Planet OpenID

July 27, 2014

Kaliya Hamlin

Resources for HopeX Talk.

I accepted an invitation from Aestetix to present with him at HopeX (10).

It was a follow-on talk to his Hope 9 presentation that was on #nymwars.

He is on the volunteer staff of the HopeX conference and was on the press team that helped handle all the press that came for the Ellsberg - Snowden conversation that happened mid-day Saturday.  It was amazing and it went over an hour - so our talk that was already at 11pm (yes) was scheduled to start at midnight.

Here are the slides for it - I modified them enough that they make sense if you just read them.  My hope is that we explain NSTIC, how it works and the opportunity to get involved to actively shape the protocols and policies maintained.

I am going to put the links about joining the IDESG up front, because that was our intention in giving the talk: to encourage folks coming to HopeX to get involved, to ensure that the technologies and policies let citizens use verified identity online when it is appropriate, and, most importantly, to make SURE that the freedom to be anonymous and pseudonymous online is preserved.
This image is SOOO important I'm pulling it out and putting it here in the resources list.

WhereisNSTIC

There are only about 100 active people within the organization known as the Identity Ecosystem Steering Group, as called for in the National Strategy for Trusted Identities in Cyberspace, published by the White House and signed by President Obama in April 2011, which originated from the Cyberspace Policy Review done just after he came into office in 2009. Here is the website for the National Program Office.

The organization's website is here:  ID Ecosystem - we have just become an independent organization.

My step-by-step instructions: How to JOIN.

Information on the committees - the one that has the most potential to shape the future is the Trust Framework and Trust Mark Committee

Here is the video.

From the Top of the Talk

Links to us:
Aestetix -  @aestetix Nym Rights
Kaliya - @identitywoman  -  my blog identitywoman.net

Aestetix - background + intro #nymwars from Hope 9

Aestetix's links will be up here within 24h
We mentioned Terms and Conditions May Apply - follows Mark Zuckerberg at the end.

Kaliya  background + intro

I have had my identity woman blog for almost 10 years  as an Independent Advocate for the Rights and Dignity of our Digital Selves. Saving the world with User-Centric Identity

In the early 2000’s I was working on developing distributed Social Networks  for Transformation.
I got into technology via Planetwork and its conference in 2000 themed: Global Ecology and Information Technology.  They had a think tank following that event and then published in 2003 the Augmented Social Network: Building Identity and Trust into the Next Generation Internet.
The ASN and the idea that user-centric identity based on open standards was essential all made sense to me: the future of identity online, our freedom to connect and organize, was determined by the protocols.  The future is socially constructed and we get to MAKE the protocols . . . and without open protocols for digital identity our IDs will be owned by commercial entities, the situation we are in now.
Protocols are Political - this book articulates this - Protocols: How Control Exists after Decentralization by Alexander R. Galloway. I excerpted key concepts of Protocol on my blog in my NSTIC Governance Notice of Inquiry.
I co-founded the Internet Identity Workshop in 2005 with Doc Searls and Phil Windley.  We are coming up on number 19 the last week of October in Mountain View and number 20 the third week of April 2015.
I founded the Personal Data Ecosystem Consortium in 2010 with the goal of connecting start-ups around the world building tools for individuals to collect, manage and get value from their personal data, along with fostering ethical data markets.  The World Economic Forum has done work on this (I have contributed to this work) with their Rethinking Personal Data Project.
I am shifting out of running PDEC to being Co-CEO, with my partner William Dyson, of a company in the field, The Leola Group.

NSTIC

Aestetix and I met just after his talk at HOPE 9 around the #nymwars (we were both suspended).
So where did NSTIC come from? The Cyberspace Policy Review in 2009 just after Obama came into office.
Near-Term Action Plan:
#10 Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation.
Mid-Term Action Plan:
#13 Implement, for high-value activities (e.g., the Smart Grid), an opt-in array of interoperable identity management systems to build trust for online transactions and to enhance privacy.
NSTIC was published in 2011: Main Document - PDF  announcement on White House Blog.
Trust Frameworks are at the heart of what they want to develop to figure out how things work.
What will happen with results of this effort?
The Cyber Security Framework (paper) the Obama Administration just outlined. NSTIC is not discussed in the framework itself, but both it and the IDESG figure prominently in the Roadmap that was released as a companion to the Framework.  The Roadmap highlights authentication as the first of nine different, high-priority “areas of improvement” that need to be addressed through future collaboration with particular sectors and standards-developing organizations.

The inadequacy of passwords for authentication was a key driver behind the 2011 issuance of the National Strategy for Trusted Identities in Cyberspace (NSTIC), which calls upon the private sector to collaborate on development of an Identity Ecosystem that raises the level of trust associated with the identities of individuals, organizations, networks, services, and devices online.

