadium and elsewhere” (2015/11/14 10:36)
[3] Asahi Shimbun, “Leaders of countries issue condemnations one after another and express solidarity over the Paris coordinated terror attacks” (2015/11/14 11:26)
[4] I’d like crisis-management experts to give more detailed guidance on television and elsewhere…

by Nat at November 14, 2015 03:29 AM

November 10, 2015

Kaliya Hamlin

Grace Hopper Celebration and Presentation – Ethical Market Models.

In mid-October I had the opportunity to attend the Grace Hopper Celebration for Women in Computing for the first time.

Here is a link to the paper that I presented – MarketModels-GHC. Here are the slides.

I also had the pleasure of working on a Birds of a Feather session with Roshi from Google – she works on their identity team and was the one who asked me to work on the session with her, along with encouraging me to submit a proposal for a lightning talk.
We had a great discussion about the internet of things, considering various ideas about what internet of things things… we might invent and how we might identify ourselves to them.
The conference is really a giant job fair for undergraduate women CS majors. There is not a lot there for mid-career women; all of the ones I spoke to felt this way. I realize that if I was a young woman… at a CS department where most everyone is a man, attending this event would make me feel like the whole world opened up… and anything was possible.
The event made me more committed to putting energy into helping She’s Geeky expand and serve more cities and more women, particularly those who are at high risk of leaving the industry – those who have been in the industry for around 10 years.

by Kaliya Hamlin, Identity Woman at November 10, 2015 03:06 AM

Kaliya Hamlin

Thinking Ahead: Sean some people did…you didn’t.

So the Guardian is reporting on Sean Parker’s remarks at the Techonomy conference.

Thinking ahead.

“None of us could possibly have understood what it would mean to have a billion or two billion people potentially using these platforms regularly,” said Parker. “That wasn’t something that factored into anyone’s analysis in the starting of these companies. You just want to be a successful company. You want to understand the mechanisms that work, you want to play into them, you want to reinforce them, you want to be a successful company.”

It is refreshing to hear some self-reflection after the fact about the consequences of building a social platform driven by profit, with an incentive to get people to engage with it – personal and social costs be damned.

I think people did foresee and could understand some of the negative effects he is discussing – the problem is they just were not in the mix of young men founding these companies at the time. The fact is the narrow demographic of who was empowered with funds to create these systems (by men like Sean Parker and Peter Thiel) and who they subsequently chose to hire and listen to early on (read The Boy Kings to get the inside scoop on that) speaks volumes about what was built.

As a side note, I developed an outline for building a distributed social network for spiritual activist leaders and their followers in 2003-4. I even raised $35,000 and had two prototypes built in Drupal. I like to think that if I had gotten funding beyond that and had the chance to develop the vision, we would have been thinking about the social consequences.

Communities considering the future of social tools and online communities did think thoughtfully about the future and how things could play out and what was needed to support things evolving well from a user-centric perspective.  A great starting point published in 2003 is the Augmented Social Network: Building Identity and Trust into the Next Generation Internet.

by Kaliya Hamlin, Identity Woman at November 10, 2015 02:39 AM

November 05, 2015

Building on What’s Built: OpenID Certification Momentum

At the OpenID Certification Launch in April 2015, 6 organizations had certified 8 OpenID Connect Provider implementations for 21 conformance profiles. Now, as you can see at, 14 organizations and individuals have certified 16 OpenID Connect Provider implementations for 48 conformance profiles. The OpenID Foundation has championed self-certification as an important new trust building mechanism that can operate at Internet scale, and it’s working well.

The new certifications represent a broad set of industries and application areas: large companies like Deutsche Telekom – a leading European mobile operator, and small companies like Privacy Vaults Online (PRIVO) – which manages parental consent for children’s online access. This latest wave of certifications includes more from Microsoft – certifying their on-premises identity software, as well as developers like Cal Heldenbrand – in the real estate industry, and Dominick Baier, Brock Allen, Michael Schwartz, Justin Richer, and Roland Hedberg, each certifying their open source identity software. Congratulations to all for their achievements and for advancing interoperable digital identity across international borders and industry sectors.

Keep those certifications coming! Meanwhile, the ability to self-certify OpenID Connect Relying Parties is being finalized in anticipation of pilot RP certifications in 2016.

Don Thibeau
OpenID Foundation Executive Director

by Don Thibeau at November 05, 2015 07:28 AM

October 22, 2015

Announcing the OIDF iGov Working Group

A recent US NIST announcement describes the newly formed OIDF International Government Assurance Profile (iGov) Working Group which is an international public and private sector collaboration that will develop an interoperable profile of OpenID Connect to allow users to authenticate and share consented attribute information in a consistent and user-centric manner. With over 10 international governments and multiple private sector organizations already participating, iGov will help enable secure and privacy-enhancing authentication and authorization transactions based on common requirements from the global community. The iGov WG Page is set up at: The link to subscribe to the mailing list is:

Those interested in participating will need to submit signed IPR agreements indicating the iGov Profile WG. The link to the IPR agreement is at The IPR agreement can be submitted online via DocuSign. IPR agreements have been received from NIST, Ping, and Microsoft. Once interested parties and OIDF members have signed up they will need to approve the iGov charter. Document contributions to the Working group should be sent to the mailing list, and then can be added to our official document repository.

by jfe at October 22, 2015 09:58 PM

October 13, 2015

Nat Sakimura

Pre-IIW OpenID Workshop @ Mountainview (2015/10/26)


OpenID Foundation Workshop before Fall 2015 IIW Meeting

Hosted by Symantec for the OpenID Foundation

Monday, October 26, 2015 from 11:00 AM to 6:00 PM (PDT)

The first meetings of the iGov WG and of the SAP (Strong Authentication Protocol) WG, which will examine combining “strong authenticators” such as FIDO authentication methods with Connect, will also be held here.

Planned Agenda:

11:00 – 11:30   Introduction – Don Thibeau
11:30 – 12:00   OpenID Connect – Mike Jones, John Bradley
12:00 – 01:00   Lunch
01:00 – 02:00   OpenID Connect Conformance Testing – Mike Jones and Roland Hedberg, UMEA University
02:00 – 02:30   iGOV Profile of OpenID Connect – John Bradley, et al.
02:30 – 03:00   MODRNA (Mobile OpenID Connect Profile) – Torsten Lodderstedt, John Bradley
03:00 – 03:30   Break
03:30 – 04:00   Account Chooser – Pamela Dingle
04:00 – 04:30   RISC – Adam Dawes
04:30 – 05:00   Native Applications – Paul Madsen
05:00 – 05:30   Health Relationship Trust Profiles (HEART) – Deb Bucci, Eve Maler

by Nat at October 13, 2015 04:17 AM

October 12, 2015

OpenID Connect’s Real Estate Identity

One of the sure signs of adoption momentum is when other standards organizations, particularly those not typically involved in online identity, implement OpenID Connect and leverage self certification throughout their networks. A new member, Cal Heldenbrand shared the context for a new deployment and the value of self certification in his notes below:

“The Real Estate Standards Organization (RESO) is tasked with the difficult goal of standardizing all of the real estate data in the US and Canada. This includes the data payload, the fields, formats, transport mechanism, and authentication/authorization. This is effectively called the Real Estate Transaction System (RETS). RETS is a 16 year-old standard based on XML, and every real estate website uses it.

The world has changed quite a bit since 1999, and we needed something new and easy to use. Mobile friendly, and developer friendly. The initial learning curve for RETS can be a little daunting, and we want to attract new software companies and developers to our industry. We’ve created the RESO RETS Web API to make life a little easier in the real estate sector. The data transport is using OData V4. On the auth side, we started using OAuth2 around January 2014. At that time, OpenID Connect was very cool looking, but I was hesitant to recommend it to RESO until it was a fully finalized, ratified standard.

There are hundreds of software companies working together in our industry. Writing an interoperable OAuth2 protocol using the framework was difficult. Since there is no OAuth2 standard, it seems like every major installation in the world has their own spin on it. That’s bad. It also meant that I couldn’t just copy how someone else did it, I had to make our own.

Plus, the absence of endpoint metadata means we have to document where everything lives, then ask clients to hard code URLs for every OAuth2 provider. It’s a lot of busywork for a developer to add a new IdP to a software installation.

After OpenID Connect became a finalized standard, I gave a presentation to RESO showing how one website in our industry could accept identities from Google, Microsoft, Amazon, and also from our own OpenID Connect Provider, Spark Platform. Since it’s an actual protocol standard, we could simply plug in IdPs with a small configuration change, and the OpenID Connect client libraries would handle the rest. That’s really powerful. We’re used to SSO integrations taking weeks to complete. With OpenID Connect, that turns into minutes.

One suggestion I do have though — I’d like to see the Discovery specification be part of the required Core. It’s such a simple piece to write, and very integral in the grand scheme of what makes OpenID Connect easy to use.

The certification process was pretty easy as well. I was expecting it to be more intensive! Our environment is Ruby on Rails, and I used Nov’s openid_connect Ruby gem for constructing ID Tokens. Other than that, my Provider is written from scratch. It took me about 2 weeks to have a very simple provider running for demo purposes. Then another 2 weeks to have it fully compliant with the certification tools. This is also alongside my usual day job tasks of web operations. I’d have to say this was a breeze compared to the old OpenID 2.0.

Thanks for making a great standard!”

And thanks to Cal and the Real Estate Standards Organization (RESO) team for sharing their use case and feedback.

Don Thibeau
The OpenID Foundation

by jfe at October 12, 2015 01:23 PM

October 06, 2015

Nat Sakimura






by Nat at October 06, 2015 05:22 PM

Nat Sakimura




  1. A person claiming to be from a public consultation desk tells the victim a fake My Number over the phone.
  2. A different man asks her to “lend” him her My Number, and she tells him.
  3. The next day, he demands a cash payment, saying that disclosing a My Number is a crime. The woman pays several million yen by mail and in person.





[1] Consumer Affairs Agency, “Beware of fraudulent solicitations and collection of personal information exploiting the My Number system!” (2015/10/6)

by Nat at October 06, 2015 03:34 PM

September 30, 2015

Nat Sakimura

I will be speaking at the 5th Biometrics and Recognition/Authentication Symposium on November 13

On Friday, November 13, from 15:50, I will give a talk at the “5th Biometrics and Recognition/Authentication Symposium”.


Privacy Trust Frameworks and the Personal Data Utilisation

The Act on the Protection of Personal Information has been amended for the first time in 12 years. Although the amended act clarifies the definition of personal information by introducing the concept of individual identification codes, handling that is tailored to the privacy-impact risk of each kind of personal information was, apart from special-care-required personal information, deferred to the revision three years from now. Meanwhile, handling personal information is not just a matter of looking at the Act on the Protection of Personal Information: beyond complying with other laws, efforts to avoid public outrage (“flaming”) are also needed. That requires transparency and accountability in how information is handled. A privacy trust framework, which labels how information is handled according to its risk, can help toward that end, and further work on it is anticipated.

The Biometrics and Recognition/Authentication Symposium in Tokyo covers biometrics and related research fields and is held on November 12 and 13 at the Takeda Frontier Science Building, Hongo Campus, University of Tokyo. Details are at [1]; please come and join.

[1] 5th Biometrics and Recognition/Authentication Symposium

by Nat at September 30, 2015 05:53 AM

September 28, 2015

Nat Sakimura



The liquid water in question has a very high salt (perchlorate) concentration, but they say they have found evidence of it. It was not observed directly, however. Chemical substances absorb characteristic spectra, and when the streaks called Recurring Slope Lineae (RSL), which appear seasonally on Mars, were analyzed in satellite images, they were judged to be perchlorate. Because the atmospheric pressure at the Martian surface is low, pure water evaporates at 10 degrees Celsius, but this perchlorate brine stays liquid from minus 70 degrees up to about 24 degrees, so they infer that water exists as a liquid in the RSL. This water apparently flows seasonally from near the tops of some hills, leaves thin, long, dark trails, and then evaporates every year. At the NASA press conference [0], they showed video of this water flowing out (or seeping out; I’m not sure which). It seems Mars is not the dry planet it was thought to be, but a planet with a humid atmosphere and soil.






Satellite images have identified narrow streaks that appear on slopes during warm seasons, lengthen, and then fade when conditions become cooler. Photograph: Nasa/JPL/University of Arizona/PA


[0] I’m watching NASA’s announcement live right now. On Twitter, questions are being taken at #askNASA. The recording can be viewed at . A summarized video has been posted on Facebook →

[1] Meanwhile, American journalists seem concerned about whether spacecraft sent from Earth might biologically contaminate Mars.

[2]  Nasa scientists find evidence of flowing water on Mars

by Nat at September 28, 2015 04:09 PM

Nat Sakimura

I will give the closing talk at the ID Management Conference on October 9







  1. Qing China’s “Western techniques for practical use” vs. Japan’s “reform of institutions”
  2. Denmark: citizen portal vs. Digital Austria
  3. Denmark’s revenge
  4. The UK’s Digital by Default
  5. The aging of Japan’s infrastructure and its falling behind internationally
  6. Digital identity models and productivity improvement
  7. Corporate numbers and the public disclosure function
  8. The My Number system and smartphone IdPs: My Number opening up the future
  9. Information asymmetry and trust frameworks
  10. Industrie 4.0’s promotion structure, three integrations, and productivity improvement
  11. Ali Baba and the thieves, the Roman army’s key distribution protocol, IBM 7090 passwords
  12. IdM done because you have to
  13. IdM that makes money



by Nat at September 28, 2015 03:10 PM

Nat Sakimura

The return envelope for the UPQ A01 is unexpectedly analog

Well, straight to the point: the return envelope for the UPQ A01 has arrived.







[1] Katsuya Tonomura, “Do this before trading it in! How to completely wipe an Android smartphone”, x Digital (retrieved 2015/9/28)

by Nat at September 28, 2015 02:28 PM

September 26, 2015

Nat Sakimura

UPQ Phone A01 unboxing ceremony → uh-oh, the technical conformity mark… → and a recall

The UPQ Phone A01 arrived about a month later than originally planned.




The battery is Chinese-made. It is labeled Made in PRC rather than Made in China. I learned only now that PRC is short for People’s Republic of China. I have read that manufacturers started using PRC because things labeled Made in China don’t sell, but who knows.






The point of interest is the technical conformity (giteki) mark. It was obtained from the Certification Technology Support Center (018), and the part circled in red at the bottom reads D15-0035018. The letter at the start indicates the type of terminal that received certification.[1]









So I booted it without inserting a SIM. The rather cool boot screen, “Designed in Tokyo”, is nice. It starts out black and then cycles through various colors.

Incidentally, after booting I expected an initial setup screen with lots of things to configure, but nothing of the sort appeared and it simply started right up. Once you set up a Google Account and a mail account, it becomes usable as a data terminal, at least. So that’s it for today. Continuing with a SIM inserted will have to wait… until the recalled device comes back, I suppose…

[1] Telecommunication Terminal Equipment Examination Association (JATE), “On the conformity approval system for telecommunication terminals”

[2] Incidentally, here is what it looks like on an iPhone.



by Nat at September 26, 2015 02:35 AM

September 23, 2015

Foundation Activity and Progress Report September 2015

I spoke last week at the European Identity Management Conference in Amsterdam and this week in Florida at the Global Identity Summit; in both venues, adoption of and interest in the evolution of OpenID Connect were clearly evident and important. In a panel I chaired, OpenID Foundation member GSMA referenced the important role OpenID Connect plays in their Mobile Connect deployment. Bjorn Hjelm of Verizon shared an overview of the MODRNA WG and potential synergies with Account Chooser that he is testing with Pam Dingle.

Together with leaders from the US NIST, the OpenID Foundation will announce the formation of our newest work group, “iGOV”, a profile intended to optimize OpenID Connect for government-to-citizen applications. NIST is organizing a collaboration with UK and European peers. John Bradley has provided important continuity and leadership in this regard and will post the appropriate WG information soon. OpenID Foundation member Justin Richer provides important continuity in these matters, which may benefit the HEART WG as well.

Our colleagues at the US NIST plan to include iGOV and OpenID Connect in a workshop planned for January 2016 in the Washington DC area. I will provide more details on OpenID Foundation’s involvement as details become available.

In Amsterdam, the European audience and our colleagues at companies like CA, Ping, ForgeRock and others were quite vocal about the importance of the OpenID Foundation providing more information, visibility and support for adoption efforts in the UK and Europe. The high visibility and potential impact of upcoming EU regulation of identity systems is a forcing function for interest, investment and education in open identity standards and associated trust frameworks.

The request of European members and potential members was such that I tentatively committed the OpenID Foundation to workshops in Amsterdam and London in the first quarter of 2016. The Foundation will coordinate with member companies like Ping and Forgerock that have company specific efforts now underway to coordinate calendars and content. We hope to build on this interest to optimize the run up to the planned OpenID Foundation Workshop in Munich at the EIC May 10 to 13. The OpenID Foundation will also coordinate with the Open Identity Exchange to find economies of scale and other synergies.

Your comments and contributions are requested.

Don Thibeau

by jfe at September 23, 2015 02:31 PM

September 18, 2015

Nat Sakimura



by Nat at September 18, 2015 12:56 AM

Nat Sakimura

OAuth PKCE has been published as RFC 7636

“OAuth PKCE” (pronounced “pixy”), on which John Bradley (Ping), Naveen Agarwal (Google) and I are credited as co-authors, has been published as [RFC 7636]. It was originally called OAuth SPOP (Symmetric Proof of Possession), but because it was extended to a form not limited to symmetric keys, it was renamed Proof Key for Code Exchange (PKCE, “pixy” as in the fairy), which is the name it carries today.

This specification addresses the code interception attack vulnerability of public clients in OAuth 2.0 [RFC6749]: the client generates an ephemeral key and performs proof of possession of that key. It is backward compatible with RFC 6749 and simple to implement, so I think everyone should just use it from now on.

My deep thanks to Eduardo Gueiros, James Manger, Brian Campbell, Mike Jones, William Denniss, and everyone who took part in the security review of this specification. Likewise, my thanks to the OAuth working group, its chairs, the area directors, and everyone at the IETF involved in developing this specification.

I would add that OAuth PKCE has already been widely adopted, including by a certain company’s video site app.
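The proof-of-possession check described above, as an added example that is not code from the post, the RFC or any library. A public client creates an ephemeral code_verifier, sends the S256 code_challenge with its authorization request, and the server recomputes the challenge from the verifier presented at the token endpoint, so a code captured in transit cannot be redeemed without the verifier. The in-memory server dict and every function name here are this example’s own assumptions.

```python
"""PKCE (RFC 7636) end to end, as an added example. All names are this
example's own; the `server` dict stands in for an authorization server's
storage of issued codes."""
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 Appendix A specifies."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def make_code_verifier(nbytes: int = 32) -> str:
    """32 random octets encode to 43 unreserved characters; RFC 7636 requires
    43..128 characters drawn from [A-Za-z0-9-._~]."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """S256: BASE64URL(SHA256(ASCII(code_verifier))). 'plain' is the verifier
    itself and exists only for clients that cannot hash."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError("unsupported code_challenge_method: " + method)


def verify_code_verifier(verifier: str, challenge: str, method: str) -> bool:
    """Token-endpoint check. Fails closed on a bad length or unknown method and
    compares in constant time."""
    if not (43 <= len(verifier) <= 128):
        return False
    try:
        expected = make_code_challenge(verifier, method)
    except (ValueError, UnicodeEncodeError):
        return False
    return hmac.compare_digest(expected.encode("utf-8"), challenge.encode("utf-8"))


# --- one complete exchange against an in-memory authorization server ---

def authorization_request(server: dict, code_challenge: str, method: str) -> str:
    """The server issues an authorization code and stores the challenge with it."""
    code = b64url(secrets.token_bytes(16))
    server[code] = {"challenge": code_challenge, "method": method, "used": False}
    return code


def token_request(server: dict, code: str, code_verifier: str) -> bool:
    """Redeeming the code requires the verifier that only the originating
    client holds. Codes are single-use whether or not the verifier matches."""
    entry = server.get(code)
    if entry is None or entry["used"]:
        return False
    entry["used"] = True
    return verify_code_verifier(code_verifier, entry["challenge"], entry["method"])


def run_flow(use_correct_verifier: bool = True) -> bool:
    """True when the client that started the flow finishes it; False when a
    party holding only the code presents a verifier of its own."""
    server = {}
    verifier = make_code_verifier()
    code = authorization_request(server, make_code_challenge(verifier), "S256")
    presented = verifier if use_correct_verifier else make_code_verifier()
    return token_request(server, code, presented)


if __name__ == "__main__":
    print("originating client redeems code:", run_flow(True))
    print("code holder without the verifier:", run_flow(False))
```

The verifier never leaves the client until the token request, and the challenge is a one-way function of it, so observing the authorization response (where the code travels) gives nothing that can complete the exchange; that is the whole of the backward-compatible fix the post refers to.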

[RFC 7636] Sakimura, N., Bradley, J., and N. Agarwal: Proof Key for Code Exchange by OAuth Public Clients (2015/9),

[RFC6749] Hardt, D.: The OAuth 2.0 Authorization Framework (2012),

by Nat at September 18, 2015 12:21 AM

September 09, 2015

OIDF Summit in Tokyo November 10, 2015

The OpenID Summit Tokyo 2015 will be held this November 10 and will feature technical discussions about OpenID Connect as well as governance in Identity Ecosystem and the IoT (Internet of Things).

Registration is now open and registration details for the event are available here:

The call for presentations is available here: We are soliciting 15 minute presentations plus a 5 minute Q&A including those on:
– New approaches in patient centric consent; e.g., HEART WG
– OpenID Connect for mobile applications; e.g., MODRNA

Proposed presentations will complement those the OpenID Foundation has already secured:
– General Overview of the OpenID Foundation and its Work Groups by Don Thibeau Executive Director OpenID Foundation
– The market impact of OpenID Connect Self Certification, plans for RP certification and its value in internal OA/QC development processes by Mike Jones of Microsoft;
– New models and initiatives in security, e.g., RISC WG and the curation of best practice reference libraries, e.g., Native Applications WG by John Bradley of Ping Identity

The OpenID Foundation Board of Directors has authorized a delegation to meet with new and current OpenID Foundation Japan members, prospective members, and government agencies like the Ministry of Economy, Industry and Trade, the Ministry of Internal Affairs and Communications, and the National Center of Incident Readiness and Strategy for Cyber Security.

The OpenID Foundation delegation will meet also with Masanori Kusunoki, the new chair of the OpenID Foundation-Japan and an executive advisor to the Japanese Government CIO.

Please feel free to contact me for more information.

Don Thibeau
The OpenID Foundation

by jfe at September 09, 2015 07:01 PM

Nat Sakimura

JSON Web Key (JWK) Thumbprint has been published as RFC 7638

“JSON Web Key (JWK) Thumbprint”, on which Mike Jones and I are credited as co-authors, has been published as [RFC 7638].

This specification defines a method for computing a stable hash value of a JSON Web Key (JWK). Specifically, it describes which JWK fields are used in the hash computation, how those fields are canonicalized, how the resulting Unicode string is converted to a byte sequence, and how the hash value is obtained from that byte sequence. The resulting hash value can be used to identify and select the JWK that holds the key in question.

My deep thanks to James Manger, John Bradley, Mike Jones (who once again did heroic work), and everyone who took part in the security review of this specification. Likewise, my thanks to the JOSE working group, its chairs, the area directors, and everyone at the IETF involved in developing this specification.

I would add that the JWK Thumbprint is used as the “sub” (subject) claim value of OpenID Connect self-issued ID Tokens.
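The four steps just listed (choose the required members, canonicalize, encode, hash), as an added example that is not code from the post or from any JOSE library. The required members per key type follow RFC 7638 section 3.2; the sample EC key is constructed, with placeholder coordinate strings, and select_key is this example’s own helper for the self-issued “sub” use mentioned above.

```python
"""RFC 7638 JWK Thumbprint, as an added example. SAMPLE_EC_KEY is constructed
(its coordinates are placeholders, not a real point), and select_key is this
example's own helper."""
import base64
import hashlib
import json

# Required members per key type (RFC 7638 section 3.2); nothing else is hashed.
REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "oct": ("k", "kty"),
}

# Constructed sample. "kid" and "use" are optional members and must not
# influence the thumbprint.
SAMPLE_EC_KEY = {
    "kty": "EC", "crv": "P-256",
    "x": "constructed-x-coordinate", "y": "constructed-y-coordinate",
    "kid": "constructed-1", "use": "sig",
}


def canonical_jwk(jwk: dict) -> str:
    """The exact string that gets hashed: only the required members, keys in
    lexicographic order, no whitespace, non-ASCII characters kept as-is."""
    kty = jwk.get("kty")
    if kty not in REQUIRED_MEMBERS:
        raise ValueError("unsupported or missing kty: %r" % (kty,))
    missing = [m for m in REQUIRED_MEMBERS[kty] if m not in jwk]
    if missing:
        raise ValueError("JWK is missing required members %s" % missing)
    subset = {m: jwk[m] for m in REQUIRED_MEMBERS[kty]}
    return json.dumps(subset, sort_keys=True, separators=(",", ":"), ensure_ascii=False)


def jwk_thumbprint(jwk: dict, hash_name: str = "sha256") -> str:
    """base64url(hash(UTF-8(canonical JWK))) without padding."""
    digest = hashlib.new(hash_name, canonical_jwk(jwk).encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def select_key(jwks: list, thumbprint: str):
    """Find the key in a JWK Set whose thumbprint matches, e.g. when the
    thumbprint arrives as the 'sub' of a self-issued ID Token. Keys of a type
    this example does not know are skipped rather than trusted."""
    for key in jwks:
        try:
            if jwk_thumbprint(key) == thumbprint:
                return key
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    print(canonical_jwk(SAMPLE_EC_KEY))
    print(jwk_thumbprint(SAMPLE_EC_KEY))
```

Because optional members are dropped and the remaining ones are sorted before serialization, two JWK documents describing the same key produce the same thumbprint regardless of member order or extra metadata, which is what makes the value usable as a stable identifier.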

[RFC 7638] Jones, M., N. Sakimura: JSON Web Key (JWK) Thumbprint (2015/9),

by Nat at September 09, 2015 07:57 AM

August 31, 2015

Nat Sakimura


Researchers at Indiana University and Penn State University have presented a simple and fast technique that can also detect much of the malware used in zero-day attacks.

The technique is presented in the paper Finding Unknown Malice in 10 Seconds: Mass Vetting for New Threats at the Google-Play Scale [1]. I haven’t read it properly yet, but from a quick look, the idea is:

  1. Most Android malware is a repackaging of existing malware => you can tell by looking at the Java methods,
  2. Apart from the methods of well-known libraries, unrelated apps using the same methods is suspicious,

and the check is carried out by

  1. First, building a list of the methods of well-known libraries (A),
  2. Extracting the methods of each apk file in the Google Play store (b_i),
  3. For each i, computing c_i = b_i \ A,
  4. For all i, j, checking whether c_i ∩ c_j ≠ ∅.

If there is any c_i ∩ c_j ≠ ∅, that is suspicious.
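The four-step check above, written out as an added example that is not the paper’s code and does not claim to reproduce its implementation. The app names and method names are constructed for this example; in practice b_i would be the method lists extracted from apk files.

```python
"""Shared-method heuristic (c_i = b_i \\ A, then pairwise c_i ∩ c_j), as an
added example. App and method names below are constructed."""
from itertools import combinations

# A: methods belonging to well-known libraries. Sharing these proves nothing,
# so they are removed before any comparison.
KNOWN_LIBRARY_METHODS = {
    "com.google.android.gms.ads.AdView.loadAd",
    "com.google.android.gms.ads.AdRequest$Builder.build",
    "com.android.volley.RequestQueue.add",
}

# b_i: the method set extracted from each app (constructed).
APP_METHODS = {
    "calc": {
        "com.example.calc.MainActivity.onCreate",
        "com.example.calc.Eval.run",
        "com.google.android.gms.ads.AdView.loadAd",
    },
    "weather": {
        "com.example.weather.Forecast.fetch",
        "com.android.volley.RequestQueue.add",
        "com.unknown.Loader.a",  # unexplained code also present in "flashlight"
        "com.unknown.Loader.b",
    },
    "flashlight": {
        "com.example.torch.Torch.toggle",
        "com.unknown.Loader.a",
        "com.unknown.Loader.b",
    },
    "notes": {"com.example.notes.Note.save", "com.example.notes.Note.load"},
}


def strip_known_libraries(app_methods: dict, known: set) -> dict:
    """c_i = b_i \\ A for every app i."""
    return {app: set(methods) - known for app, methods in app_methods.items()}


def shared_method_pairs(residual: dict, min_shared: int = 1) -> list:
    """Every pair (i, j) with c_i ∩ c_j ≠ ∅, together with the shared methods.
    Sorted input and output make the result deterministic. This is the plain
    O(n^2) form of the check; an index from method to apps would be needed at
    store scale, which this example does not attempt."""
    hits = []
    for (a, ca), (b, cb) in combinations(sorted(residual.items()), 2):
        common = ca & cb
        if len(common) >= min_shared:
            hits.append((a, b, tuple(sorted(common))))
    return hits


def suspicious_apps(app_methods: dict, known: set, min_shared: int = 1) -> list:
    """Apps that share non-library methods with an unrelated app."""
    flagged = set()
    residual = strip_known_libraries(app_methods, known)
    for a, b, _ in shared_method_pairs(residual, min_shared):
        flagged.update((a, b))
    return sorted(flagged)


if __name__ == "__main__":
    residual = strip_known_libraries(APP_METHODS, KNOWN_LIBRARY_METHODS)
    for a, b, methods in shared_method_pairs(residual):
        print(a, "and", b, "share:", ", ".join(methods))
```

The min_shared threshold is where a reviewer tunes false positives: one coincidentally identical method name is weak evidence, while a whole cluster of identical non-library methods across apps from different publishers is exactly the repackaging signal the paper describes.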


Under the current Google Play store review regime, when a piece of malware is removed it is only the developer who is removed, so the same code often gets submitted by a different applicant and passes; putting a mechanism like this into the review process looks like it would be very useful.

[1] Chen, K., et al.: Finding Unknown Malice in 10 Seconds: Mass Vetting for New Threats at the Google-Play Scale, Indiana University (2015/8/31)

by Nat at August 31, 2015 08:25 AM

August 19, 2015

Nat Sakimura


(Image: Ashley Madison site)






In the IoT era, neither complete control over privacy data nor guaranteed confidentiality will be possible. In January 1999, Scott McNealy, then president of Sun Microsystems, used the phrase “zero privacy”: “You have zero privacy anyway. Get over it.” [3] He was pilloried for it, but I think everyone can appreciate those words today. Rephrased in today’s terms:

“When you come across information that someone else surely wants kept private, pretend you didn’t see it and leave it alone.” [4] Yes, that is what “privacy respecting” means, in other words “grown-up privacy”.



[1] Ashley Madison:

[2] Widely reported, e.g. Gizmodo: “All of America wept. The affair site’s customer data really has been exposed online”, CNET: “Member data from the affair site Ashley Madison finally to be published online? Hackers issue statement”.

[3] Scott McNealy: “You have zero privacy. Get over it.” (1999/1), from Wired: “Sun on Privacy: ‘Get Over It’” (1999/1/26)

[4] “The right to privacy is the right to be let alone.” The famous phrase defining the right to privacy from Warren & Brandeis’s paper [5]. Words worth savoring.

[5] Warren, S.D., Brandeis, L.D.: “The Right to Privacy” (1890), Harvard Law Review, Vol. IV, No. 5, December 15, 1890

by Nat at August 19, 2015 12:05 PM

August 18, 2015

Registration Now Open for OIDF Workshop October 26, 2015

Registration is now open for the OpenID Foundation Workshop being held on October 26, 2015 (the Monday before the Fall IIW meeting) at Symantec’s HQ in Mountain View, CA. OpenID Foundation Workshops provide early insight and influence on widely adopted online identity standards like OpenID Connect. The workshop provides updates and hands-on tutorials on the new OpenID Connect Self Certification Tests by developer Roland Hedberg and the UMEA University team. We’ll review progress on MODRNA (the Mobile Profile of OpenID Connect) as well as other protocols in the OIDF pipeline like RISC, HEART, Account Chooser and Native Applications. We hope to launch the new iGOV Work Group’s development of a profile of OpenID Connect for government applications. Leading technologists from Forgerock, Microsoft, Google, Ping Identity and the US Government will review work group progress and discuss how they enable new solutions for enterprise and government Internet identity challenges. Thanks to OpenID Foundation Board Members Roger Casals and Brian Berliner and Symantec for hosting the workshop.
Planned Agenda:
11:00 – 11:30 Introduction – Don Thibeau
11:30 – 12:00 OpenID Connect – Mike Jones, John Bradley, Nat Sakimura
12:00 – 01:00 Lunch
01:00 – 01:30 iGOV Profile of OpenID Connect – John Bradley, et al.
01:30 – 02:00 MODRNA (Mobile OpenID Connect Profile) – Torsten Lodderstedt, John Bradley
02:00 – 02:30 Break
02:30 – 03:00 Account Chooser – Pamela Dingle
03:00 – 04:00 RISC – Adam Dawes
04:00 – 04:30 Native Applications – Paul Madsen
04:30 – 05:00 Health Relationship Trust Profiles (HEART) – Deb Bucci, Eve Maler, HMG Cabinet Office Chairs
05:00 – 06:00 OpenID Connect Conformance Testing – Mike Jones and Roland Hedberg, UMEA University

by jfe at August 18, 2015 09:19 PM

August 17, 2015

Nat Sakimura


It appears that the “big data” of many companies is leaking all over the place. According to the results [2] of a survey by BinaryEdge [1], a security company in Zurich, Switzerland, huge amounts of data are exposed on the Internet as-is. The total: 1.1 petabytes.

The company’s survey scanned the Internet-facing hosts of a wide range of companies, from Fortune 500 firms to startups, and pulled metadata from publicly exposed MongoDB, Memcached, Elasticsearch, Redis cache and similar services. (The company states explicitly that it did not retrieve the data itself.)


  • 35,330 Redis caches,
  • 39,134 MongoDB instances,
  • 118,574 Memcached instances,
  • 8,990 Elasticsearch instances


The Register followed up on this survey with further reporting in an article [4]. According to it, the metadata shows items such as

  1. “usernames”, “passwords”, “session tokens” and the like;
  2. at medical institutions, “patients”, “doctor lists” and the like;
  3. at banks, “coin”, “money” and the like;
  4. at robot manufacturers, “blueprints”, “project names” and the like;

being exposed. Readers of this blog will probably be most interested in 1 and 2. Leaked passwords are beyond the pale, and session tokens look usable for session hijacking as well. “Patients” suggests that medical data may be exposed, which raises the prospect of serious privacy violations.




[1] BinaryEdge

[2] Binary Edge:Data, Technologies and Security – Part 1 (2015-08-17),

[3] The results above apparently exclude companies that asked not to have their IP ranges scanned, so in reality even more servers are believed to be exposing data.

[4] Leyden, John:Misconfigured Big Data apps are leaking data like sieves, The Register (2015-08-13),

by Nat at August 17, 2015 06:55 AM

August 10, 2015

Nat Sakimura


The HTC One Max’s fingerprint reader was found to have stored fingerprints in a form anyone could read. Photo: HTC

According to a Guardian article [1], it has come to light that HTC smartphones were storing users’ fingerprint images in a form anyone could read. The discovery was made by four FireEye researchers, whose paper [3] was presented at Black Hat [2] on August 5. The fingerprint images were reportedly stored unencrypted and world-readable at /data/dbgraw.bmp, so any app or the like could read them freely.






[1] The Guardian: “HTC stored user fingerprints as image file in unencrypted folder”, (2015/8/10)

[2] BlackHat Briefings – August 5-6,

[3] Zang, Y., Zhaofeng, C., Xue, H., Wei, T.: “Fingerprints On Mobile Devices: Abusing and Leaking”, (2015/8)

[4] Biggs, J.:”HTC Is Now Essentially Worthless (And Insecure)”, (2015/8/10), TechCrunch,

by Nat at August 10, 2015 05:53 PM

Nat Sakimura





1 Put pressure not on the Diet but on Chinese embassies around the world

2 Argue for shutting down thermal power and going entirely nuclear







Article 26. All people shall have the right to receive an equal education correspondent to their ability, as provided by law. All people shall be obligated to have all boys and girls under their protection receive ordinary education as provided for by law. Such compulsory education shall be free.

Article 27. All people shall have the right and the obligation to work. Standards for wages, hours, rest and other working conditions shall be fixed by law. Children shall not be exploited.

Article 30. The people shall be liable to taxation as provided by law.

stipulate duties of the people in this way. Incidentally, the corresponding GHQ draft contains no duties of the people. The provision corresponding to Articles 26 and 27 of the current constitution is Article XXIV, which reads as follows.


Article XXIV. In all spheres of life, laws shall be designed for the promotion and extension of social welfare, and of freedom, justice and democracy. Free, universal and compulsory education shall be established. The exploitation of children shall be prohibited. The public health shall be promoted. Social security shall be provided. Standards for working conditions, wages and hours shall be fixed.




Article 26. All people shall have the right to receive an equal education correspondent to their ability, as provided by law. The government must provide free and universal compulsory education. All people shall be obligated to have all boys and girls under their protection receive ordinary education as provided for by law. Such compulsory education shall be free. [4]

Article 27. All people shall have the right to work (deleted: and the obligation). The government must fix by law standards for wages, hours, rest and other working conditions (deleted: Standards for wages, hours, rest and other working conditions shall be fixed by law). The government must enact laws prohibiting the exploitation of children (deleted: Children shall not be exploited).

Article 30. The people shall be liable to taxation as provided by law. (deleted)



[1] Kazuishi Nagae, “Why supporters of the security bills feel uncomfortable with the demonstrations, and an alternative proposal for the security bills” (2015/8/9)

[2] Well, even if it can’t be eliminated entirely, dependence can be reduced, so maintaining passage through the Strait of Hormuz by force would become less important than it is now.

[3] Liberal Democratic Party, “Draft Amendment to the Constitution of Japan” (2012/4/27). As Yoichi Masuzoe says in “Diet members who don’t know the basics of the constitution” and elsewhere, they fundamentally don’t understand the constitution.

[4] Some people will say that if compulsory education isn’t written in as a duty of the people, there will be parents who don’t send their children to school and children who don’t go, so I am preempting that. That sort of thing belongs in ordinary law, not in the constitution.

※ The eye-catch image is a work by Hatena Coco and is provided under CC 3.0-BY. The link to the original image is here:

by Nat at August 10, 2015 12:52 PM

July 24, 2015

The Path Forward for Self-Certification

The increasing adoption of OpenID Connect deployments has required the OpenID Foundation to develop new certification models that support the practical business, legal and technical realities of today’s Internet scale deployments. Throughout 2015, the pilot phase of OpenID Connect self-certification has been testing the efficiencies, cost effectiveness and trustworthiness of this new approach. Early adopters helped “test the tests” and put a wide range of solutions through the first iteration of OpenID Connect self-certification.

OpenID Connect self-certification is underway for the first set of OP tests with additional OP and new RP pilot testing planned later for this year. Certification costs/fees to be determined by the Executive Committee will reference the guidelines below as adopted by the OpenID Foundation Board. In this way, OpenID Connect self-certification is breaking new ground and setting precedents for certification in the foundation’s future.

OpenID Foundation Self-Certification Guidelines
1. Adoption is the foundation’s highest priority.
2. The foundation’s goals include incentivizing membership, certification of multiple profiles per implementation and international participation.
3. Certification Profiles are rolled out in three phases: pilot by early adopters, membership beta and general availability.
4. OpenID certification pilots and betas are to be available to all members in good standing.
5. Upon completion of the beta and pilot phases, certification for those profiles will be made available to non-members.
6. All fees are waived during the pilot phase; fees will be charged during the beta and general availability phases.
7. The Foundation intends to authorize fees sufficient to cover the costs of operating a certification program once the corresponding pilot phase is complete.
8. OpenID Foundation certification fees are to be the same for all members.
9. Certification fees are due at the time of submission and are charged per implementation.
10. Certification(s) will be approved once payment is received.

The Executive Committee is now working through the actions needed to make the planned OP and RP self-certification available to members and non-members and fully operationalize the OpenID Connect self-certification program. Your feedback is welcome at

Don Thibeau

by jfe at July 24, 2015 02:42 PM

July 23, 2015

Introducing RISC: Working together to protect users

According to a recent Gallup poll, more people are worried about their online accounts being hacked than about having their home broken into. With more and more of our digital lives accessible online, attackers are redoubling efforts to steal our personal information, and increasingly exploiting the interconnectedness of web services and apps to “leapfrog” from one account to the next.

Attackers often target multiple accounts across service providers for a single individual, knowing that users normally register for all their internet services with just a few email addresses. For example, a victim’s social networking account may send password recovery information to their email account, or they might log into their photo sharing account using their social network credentials. When criminals exploit these linkages, a single weak link can create a cascade of account takeovers.

That’s why the OpenID Foundation is pleased to announce a new effort dedicated to tackling this problem by working together on account defense. This month, a consortium of technology companies including Aol, Confyrm, Deutsche Telekom, Google, LinkedIn, Microsoft, Nomura Research Institute, and Ping Identity chartered an initiative to design an “early warning system” that safely and securely raises the alarm when accounts are at risk.

This Risk & Incident Sharing and Collaboration Working Group (RISC) initiative has set its initial mission as the development of standards designed to enable providers to prevent attackers from compromising linked accounts across multiple providers and coordinate in restoring accounts in the event of compromise.

The RISC group takes the approach that through open collaboration, the internet industry can design and deploy mechanisms that significantly lessen the impact of account hijacking. The effort focuses on sharing security events that occur at the individual account level, like the fact that a specific account was put on hold because of a suspected compromise. The group will also work with an attention to minimizing impacts on user privacy. The RISC group is not focused on identification or defense against malware or other system or network level attacks.

To learn more about the working group please visit the OpenID Foundation RISC Workgroup or contact Don Thibeau Executive Director,

by Adam Dawes at July 23, 2015 07:13 PM

July 16, 2015

Kaliya Hamlin

I’m Quoted in Guardian Article re: Ellen Pao

Yesterday a reporter called me up and asked me for comment on Ellen Pao. I said “What did you expect?” It became the headline! – I continued “Ellen was at the center of a high-profile sexual discrimination suit versus a major VC firm and she was put in charge of the teenage boy section of the internet. What did you expect was going to happen? It was inevitable that they would turn on her,”

You can read the whole article here – I wasn’t the only one unsurprised by what happened. :)

‘What did you expect?’ Women in tech reflect on Ellen Pao’s exit from Reddit

by Kaliya Hamlin, Identity Woman at July 16, 2015 07:29 PM

Kaliya Hamlin

Enabling Multi-Stakeholder Consensus on Cybersecurity Issues

My friend Allen who was at Brookings got a job with NTIA to figure out what issues to focus on and how to get multi-stakeholder collaboration on cyber security issues.  Because he asked me to respond I took the time to give him my thoughts and input drawing on my experience with the attempts by NSTIC to do this same thing.  Here is the PDF document. IPTF-Kaliya-2

I will in time work to publish it in blog sized sections online so it is more internally linkable (starting with an index from this post). Until then enjoy.

by Kaliya Hamlin, Identity Woman at July 16, 2015 06:36 PM

July 08, 2015

Nat Sakimura

Internet Identity timeline | @_Nat Zone

Since the people who know this history are gradually going to disappear, I have started compiling an Internet Identity timeline. It records events that I personally consider important, by my own arbitrary judgment. It is still far from complete, so if you have a "there was also this" item, please write the date, headline, source (link etc.) and why you think it is important in the comments of the Internet Identity timeline (not of this post).

by Nat at July 08, 2015 05:07 AM

Nat Sakimura

Internet Identity timeline

Since the people who know this history are gradually going to disappear, I have started compiling an Internet Identity timeline. It records events that I personally consider important, by my own arbitrary judgment. It is still far from complete, so if you have a "there was also this" item, please write the date, headline, source (link etc.) and why you think it is important in the comments of this post.

# If there turn out to be a fair number of contributions, I will set up a separate project on Bitbucket or similar.

by Nat at July 08, 2015 05:04 AM

June 22, 2015

Kaliya Hamlin

Internet Identity Workshop #21 Registration is open

Here is the registration for the 21st Internet Identity Workshop.
Join us, it’s going to be great.

by Kaliya Hamlin, Identity Woman at June 22, 2015 10:09 PM

June 21, 2015

Nat Sakimura

On 1Password's unauthenticated WebSocket vulnerability

Now, in "On the XARA vulnerabilities in Mac OS X and iOS" [1] I wondered why AgileBits, the makers of 1Password, were quoted in the original article [2] as saying that countermeasures are difficult. Having gone and read AgileBits' explanation [3], I understand. Fair enough, really. I would also say that the way the paper's authors wrote it up, presumably to promote their own results, is a little misleading.

The 1Password vulnerability the paper's authors point out is that the communication from the 1Password browser extension to 1Password mini can be intercepted by malware. 1Password mini is supposed to listen on a WebSocket on port 6263, but if malware grabs that port before 1Password mini does, it can steal the passwords and other data that the 1Password browser extension sends. Put the other way round, all it can steal is a password that the user has typed in and decided to save to 1Password for the first time. Passwords already stored in 1Password do not leak.

Against this, I wrote in [1]: "have the 1Password app generate a key pair at install time, give the public key to the browser extension, and encrypt all communication from the browser extension to port 6263 with that public key." That is indeed true as far as it goes. But from AgileBits' point of view, that would not be good enough.


In a situation where such a rogue program can be planted on the machine, it is easier and more reliable to pull the password straight out of the browser as the user types it than to intercept the WebSocket traffic from the 1Password browser extension to 1Password mini. Fair enough. Compared with hijacking the port 1Password mini uses, grabbing every password that gets entered has far wider coverage and is far more certain.




by Nat at June 21, 2015 04:02 PM

June 18, 2015

Nat Sakimura

On the XARA vulnerabilities in Mac OS X and iOS

This afternoon (June 18) GigaZine ran a sensational article titled "Vulnerability discovered in iOS and OS X that lets passwords stored in iCloud, mail and browsers be stolen; Apple has ignored it for over half a year" [1]. Well, that is web media for you, but the article alone tells you nothing about what is actually going on, so I read the original paper.


  • Xing, Bai, Li, Wang, Chen, Liao: “Unauthorized Cross-App Resource Access on MAC OS X and iOS” [2]




  1. Password Stealing (Keychain access-control vulnerability) [Mac OS X]
  2. Container Cracking (Apple App Store's mistake in verifying BundleIDs) [Mac OS X]
  3. IPC Interception (3.a WebSocket non-authentication, and 3.b local OAuth redirect) [Mac OS X]
  4. Scheme Hijacking [Mac OS X, iOS]

Of these, at least 3.b and 4 are things we have known about since at least November 2013, and they are exactly the problems that OAuth PKCE [3], now in the final stage of standardization, is designed to solve. The article also says "there is no countermeasure", but to be precise, there is no countermeasure that an end user can apply right away. There are ways for developers to make sure their own apps are not vulnerable. I will introduce those below as well.



[3] Sakimura, N., Bradley, J., and N. Agarwal: "Proof Key for Code Exchange by OAuth Public Clients", IETF, (2015)

by Nat at June 18, 2015 03:49 PM

June 17, 2015

Nat Sakimura



The formal title of J.S. Bach's so-called "Goldberg Variations" is "Aria with Diverse Variations for Harpsichord with Two Manuals" (Clavier Ubung bestehend in einer ARIA mit verschiedenen Veraenderungen vors Clavicimbal mit 2 Manualen) (BWV 988), and it forms the fourth volume of the four-volume Clavier-Übung. Published in 1742, the work was long forgotten once the harpsichord era gave way to the piano era; Landowska's performances on a modern harpsichord played their part, but it is fair to say that it became widely known above all through the huge success of Glenn Gould's debut recording.


Goldberg Variations (CD)

   Compared with the 1955 Goldberg Variations, with which he made a sensational debut through clear rhythm, a gripping, incisive approach and contrapuntal playing, this 1981 re-recording is a strikingly different performance. The 1981 version is taken at a slower pace, expressed more simply, and the ornamentation shows signs of deep reflection. The tempi, too, are superbly constructed (though to some ears they may sound a little exaggerated...). In 1955 there were no repeats at all; this time the A sections are repeated in the canons, the fughetta and the other fugal variations. The precise keyboard touch with rapid hand-crossing is still there, and one cannot help but marvel. Yet the slower tempi seem to bring out the dance elements of the work better. (Jed Distler,



Bach: Goldberg Variations & Italian Concerto etc (MP3 download)



Scarlatti Sonatas (MP3 download)


Bach: Goldberg Variations, BWV 988 (MP3 download)


So, among the few recordings Busoni left, I will close with the one that Gunnar Johansen, a pupil of Busoni's pupil who knew Busoni's playing during his lifetime, described as the only piano-roll recording that truly conveys Busoni.

Liszt's "Feux follets", played by F. Busoni. He is good, isn't he. Played very plainly, with no showiness at all, and yet dynamic.


[1] At the time, no one had any idea that his brother would become America's first president of color... (lol

[2] Italy's Radio 3, "An Interview with Martha Argerich" (2000/2/16). She is interviewed together with Abbado, who studied under the same teacher.

[3] The hard tone, the strength in Scarlatti, and the technique said to surpass even Argerich's all probably recall Horowitz.

by Nat at June 17, 2015 06:15 PM

Nat Sakimura





[Paris, 12th, Reuters] – CNIL, France's independent administrative authority for personal data protection, has ordered Google (GOOGL.O) to remove outdated personal information, where removal has been requested, from its search results worldwide and not only in Europe. If Google does not comply within 15 days, CNIL says it will proceed to sanctions. (Source) Reuters


"But you have already moved out": my resident registration, who did this and why


If identity proofing had been done at Level 2 or above under ISO/IEC 29115 or the like, this basically should not happen. In the end it is proof that "how it was verified" matters far more than "who verified it". The Basic Resident Register is the fundamental database for issuing My Number cards, so its operation has to be run much more tightly. Incidentally, if you seriously want to issue high-assurance credentials, you have to change the approach at its root: start by redoing identity proofing for, say, public servants, use that as the trust anchor, and gradually widen it from there.






Today, Justice Ministers in the Council reached a General Approach on the new data protection rules confirming the approach taken in the Commission’s proposal back in 2012. Trilogue negotiations between the Council, the European Parliament and the EU Commission will start next week on 24 June. (出所)Privacy Laws & Business

The EU Council has agreed on its approach to the new data protection law [1]. It largely follows the 2012 Commission proposal (for example: EU Directive to EU Regulation, application to companies outside the EU that provide services in the EU market, a (limited) right to be forgotten, data portability).


by Nat at June 17, 2015 03:10 AM

June 16, 2015

Kaliya Hamlin

We “won” the NymWars? did we?

Short answer No – I’m headed to the protest today at Facebook.

A post about the experience will be up here by tomorrow. I’ll be tweeting from my account there which is of course @identitywoman


Post from Sept 2014

Mid-July, a friend called me up out of the blue and said “we won!”

“We won what” I asked.

“Google just officially changed its policy on Real Names”

He said I had  to write a post about it. I agreed but also felt disheartened.
We won, but we didn’t; it took 3 years before they changed.

They also created a climate online where it was OK and legitimate for service providers to insist on real names.

For those of you not tracking the story – I, along with many thousands of people, had my Google+ account suspended – this post is an annotated version of all of those.

This was the Google Announcement:

When we launched Google+ over three years ago, we had a lot of restrictions on what name you could use on your profile. This helped create a community made up of real people, but it also excluded a number of people who wanted to be part of it without using their real names.

Over the years, as Google+ grew and its community became established, we steadily opened up this policy, from allowing +Page owners to use any name of their choosing to letting YouTube users bring their usernames into Google+. Today, we are taking the last step: there are no more restrictions on what name you can use.

We know you’ve been calling for this change for a while. We know that our names policy has been unclear, and this has led to some unnecessarily difficult experiences for some of our users. For this we apologize, and we hope that today’s change is a step toward making Google+ the welcoming and inclusive place that we want it to be. Thank you for expressing your opinions so passionately, and thanks for continuing to make Google+ the thoughtful community that it is.

There was lots of coverage.

Google kills real names from ITWire.

Google Raises White Flag on Real Names Policy in the Register.

3 Years Later Google Drops its Dumb Real Name Rule and Apologizes in TechCrunch.

Change Framed as No Longer Having Limitations Google Offers Thanks for Feedback in Electronista

Google Stops Forcing All Users to Use Their Real Names in Ars Technica

The most important was how Skud wrote a “real” apology that she thought Google should have given:

When we launched Google+ over three years ago, we had a lot of restrictions on what name you could use on your profile. This helped create a community made up of people who matched our expectations about what a “real” person was, but excluded many other real people, with real identities and real names that we didn’t understand.

We apologise unreservedly to those people, who through our actions were marginalised, denied access to services, and whose identities we treated as lesser. We especially apologise to those who were already marginalised, discriminated against, or unsafe, such as queer youth or victims of domestic violence, whose already difficult situations were worsened through our actions. We also apologise specifically to those whose accounts were banned, not only for refusing them access to our services, but for the poor treatment they received from our staff when they sought support.

Everyone is entitled to their own identity, to use the name that they are given or choose to use, without being told that their name is unacceptable. Everyone is entitled to safety online. Everyone is entitled to be themselves, without fear, and without having to contort themselves to meet arbitrary standards.

As of today, all name restrictions on Google+ have been lifted, and you may use your own name, whatever it is, or a chosen nickname or pseudonym to identify yourself on our service. We believe that this is the only just and right thing to do, and that it can only strengthen our community.

As a company, and as individuals within Google, we have done a lot of hard thinking and had a lot of difficult discussions. We realise that we are still learning, and while we appreciate feedback and suggestions in this regard, we have also undertaken to educate ourselves. We are partnering with LGBTQ groups, sexual abuse survivor groups, immigrant groups, and others to provide workshops to our staff to help them better understand the needs of all our users.

We also wish to let you know that we have ensured that no copies of identification documents (such as drivers’ licenses and passports), which were required of users whose names we did not approve, have been kept on our servers. The deletion of these materials has been done in accordance with the highest standards.

If you have any questions about these changes, you may contact our support/PR team at the following address (you do not require a Google account to do so). If you are unhappy, further support can be found through our Google User Ombuds, who advocates on behalf of our users and can assist in resolving any problems.

BotGirl chimed in with her usual clear articulate videos about the core issues.

And this talk by Alessandro Acquisti surfaced: Why privacy matters

Google has learned something from this, but it seems like other big tech companies have not.

by Kaliya Hamlin, Identity Woman at June 16, 2015 04:34 AM

June 11, 2015

Nat Sakimura


According to a TBS News i report [1], the government will hold an international conference on cybersecurity in Okinawa this November.


As it happens, the week before that the IETF (Internet Engineering Task Force) holds its Yokohama meeting. The IETF is the body that develops the technologies used on the Internet; it is no exaggeration to say the Internet was built by the IETF. It holds a plenary meeting three times a year, rotating around the world, to work on the latest technology. If the conference were open, one could imagine the leading figures of the Internet technology world who came to Japan for the Yokohama meeting going along to it.


This conference, however, is said to be strictly invitation only. The information site is:

[1] TBS News i, "International cybersecurity conference to be held in Okinawa" (2015/6/11)

by Nat at June 11, 2015 08:15 AM

June 10, 2015

Nat Sakimura









[1] Jiji Press, "Up to 12,000 member records leaked; PC virus infection; Tokyo Metropolitan Police investigating: Tokyo Chamber of Commerce" (retrieved 2015/6/10)

[2] Jiji Press, "Chief Cabinet Secretary Suga calls for measures to prevent recurrence: Tokyo Chamber of Commerce leak"

by Nat at June 10, 2015 02:55 PM

Nat Sakimura

What a "number" design should look like: on the pension number leak





  1. Create a primary-key identifier, the "personal number". This is basically immutable. Because we never want to change it, it is used only for the internal management of the "number" that is actually used (hereafter "number"). Naturally it never leaves the building.
  2. The "number" has an issue date, activation date, suspension date, reactivation date and revocation date [3], managed against the primary key.
  3. Give the "number" a distinctive format. For example, the third character is katakana and the fourth is a checksum. This is so that, when data leaks, values in this format can be kept out of search engines and the like.
  4. The "number" has an expiry date [4].
  5. The "number" can be changed at any time. The management system has an API for changing it.
  6. When an organization receives a "number", it presents the "number", its "organization number" and its "organization credential" to the per-organization "number" issuance API (provided by the "number" management organization) and obtains the individual's "organization-specific number". It discards the "number" immediately [5]. From then on the organization uses this "organization-specific number".
  7. When one organization requests information from another, it obtains from the authorization server a "permission number" [6] for retrieving that data and uses it to make the request. The providing organization presents this "permission number" to the authorization server, learns whose data it should provide, and provides it.
  8. In principle, only the organization with primary responsibility holds the data; other organizations obtain it when needed, use it, and then promptly discard it.
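The registry sketched in steps 1 to 6, as an added example written for this post (my own illustration, not code from the post or from any real system). It assumes a 9-character number whose third character is katakana and whose fourth is a weighted mod-10 check digit, and it derives each organization-specific number with HMAC-SHA256 under a key that only the registry holds, with a per-organization generation counter so that one organization's numbers can be reissued after a leak without touching anyone else's. The class and function names are assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta

KATAKANA = "アイウエオカキクケコサシスセソタチツテトナニヌネノ"  # pool for the 3rd character
DIGITS = "0123456789"
WEIGHTS = (1, 3, 7, 9)  # units mod 10, so any single-digit change is caught


def check_digit(body: str) -> str:
    """Weighted mod-10 checksum over the 8 non-check characters (assumed scheme)."""
    total = 0
    for i, ch in enumerate(body):
        value = KATAKANA.index(ch) if ch in KATAKANA else int(ch)
        total += value * WEIGHTS[i % 4]
    return DIGITS[(10 - total % 10) % 10]


def is_well_formed(number: str) -> bool:
    """Format check that a receiver, or a leak scanner, can run without the registry."""
    if len(number) != 9 or number[2] not in KATAKANA:
        return False
    if not all(c in DIGITS for c in number[:2] + number[4:]):
        return False
    return number[3] == check_digit(number[:3] + number[4:])


class NumberRegistry:
    """The 'number' management organization of the post, as an in-memory sketch."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # derivation key; never leaves the registry
        self._people = {}                     # internal primary key -> number records
        self._lookup = {}                     # number -> internal primary key
        self._org_creds = {}                  # org_id -> credential
        self._org_generation = {}             # org_id -> generation of its numbers

    def _issue(self, pk: str, validity_days: int = 365) -> str:
        """Steps 2-4: mint a fresh, well-formed number with an expiry, tied to pk."""
        while True:
            body = (secrets.choice(DIGITS) + secrets.choice(DIGITS)
                    + secrets.choice(KATAKANA)
                    + "".join(secrets.choice(DIGITS) for _ in range(5)))
            number = body[:3] + check_digit(body) + body[3:]
            if number not in self._lookup:
                break
        today = date.today()
        self._people[pk].append({"number": number, "issued": today,
                                 "expires": today + timedelta(days=validity_days),
                                 "revoked": None})
        self._lookup[number] = pk
        return number

    def enroll(self) -> str:
        """Step 1: create the immutable primary key (kept inside) and hand out a number."""
        pk = secrets.token_hex(16)
        self._people[pk] = []
        return self._issue(pk)

    def _resolve(self, number: str) -> str:
        """Map a presented number to the primary key, refusing bad, revoked or expired ones."""
        if not is_well_formed(number):
            raise ValueError("malformed number")
        pk = self._lookup.get(number)
        if pk is None:
            raise ValueError("unknown number")
        rec = next(r for r in self._people[pk] if r["number"] == number)
        if rec["revoked"] is not None or rec["expires"] < date.today():
            raise ValueError("number revoked or expired")
        return pk

    def rotate(self, number: str) -> str:
        """Step 5: the number is replaceable at any time; the primary key is not."""
        pk = self._resolve(number)
        for rec in self._people[pk]:
            if rec["number"] == number:
                rec["revoked"] = date.today()
        return self._issue(pk)

    def register_org(self, org_id: str) -> bytes:
        cred = secrets.token_bytes(16)
        self._org_creds[org_id] = cred
        self._org_generation[org_id] = 1
        return cred

    def org_number(self, number: str, org_id: str, cred: bytes) -> str:
        """Step 6: pairwise number for one organization, derived by HMAC so that two
        organizations' numbers for the same person cannot be joined."""
        if not hmac.compare_digest(self._org_creds.get(org_id, b""), cred):
            raise PermissionError("bad organization credential")
        pk = self._resolve(number)
        gen = self._org_generation[org_id]
        mac = hmac.new(self._key, f"{pk}|{org_id}|{gen}".encode(), hashlib.sha256)
        return mac.hexdigest()[:20]

    def reissue_org_numbers(self, org_id: str) -> None:
        """After one organization leaks, bump only its generation; nobody else changes."""
        self._org_generation[org_id] += 1
```

Rotating a person's "number" leaves every organization-specific number unchanged, because those are derived from the hidden primary key rather than from the number itself; conversely, bumping one organization's generation changes only that organization's numbers. The format check lets a leaked dump be recognized without consulting the registry, which is the point of step 3.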



  1. Even if one organization leaks, its data cannot be joined with data held by other organizations. The privacy impact is therefore low, and the cost is low.
  2. Changing the leaking organization's "organization-specific number" does not affect any other organization, so it can be changed as often as you like. This also keeps costs down.
  3. The leaked data itself can be kept from being picked up by search engines and the like, and recovery is easy. Not something we can even hope for today. [7]
  4. Because the "number" changes periodically, it is hard to use it for cross-time record linkage tying past to present, the kind of thing that produces a "merciless society" [8]. This also keeps costs down.
  5. In the first place, each organization holds only the data it is primarily responsible for, so compared with today, where every organization keeps its own copy, the privacy impact of a breach is lower.





[1] Gohara Nobuo, "Are 'leaked basic pension numbers will be changed' and 'change notices will be mailed' really good enough?" (2015/6/9), Huffington Post,

[2] Sakimura Natsuhiko, "Is a 'number' dangerous if it leaks?" (2015/6/9), @_Nat Zone,

[3] Not days, really; at least seconds.

[4] In the EU, in what seems to be the most recent eID card rollout, Germany made the "number" a document number. So it changes on reissue. This is very much the right thing.

[5] This is basically how the US Department of Defense guidelines on the use of Social Security Numbers do it too. Incidentally, if handing the "number" to organizations is itself considered a risk, there is a scheme in which the individual obtains the "organization-specific number" and hands it to the organization. SAML's NameIdentifier and OpenID's PPID are that kind of mechanism. Since it is automated, the individual probably never notices.

[6] Technically, this is called an Access Token.

[7] Unless someone maliciously swaps the "number" for something else, that is.

[8] Sakimura Natsuhiko, "The merciless society and the number system: the danger of record linkage seen in Victor Hugo's Les Misérables" (2010/12/13), @_Nat Zone,

[9] Like enterprise XML/SOAP systems. Those are systems for at most two million people or so. With XML there is too much extra data and computation. Doing a hundred million people with that is hard...

[10] And then there is each organization (employers, financial institutions and so on) storing My Number itself, which is, well...

by Nat at June 10, 2015 02:29 PM

June 09, 2015

Nat Sakimura






by Nat at June 09, 2015 02:40 PM

Nat Sakimura

Microsoft Azure and Dropbox comply with ISO/IEC 27018, the international standard for cloud privacy controls

Microsoft Azure has apparently been confirmed as the first cloud computing platform to comply with ISO/IEC 27018 [1], the only international standard for privacy controls specific to the cloud. The certification was done by BSI. And it is old news, from February 16 this year. I may have seen it and let it pass.

Furthermore, I noticed this week that Dropbox has also obtained ISO/IEC 27018 certification. BSI is busy. Won't JIPDEC do this too? Or is that impossible because of the P Mark?

ISO/IEC 27018 purchase page. Besides the PDF there is also an ePub version, which is convenient.

ISO/IEC 27018 takes the privacy part that ISO/IEC 27002 does not cover and adds it in line with the ISO/IEC 29100 privacy framework. Its subject is the PII Processor in ISO/IEC 29100 terms, that is, the "processor" or contractor. The standard aimed at data controllers rather than processors is being developed as ISO/IEC 29151. In fact, from the moment work on ISO/IEC 27018 began, not only the Japanese delegates but the whole international committee were saying "hmm, dubious" and "do we need this? there is nothing cloud-specific here", and it was started anyway on the grounds that "well, if we are doing security in 27017, then as a set, for consistency". The Nairobi meeting, I think it was. Deliberation took place in SC 27/WG 5 (the WG for which I am the Japanese head delegate) [2], and since there was not much to do it was settled very quickly. On top of that, the overall framework belongs to the aforementioned 29151, so there is the question of whether it was right to do this before that was finished. So when I am told "we are ISO/IEC 27018 compliant!" I feel "hmm, dubious", but it is of course still better than not doing it...

Source: Microsoft Azure confirmed as the first cloud computing platform to comply with ISO/IEC 27018, the only international standard for cloud privacy controls – Microsoft Azure Japan Team Blog – Site Home – MSDN Blogs


[1] ISO/IEC 27018 Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors

[2] The main person in charge on the Japanese committee is Mr. Sato of HP.

by Nat at June 09, 2015 09:18 AM

Nat Sakimura





1. Damage from impersonation



  1. Disclosure of unwanted information, especially "associated information"
  2. Blackmail or interference with one's decisions using the "associated information" obtained
  3. Economic damage from financial transactions carried out by an impersonator


2. Possibility of remedy by changing it







3. The value of the information itself



4. Conclusion




[1] "1.25 million personal pension records leaked through unauthorized access: Japan Pension Service", Nihon Keizai Shimbun (2015/6/1), retrieved 2015/6/9
[2] The myth that there are no restrictions on private-sector use of the US Social Security Number (SSN)
[3] Note that ISO/IEC 24760 and the like use the term "identifying information" for the "value" in an "identifier name: value" pair, so some care is needed.
[4] My Number is said to be "unchanged for life" in principle, but as I have been saying all along, it would be better to make it easy to change. System-wise it is no big deal.

by Nat at June 09, 2015 05:32 AM

June 07, 2015

Nat Sakimura


clamdscan uses the daemon of the clamav virus scanner to check mail and the like for viruses. If you use Courier-MTA you are most likely doing local delivery through mailfilter. The simplest way to use clamav looks to be to configure it in that configuration file, .mailfilter, and call it from there [1], but if you do that you get

lstat() failed: Permission denied. ERROR




According to this, first prepare a /usr/bin/ along the following lines.

#!/bin/bash
# Created by Tom Walsh, slim at
# slightly modified by Wolfgang Ziegler, nuppla at

# RUN=clamscan
# Enable this line, if you are using the clamav-daemon.
RUN=clamdscan   # assumed value; the post is about clamdscan

MSG=$(< /proc/self/fd/0)                        # stdin -> $MSG
SCAN=$(echo "$MSG" | $RUN - --stdout --disable-summary)
EXIT=$?                                         # 0 = clean, 1 = virus found, 2 = error
VIRUS=$(echo "$SCAN" | awk '{print $2}')        # "stream: <name> FOUND" -> <name>
SUBJECT=$(echo "$MSG" | reformail -x Subject:)

if [ "$EXIT" == "1" ]; then
 MSG=$(echo "$MSG" | reformail -i"X-Virus-Status: INFECTED")
 MSG=$(echo "$MSG" | reformail -i"Subject: [VIRUS: $VIRUS] $SUBJECT")   # tag the subject with the detected name
else
 MSG=$(echo "$MSG" | reformail -i"X-Virus-Status: CLEAN")
fi

echo "$MSG"
exit 0


chmod +x /usr/bin/


Then, in .mailfilter, after passing the message through that script with xfilter:

if ( /^X-Virus-Status:.*INFECTED/ )
{
        log "Clamdscan: Virus found\n"
        to $SPAM
}

I think this is probably working... Clamav does look inside zip files, which is nice.

If all you want is to knock down mail with .exe and similar attachments [2], there is no need to call clamav at all; something like the following will do.

# attachments are in the body, so :b flag
if ( /^Content-type: (audio|application)/:b \
     && /name=.*\.(bat|com|exe|hta|pif|scr|shs|vb[es]|ws[fh])/:b )
{
        xfilter "${REFORMAIL} -a'$SPAMHEADER potential virus attachment'"
        log "Illegal Extension\n"
        to $SPAM
}

If you absolutely never want to receive such mail you could exit instead of to $SPAM, but sometimes you want to read just the body. Dropping the attachment section with reformail would be another option, but I have been lazy and haven't done it.

[1] You could say "put it in the mail server itself", but at personal scale this was easier. I'll try doing it with perlmailfilter once I have the time to set up a test server.

[2] Topical for the past few days because of the pension service leak.

by Nat at June 07, 2015 07:57 AM

June 05, 2015

Nat Sakimura

US real-estate industry adopts OpenID Connect for Web API authentication

According to a report by Peter Williams [1], the US real-estate industry has decided to adopt OpenID Connect for Web API authentication. I didn't know this, but real estate is the largest sector of the US economy by GDP. In the US Bureau of Economic Analysis statistics for 2014 [2] it accounts for 13% of GDP. The second-largest sector is government, at 12.9%.


US GDP by industry (2014): real estate tops the share of GDP at 13%

According to Williams' report, after "five years" of deliberation [3], the real-estate standards group decided to drop its custom OAuth profile and standardize on OpenID Connect. The decisive factor seems to have been that support from Microsoft and Amazon made adoption very easy.

Cal Heldenbrand says:

Kudos to everyone. This is a big win for standards in general, and in particular for standards that are easy to use and highly interoperable. I cannot say enough how much more fun working with OpenID Connect has been than doing it with SAML. [3]


[1] Peter Williams, “Realty adoption”,

[2] US Bureau of Economic Analysis, "Gross-Domestic-Product-(GDP)-by-Industry Data", "GDP by Industry / VA, GO, II 1997-2014: 71 Industries (XLSX)"

[3] Though according to Cal Heldenbrand, "no, it was 20 minutes" lol.

by Nat at June 05, 2015 05:40 AM

June 01, 2015

Kaliya Hamlin

#mynameis my statement for the virtual press kit

I just wrote this up for the virtual press kit for the #mynameis protest.

With its real name / authentic name policy Facebook is violating the rights and dignity of thousands if not millions. Individuals of all stripes have authentic names that are not found on any of their legal paperwork.  In common law countries we have the right to define our own name, and those rights need to be respected online.

Identity is contextual. That is, the same person may use different names authentically in different social contexts: within the Drag Queen and LGBT community one name, Lil Hot Mess for example, and in a professional day job a completely different name, more likely one on formal legal paperwork, but not necessarily.  These different contexts have their own contextual authenticity.

Google+, when it began several years ago, also had a real name, or what they called common name, policy, and users instead sent in government-issued ID via e-mail.  Many resisted these policies and eventually, years later, they changed their policies.   The movement around their policies was called the #Nymwars, and several people organized to found the Nym Rights group. We fully support the #MyNameIs campaign and its efforts.

The freedom to choose our own names is the digital civil rights issue of our time. Without the freedom to choose our own name(s) online and the rights associated with that choice, our digital identities are subject to termination for arbitrary reasons.  In the physical world, if our body is assaulted or killed, whoever does so will suffer consequences. We must struggle for our rights in the digital world and the freedom to choose our own names; without these rights and freedoms our right to express ourselves, to speak up in a free society, will be severely weakened.

Kaliya, Identity Woman
Independent Advocate for the Rights and Dignity of Our Digital Selves.

by Kaliya Hamlin, Identity Woman at June 01, 2015 09:46 PM

May 26, 2015

Enhancing OAuth Security for Mobile Applications with PKCE

OAuth 2.0 is the preferred mechanism for authorizing native mobile applications to their corresponding API endpoints. In order to be authorized, the native application attaches an OAuth access token to its API calls. Upon receiving a call, the API extracts the token, validates it (checks issuer, lifetime, associated authorizations, etc) and then determines whether the request should be allowed or denied.

Of course, before the native application can use an access token on an API call, it must necessarily have first been issued that token. OAuth defines how the native application, with a user’s active involvement, interacts with an Authorization Server (AS) in order to obtain a set of tokens that represent that user and their permissions. The best practice for native applications leverages a version of OAuth called the ‘authorization code grant type’ – which in this context consists of the following steps

  1. Upon installation, the native application registers itself with the mobile OS as the handler for URLs in a particular scheme, e.g. those starting with ‘com.example.mobileapp://’ as opposed to ‘http://’.
  2. After installation, the native application invites the user to authenticate.
  3. The native application launches the device system browser and loads a page at the appropriate AS.
  4. In that browser window, the AS
    • authenticates the user. Because authentication happens in a browser, the AS has flexibility in how and where the actual user authentication occurs, i.e., it could be through federated SSO or could leverage two-factor authentication, etc. There are advantages to using the system browser and not an embedded browser, notably that a) any credentials presented in the browser window are not visible to the application and b) any session established in the browser for one native application can be used for a second, enabling an SSO experience
    • may obtain the user’s consent for the operations for which the native application is requesting permission
  5. If step 4 is successful, the AS builds a URL in the scheme belonging to the native application and adds an authorization code to the end of the URL, e.g. ‘com.example.mobileapp://oauth?code=123456’. The AS directs the user’s browser to redirect to this URL
  6. The browser queries the mobile OS to determine how to handle this URL. The OS determines the appropriate handler, and passes the URL to the appropriate application
  7. The native application parses the URL and extracts the authorization code from the end
  8. The native application sends the authorization code back to the AS
  9. The AS validates the authorization code and returns to the native application an access token (plus potentially other tokens)
  10. The native application then stores that access token away in secure storage so it can be subsequently used on API calls.

The current reality is that there is a security risk associated with Steps 6-8 above that could result in a malicious application being able to insert itself into the above flow and obtain the access token – and so be able to inappropriately access the business or personal data stored behind the API. The risk arises due to a combination of factors

  1. The nature of how native applications are distributed through public stores prevents individual instances of applications having unique (or secret) credentials. Consequently, it is not currently practical to expect that the native application can authenticate to the AS when exchanging the code for tokens in Step 8. As a result, if a malicious application is able to get hold of the code, it will be able to exchange that code for the desired tokens.
  2. In Step 6, the handoff of the authorization code can be intercepted if a malicious application is able to ‘squat’ on the URL scheme, i.e., get itself registered as the handler for those URLs. The mobile OSs differ in how they protect against such squatting – for instance, Android prompts the user to choose from between multiple apps claiming the same scheme, iOS does not.
  3. The current industry reality is that access tokens are predominantly ‘bearer’ tokens, i.e., any actor that can gain possession of an access token can use it on API calls with no additional criteria (such as signing some portion of the API call with a key associated with the token).

PKCE (Proof Key for Code Exchange by OAuth Public Clients) is an IETF draft specification designed to mitigate the above risk by preventing a malicious application that has obtained the code by scheme squatting from exchanging it for the more fundamental access token.

PKCE allows the native application to create an ephemeral, one-time secret and use it to prove, at Step 8 above, that it is the same client that started the flow. A malicious application, even if able to steal the code, will not have this secret and so will be unable to trade the stolen code for the access token.

If using PKCE, the overall flow is identical to the above, but with additional parameters added to certain messages. When the native application first loads the AS page in the browser (Step 3 above), it generates a code_verifier string, transforms it (the S256 method sends the base64url-encoded SHA-256 hash of the verifier; the plain method sends it unchanged) and passes the transformed value, the code_challenge, as a parameter on the URL. The AS stores this challenge, together with the method, before returning the code to the native application. When the native application then exchanges the code for the access token (Step 8 above), it includes the original code_verifier on that call. If the code_verifier is missing, or transforming it does not reproduce the previously recorded challenge, the AS will not return the access token.
Even if a malicious application is able to obtain a code, without the corresponding code_verifier it will be unable to turn that code into an access token, and so unable to access the business or personal data accessed through the APIs.
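The exchange just described, as an added example written for this post rather than code from the post, from any library or from the PKCE draft itself. It models the AS and the native app as plain Python with an in-memory code table; the class and function names are assumptions, and user authentication and consent (Step 4) are assumed to have succeeded. The S256 transform is BASE64URL(SHA256(ASCII(code_verifier))) without padding, as the specification defines it.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random octets -> 43 unreserved characters (the spec allows 43..128)."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Toy AS keeping issued codes in memory (assumed structure, not a real AS)."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, code_challenge, code_challenge_method)

    def authorize(self, client_id, code_challenge, code_challenge_method="S256"):
        """Steps 3-5: bind the app's challenge (and the method) to a fresh code."""
        if code_challenge_method not in ("plain", "S256"):
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, code_challenge, code_challenge_method)
        return code  # delivered to the device via the custom-scheme redirect

    def token(self, client_id, code, code_verifier):
        """Steps 8-9: release tokens only to the holder of the matching verifier."""
        entry = self._codes.pop(code, None)  # a code is single use, even on failure
        if entry is None or code_verifier is None:
            return None
        owner, challenge, method = entry
        if owner != client_id:
            return None
        # The method is the one recorded at authorization time, so an attacker
        # cannot downgrade an S256 binding to 'plain' by sending the challenge back.
        expected = code_challenge_s256(code_verifier) if method == "S256" else code_verifier
        if not hmac.compare_digest(expected.encode(), challenge.encode()):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


CLIENT = "com.example.mobileapp"  # the client_id of the native app in the post


def legitimate_exchange(as_: AuthorizationServer):
    """The native app: keeps the verifier private, sends only the challenge up front."""
    verifier = make_code_verifier()
    code = as_.authorize(CLIENT, code_challenge_s256(verifier))
    return as_.token(CLIENT, code, verifier)


def squatter_exchange(as_: AuthorizationServer):
    """A scheme-squatting app intercepts the redirect (Step 6) and so holds the
    code, and may even have seen the challenge in the browser URL, but never saw
    the verifier; whatever it substitutes is rejected."""
    verifier = make_code_verifier()
    code = as_.authorize(CLIENT, code_challenge_s256(verifier))
    stolen_code = code
    return as_.token(CLIENT, stolen_code, make_code_verifier())
```

Note that the AS pops the code before checking the verifier: a squatter that races the legitimate app to the token endpoint burns the code and turns the attack into a failed login rather than a stolen token, which is the outcome PKCE is designed to produce.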

PKCE promises to provide an important security enhancement for the application of OAuth 2.0 to native applications by mitigating the risk of authorization codes being stolen by malicious applications installed on the device. In fact, the PKCE ‘trick’, that of using transient client secrets in order to authenticate to an AS when the client has no long-term secret, is being used in other applications, e.g. the Native Applications (NAPPS) WG underway in the OpenID Foundation.

by jfe at May 26, 2015 11:48 AM

May 20, 2015

Nat Sakimura


It took quite a long time [1], but JSON Web Signature (JWS) and JSON Web Token (JWT) have finally become Standards Track RFCs [2]: [RFC7515] and [RFC7519] respectively.




[1] JSON Simple Sign was in 2010, so it took five years... The JOSE WG was formed at the IETF in November 2011; it took an awfully long time.
[2] RFCs come in three tracks, Informational, Experimental and Standards Track, and only Standards Track documents are what is meant by a "standard". Many frequently cited RFCs are actually Informational, so look carefully.

by Nat at May 20, 2015 02:35 AM

May 13, 2015

Certification pilot expanded to all OIDF members

The OpenID Foundation has opened the OpenID Certification pilot phase to all OpenID members, as the Board previously announced we would do in May. This enables individual and non-profit members to also self-certify OpenID Connect implementations. The OpenID Board has not yet finalized beta pricing to cover the costs of certification applications during the next phase of the 2015 program. OpenID Foundation Members’ self-certification applications will be accepted at no cost during this pilot phase. We look forward to working with all members on the continued adoption of the OpenID Certification program, including individual and open source implementations.

Don Thibeau
OpenID Foundation Executive Director

by Don Thibeau at May 13, 2015 09:52 AM

May 06, 2015

Certification Accomplishments and Next Steps

I’d like to take a moment and congratulate the OpenID Foundation members who made the successful OpenID Certification launch happen. By the numbers, six organizations were granted 21 certifications covering all five defined conformance profiles. See Mike Jones’ note Perspectives on the OpenID Connect Certification Launch for reflections on what we’ve accomplished and how we got here.

We applied the meme “keep simple things simple” that was the touchstone when designing OpenID Connect to its certification program. But for as much as we’ve already accomplished, there are plenty of good things to come. The next steps are to expand the scope of the Certification program along several dimensions, per the OpenID board’s deliberately phased certification rollout plan. I’ll take the rest of this note to outline these next steps.

One dimension of the expansion is to open the program to all members, including non-profit and individual members. This second phase will be open to OpenID Foundation members, acknowledging the years of work that they’ve put into creating OpenID Connect and its certification program.

Closely related to this, the foundation is working to determine our costs for the certification program in order to establish a beta pricing program for the second phase. The board is on record as stating that pricing will be designed with two goals in mind: covering our costs and helping to promote the OpenID Connect brand and adoption.

Putting a timeline on this, the Executive Committee plans to recommend a beta pricing program for the second phase during its meeting on June 4th for adoption by the Board at its meeting during the Cloud Identity Summit on June 10th. We look forward to seeing certifications of open source, individuals’, and non-profits’ implementations during this phase, as well as continued certifications by organizations.

Another dimension of the expansion is to begin relying party certifications. If you have a relying party implementation, we highly encourage you to join us in testing the tests, just like the pilot participants did for the OpenID Provider certification test suite. Please contact me if you’re interested.

See the FAQ for additional information on OpenID Certification. Again, congratulations on what we’ve already accomplished. I look forward to the increasing adoption and quality of OpenID Connect implementations that the certification program is already helping to achieve.

by Don Thibeau at May 06, 2015 08:08 AM

April 27, 2015

Final OAuth 2.0 Form Post Response Mode Specification Approved

The OAuth 2.0 Form Post Response Mode specification has been approved as a Final Specification by a vote of the OpenID Foundation members. A Final Specification provides intellectual property protections to implementers of the specification and is not subject to further revision.

This specification defines how to return OAuth 2.0 Authorization Response parameters (including OpenID Connect Authentication Response parameters) using HTML form values that are auto-submitted by the User Agent using HTTP POST.

The voting results were:

  • Approve – 39 votes
  • Object – 1 vote
  • Abstain – 3 votes

Total votes: 43 (out of 164 members = 26% > 20% quorum requirement)

— Michael B. Jones – OpenID Foundation Board Secretary

by Mike Jones at April 27, 2015 08:50 PM

April 22, 2015

Nat Sakimura

Implementations from Google, Microsoft, PayPal, Nomura Research Institute and others pass OpenID Connect conformance testing

(Figure 1) OpenID Certified logo

On the 22nd (local time), the US-based OpenID® Foundation announced the OpenID Connect implementation conformance self-certification program. Under it, an implementer that passes the online tests provided by the OpenID Foundation submits a declaration to the OpenID Foundation, together with the supporting evidence, and thereby becomes able to use the OpenID Certified mark (Figure 1).

Five kinds of tests are currently offered: OP Basic, OP Implicit, OP Hybrid, OP Config and OP Dynamic. In the first wave, implementations from Google, Nomura Research Institute, ForgeRock, PayPal and Microsoft have passed, as shown in the table below.

(Table 1) Implementations passing the first wave of OpenID Certification

Company/Organization Implementation OP Basic OP Implicit OP Hybrid OP Config OP Dynamic
ForgeRock OpenAM 13 13-Apr-2015 13-Apr-2015 13-Apr-2015 13-Apr-2015
Google Google Federated Identity 20-Apr-2015 21-Apr-2015 15-Apr-2015
Microsoft ADFS for Windows 10 7-Apr-2015
Microsoft Azure Active Directory 8-Apr-2015
Nomura Research Institute[1] phpOIDC 10-Apr-2015 10-Apr-2015 10-Apr-2015 10-Apr-2015 10-Apr-2015
Uni-ID 10-Apr-2015
PayPal Login with PayPal 15-Apr-2015
Ping Identity PingFederate 10-Apr-2015 10-Apr-2015 10-Apr-2015 9-Apr-2015

Through this program, operators implementing OpenID Connect can declare that their own implementations satisfy the OpenID Connect standard specification. Participating in this Certification program should make interoperability between different implementations more certain.

The OpenID Certification test suite was developed as open source software, with the cooperation of Umeå University in Sweden and the EU's GÉANT project, with the aim of promoting interoperability between systems involved in digital identity.

OpenID Connect is an open standard for identity technology that is secure, mobile-friendly and privacy-conscious. Since the specification was finalized at last year's RSA Conference 2014, it has been adopted by many services, including Google Sign-in and Microsoft Azure AD. Now that implementation conformance can actually be tested, easier interconnection can be expected.

What has been announced so far covers only OpenID Provider implementations, but certification for Relying Parties is planned to start in May 2015.


[1] An open source implementation developed through joint research by Nomura Research Institute and Umeå University under the Ministry of Internal Affairs and Communications' FY2012 (Heisei 24) Strategic International Collaborative R&D Promotion Program.

by Nat at April 22, 2015 02:54 PM

April 19, 2015

Nat Sakimura

[Personal Information Protection Act Amendment] On the obligation to record third-party provision [Part 2]


1. Wasn't this a measure against list brokers, and wasn't it supposed to exclude cases where the data subject has consented?



2. If so, the recording obligation would also fall on the provider for things like public SNS profile pages, but isn't that unrealistic?







第二十五条 個人情報取扱事業者は、個人データを第三者(第二条第五項
 2 個人情報取扱事業者は、前項の記録を、当該記録を作成した日から個



[1] Nat Sakimura, 『[個人情報保護法改正] 匿名加工情報と第三者提供記録について』 ([Personal Information Protection Act Amendment] On anonymously processed information and third-party provision records) (2015/3/12)

[2] According to Toshihiro Yoshida, 『元法制局キャリアが教える 法律を読む技術・学ぶ技術[第2版]』 (Techniques for Reading and Learning Law, as Taught by a Former Cabinet Legislation Bureau Career Official, 2nd ed.). I also checked this interpretation with attorney Itakura (via Prof. Takagi of AIST) and with Prof. Suzuki (directly). Attorney Itakura's view: "Both 'name OR matters prescribed by the rules (∋ designation)' and 'matters prescribed by the rules (∋ name OR designation)' are possible. When a provision reads 'A or B or other C prescribed by the rules', A and B are examples and there can be cases where they are not included." Against this, Prof. Suzuki's view was: "Even if it is theoretically an illustrative enumeration, an operation that lists them at the head of the provision as the typical examples and then says they may be omitted would be met with a 'huh?' and is hardly conceivable." So it is a vexing question.

by Nat at April 19, 2015 03:56 PM

April 17, 2015

The OpenID Foundation Launches OpenID Connect Certification Program


Google, Microsoft, Ping Identity, ForgeRock, Nomura Research Institute, and PayPal OpenID Connect Deployments First to Self-Certify Conformance

RSA Conference 2015, San Francisco, CA – April 22, 2015 – Today the OpenID® Foundation introduced OpenID Connect Certification – a program that enables organizations to certify that their OpenID Connect implementations conform to specified profiles of the OpenID Connect standard. The certification program is a tool to ensure that implementations by different parties will successfully interoperate.

OpenID Connect is a secure, mobile-ready, privacy-enhancing open identity standard. It has been widely adopted since its finalization last year during the 2014 RSA Conference.

The OpenID Certification program provides important assurances to the global community of developers that the Internet identity services that certifying organizations have deployed reliably conform to the OpenID Connect standard. The goal is that OpenID Certified implementations will “just work” with one another.

Google, Microsoft, ForgeRock, Ping Identity, Nomura Research Institute, and PayPal are the first industry leaders to participate in the OpenID Connect Certification program and certify that their implementations conform to one or more of the profiles of OpenID Connect standard.

Overview of OpenID Connect Certification Program Process

The OpenID Connect Certification program is based on self-certification – a formal public declaration by an entity that its specific identified deployment of a product or service meets the requirements of specified conformance profiles of the OpenID Connect standard, as demonstrated by passing a set of self-administered conformance tests for those profiles. With self-certification, the organization implementing an OpenID Connect deployment tests its own deployment via the OpenID Connect Conformance Test Suite™ software and verifies that it conforms to one or more defined OpenID Connect profiles. Once the tests for a profile are successfully completed, the organization signs and submits to the OpenID Foundation a Certification of Conformance attesting that it successfully completed the software tests, and asserting that its deployment conforms to the designated OpenID Connect profile. Following submission of the required materials, the self-certifications are published. These certifications are also registered by the OpenID Foundation at the Open Identity Exchange’s publicly accessible identity registry, known as OIXnet.

The OpenID Foundation is taking a phased approach to rolling out the OpenID Connect Certification program. The initial phase is now complete, launching with the certification of OpenID Connect identity providers by Google, Microsoft, ForgeRock, Ping Identity, Nomura Research Institute, and PayPal. The next phase will add relying party certification and make self-certification available to all OIDF members in good standing starting in May 2015. The planned third phase in the roadmap will make the OpenID Connect Certification program generally available in January 2016.

The OpenID Certification testing suite is open source software that was developed in cooperation with Umeå University in Sweden, with its development also partially supported by the European Union GÉANT project under a grant to promote interoperability of digital identity systems.

Comments by Industry Leaders

“The rapid adoption of OpenID Connect worldwide required us to create light-weight certification processes to meet the growing volume, velocity and variety of online transactions,” said Don Thibeau, Executive Director of the OpenID Foundation. “Self-certification is an important tool created and vetted by industry leaders. These intense competitors have come together to build a more secure and trusted Internet identity ecosystem.”

“Widely-available secure interoperable digital identity is the key to enabling easy-to-use, high-value cloud-based services and applications available for people to use on the devices they love,” said Alex Simons, Director of Program Management for Microsoft Active Directory. “Certification of Azure Active Directory and additional products to come helps assure developers, customers, and partners that OpenID Connect will just work.”

“This program enables us to build conformance testing into our ongoing engineering process which ensures that Google’s system for managing users’ account information remains interoperable with apps and web sites across the Internet,” said Eric Sachs, Product Management Director for Identity.

“Ping Identity lives and breathes open identity standards. They are key to the expertise and experience that we provide to our clients. The OpenID certification of Ping deployments is proof positive of the interoperability today’s enterprise requires,” said Andre Durand, CEO of Ping Identity.

“ForgeRock is at the center of multiple open standards communities globally as we pride ourselves on our open architecture and user-centric focus. We see OpenID Connect self-certification providing the reliability and consistency that the market demands,” said Lasse Andresen, CTO of ForgeRock.

“As a leader in payment services, PayPal is continually investing in its security infrastructure to ensure consumers have a seamless experience whether they’re on their mobile, online or in store. We have always embraced open standards, and this initiative further raises the bar on assurance for our consumers when they use PayPal across the digital ecosystem,” said Raj Mata, Sr. Director, Platform Product Management. “PayPal is excited to be part of this effort to make interoperable digital identity a reality across platforms and vendors.”

“NRI Group has been working on the identity standards for over a decade and is happy to ‘Self-certify’ both our open source implementation and the product provided through NRI Secure Technologies, our security solution subsidiary,” said Hiroshi Masutani, Senior Managing Director of Nomura Research Institute. “Self-certification is a low overhead, low cost, scalable open source option that’s another tool to provide robust services based on an open standard. The registration of the OpenID Connect self-certifications will increase trust through transparency and enable increased interoperability.”

“The OIXnet Registry and the OpenID Connect test suite will be hosted by Symantec to ensure the security of the trust framework resources and certifications,” said Vice Chairman of OIX Paul Agbabian, VP, Fellow, and CTO, Enterprise Security Business at Symantec. “As a global leader in security, we are excited to lend our expertise and be a part of these valuable efforts.”

About OpenID Connect

OpenID Connect is a secure, mobile-ready, privacy-enhancing open identity standard. OpenID Connect has been widely adopted since its finalization in 2014.

Further information about OpenID Connect and the OpenID Connect Self-Certification program is available at and

About the OpenID Foundation

The OpenID Foundation is an international non-profit organization of individuals and companies committed to enabling, promoting and protecting OpenID technologies. Formed in June 2007, the foundation serves as a public trust organization representing the open community of developers, vendors, and users. The OIDF assists the community by providing needed infrastructure and help in promoting and supporting expanded adoption of OpenID technologies. This entails managing intellectual property and brand marks as well as fostering viral growth and global participation in the proliferation of OpenID.

OpenID is a registered trademark of the OpenID® Foundation.

# # #

News Media Contacts:

Jeff Fishburn
OnPR for OpenID Foundation

Don Thibeau
Executive Director, OpenID Foundation

by Don Thibeau at April 17, 2015 01:00 PM

Final OpenID 2.0 to OpenID Connect Migration Specification Approved

The OpenID 2.0 to OpenID Connect Migration specification has been approved as a Final Specification by a vote of the OpenID Foundation members. A Final Specification provides intellectual property protections to implementers of the specification and is not subject to further revision.

This specification defines how to migrate from OpenID 2.0 to OpenID Connect.

The voting results were:

  • Approve – 28 votes
  • Disapprove – 0 votes
  • Abstain – 4 votes

Total votes: 32 (out of 158 members = 20.3% > 20% quorum requirement)

— Michael B. Jones – OpenID Foundation Board Secretary

by Mike Jones at April 17, 2015 12:24 AM

April 06, 2015

Vote to approve final OAuth 2.0 Form Post Response Mode specification

The OpenID Connect Working Group recommends approval of the following specification as an OpenID Final Specification:

  • OAuth 2.0 Form Post Response Mode 1.0 – Defines how to return OAuth 2.0 Authorization Response parameters (including OpenID Connect Authentication Response parameters) using HTML form values that are auto-submitted by the User Agent using HTTP POST

A Final Specification provides intellectual property protections to implementers of the specification and is not subject to further revision.

The official voting period will be between Friday, April 17th and Friday, April 24th, 2015. For the convenience of members, voting actually opened on Monday, April 6th for members who have completed their reviews by then, with the voting period still ending on Friday, April 24th. Vote now at

Voting to approve the OpenID 2.0 to OpenID Connect Migration 1.0 specification is also open at through April 9th.

If you’re not already a member, or if your membership has expired, please consider joining to participate in the approval vote. Information on joining the OpenID Foundation can be found at

A description of OpenID Connect can be found at The working group page is

– Michael B. Jones, OpenID Foundation Secretary

by Mike Jones at April 06, 2015 09:38 PM

March 23, 2015

Nat Sakimura


photo by Brian Solis (2009) CC-BY. He has probably aged a little more by now.


This is the news from Yahoo! Tech[1] that David has been tapped as the White House's "director of information technology". In Japanese, would "情報技術長官" be the right rendering of that? According to the Wikipedia list of US government terminology[2], "Director" is apparently "長官"... (Someone who knows, please tell me...)

He was a driving force behind the founding of the US OpenID® Foundation and its first vice chairman, and is also the primary author of OpenID® Authentication 2.0. At the time he was working at SixApart and then Verisign Labs; after that he went to Facebook, where he took Facebook's identity system partway to OAuth 2.0[3], and then moved on to the Open Compute Project[4], where he also left his mark.



  • Smarter government IT delivery: so that the technology used by the White House is efficient, effective and secure.
  • Modernizing software for collaboration, and introducing new technology in step with private-sector best practices.


Incidentally, the White House is reportedly requesting $105M (about 12 billion yen) in next year's budget to form digital teams in 25 agencies, so the poaching from Silicon Valley will probably continue.



[1] Alyssa Bereznak, “Exclusive: Facebook Engineering Director Is Headed to the White House”, (2015-03-19), Yahoo! Tech,

[2] Wikipedia, 米国政府用語一覧 (list of US government terminology)

[3] It is a pity that it stalled there... As a result, FB is still at about OAuth 2.0 draft 10 or thereabouts...

[4] Roughly speaking, an effort to open up and spread Google- and Facebook-style server designs.

[5] Anita Breckenridge, “President Obama Names David Recordon as Director of White House Information Technology”, The Whitehouse Blog, (2015-03-19),

[6] Mariella Moon, “White House names top Facebook engineer as first director of IT”, Engadget

by Nat at March 23, 2015 12:53 PM

Nat Sakimura





Lawyers aside, I suspect this is not understood by the general public at all. That is why I made it a major topic at the recent OpenID BizDay[3].








[1] Takato Natsui: “鈴木正朝・高木浩光・山本一郎『ニッポンの個人情報 -「個人を特定する情報が個人情報である」と信じているすべての方へ』” (Masatomo Suzuki, Hiromitsu Takagi and Ichiro Yamamoto, Personal Information in Japan: For Everyone Who Believes That "Information Identifying an Individual Is Personal Information"), Cyber Law Blog, (2015/3/23),

[2] Masatomo Suzuki, Hiromitsu Takagi and Ichiro Yamamoto, 『ニッポンの個人情報 -「個人を特定する情報が個人情報である」と信じているすべての方へ』 (Personal Information in Japan: For Everyone Who Believes That "Information Identifying an Individual Is Personal Information"), Shoeisha (2015/2/20)

[3] Nat Sakimura: 『セミナー:企業にとっての実践的プライバシー保護~個人情報保護法は免罪符にはならない』 (Seminar: Practical Privacy Protection for Businesses: The Personal Information Protection Act Is Not an Indulgence), @_Nat Zone, (2015-03-01)

by Nat at March 23, 2015 11:50 AM

March 17, 2015

Kaliya Hamlin

Ello….on the inside

So. I FINALLY got my invitation to Ello.

I go in…make an account.

I check the Analytics section.

Ello uses an anonymized version of Google Analytics to gather and aggregate general information about user behavior. Google may use this information for the purpose of evaluating your use of the site, compiling reports on site activity for us and providing other services relating to site activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. To the best of our knowledge, the information gathered by Google on Ello’s behalf is collected in such a way that neither Ello, nor Google, can easily trace saved information back to any individual user.

Ello is unique in that we offer our users the option to opt-out of Google Analytics on the user settings page. We also respect “Do Not Track” browser settings. On your Ello settings page, you can choose to turn Google Analytics off completely when you visit the Site. If you choose either of these options, we make best efforts not to send any data about your user behavior, anonymized or otherwise, to Google or any other third party service provider. Please be aware that there may be other services that you are using and that are not controlled by Ello (including Google, Google Chrome Web Browser, Android Operating System, and YouTube) that may continue to send information to Google when you use the Site, even if you have asked us not to send information through our services.

Not sure what to make of all this.

by Kaliya Hamlin, Identity Woman at March 17, 2015 12:24 AM