I wrote this article just afterwards: National! Identity! Cyberspace! Why we shouldn't Freak out about NSTIC   (it looks blank - scroll down).
Aaron Titus wrote a similar post explaining more about NSTIC relative to the fears arising online that this is a National ID.
Staff for National Program Office

They put out a Notice of Inquiry to figure out how this Ecosystem should be governed.

Many people responded to the NOI - here are all of them.

I wrote a response to the NSTIC Notice of Inquiry about Governance. This covers much of the history of the user-centric community and my vision of how to grow consensus. Most important for my NSTIC candidacy are the chapters about citizens' engagement in the systems, co-authored with Tom Atlee, the author of the Tao of Democracy and the just published Empowering Public Wisdom.

The NPO hosted a workshop on Governance and another one on Privacy, where they invited me to present on the Personal Data Ecosystem.  The technology conference got folded into IIW in the fall of 2011.

O'Reilly Radar called it The Manhattan Project for online identity.

The National Program Office published a proposed:

Charter for the  IDESG Organization

ByLaws  and Rules of Association for the IDESG Organization

Also what committees should exist and how it would all work in this webinar presentation.  The Recommended Structure is on slide 6.  They also proposed a standing committee on privacy as part of the IDESG.

THEN (because they were so serious about private sector leadership) they published a proposed 2 year work plan, BEFORE the first Plenary meeting in Chicago in August 2012.

They put out a bid for a Secretariat to support the forthcoming organization and awarded it to a company called Trusted Federal Systems.
The plenary was and is open to anyone and any organization from anywhere in the world. It is still open to anyone. You can join by following the steps on my blog post about it.
At the first meeting in August 2012 the management council was elected. The committees they decided should exist ahead of time had meetings.
The committees - You can join them - I have a whole post about the committees so you can adopt one.

Nym Issues!!!

So after the #nymwars it seemed really important to bring the issues around Nym Rights and Issues into NSTIC - IDESG.  They were confused - even though their bylaws say that committees. I supported Aestetix writing out a charter for a new committee - I read it for the plenary in November of 2012 - he attended the Feb 2013 Plenary in Phoenix. I worked with several other Nym folks to attend the meeting too.
They suggested that NymRights was too confrontational a name, so we agreed that Nym Issues would be a fine name. They also wanted to make sure that it would just become a sub-committee of the Privacy Committee.
It made sense to organize "outside" the organization so we created NymRights.
Basically the committee and its efforts have been stalled in limbo.
Aestetix's links will be up here within 24h

The Pilot Grants from the NPO

Links
Year 1 - announcement about the FFO, potential applicant webinar, announcement about all the grantees and an FAQ.
  • Daon, Inc. (Va.): $1,821,520
    The Daon pilot will demonstrate how senior citizens and all consumers can benefit from a digitally connected, consumer friendly Identity Ecosystem that enables consistent, trusted interactions with multiple parties online that will reduce fraud and enhance privacy. The pilot will employ user-friendly identity solutions that leverage smart mobile devices (smartphones/tablets) to maximize consumer choice and usability. Pilot team members include AARP, PayPal, Purdue University, and the American Association of Airport Executives.
  • The American Association of Motor Vehicle Administrators (AAMVA) (Va.): $1,621,803
    AAMVA will lead a consortium of private industry and government partners to implement and pilot the Cross Sector Digital Identity Initiative (CSDII). The goal of this initiative is to produce a secure online identity ecosystem that will lead to safer transactions by enhancing privacy and reducing the risk of fraud in online commerce. In addition to AAMVA, the CSDII pilot participants include the Commonwealth of Virginia Department of Motor Vehicles, Biometric Signature ID, CA Technologies, Microsoft and AT&T.
  • Criterion Systems (Va.): $1,977,732
    The Criterion pilot will allow consumers to selectively share shopping and other preferences and information to both reduce fraud and enhance the user experience. It will enable convenient, secure and privacy-enhancing online transactions for consumers, including access to Web services from leading identity service providers; seller login to online auction services; access to financial services at Broadridge; improved supply chain management at General Electric; and first-response management at various government agencies and health care service providers. The Criterion team includes ID/DataWeb, AOL Corp., LexisNexis®, Risk Solutions, Experian, Ping Identity Corp., CA Technologies, PacificEast, Wave Systems Corp., Internet2 Consortium/In-Common Federation, and Fixmo Inc.
  • Resilient Network Systems, Inc. (Calif.): $1,999,371
    The Resilient pilot seeks to demonstrate that sensitive health and education transactions on the Internet can earn patient and parent trust by using a Trust Network built around privacy-enhancing encryption technology to provide secure, multifactor, on-demand identity proofing and authentication across multiple sectors. Resilient will partner with the American Medical Association, Aetna, the American College of Cardiology, ActiveHealth Management, Medicity, LexisNexis, NaviNet, the San Diego Beacon eHealth Community, Gorge Health Connect, the Kantara Initiative, and the National eHealth Collaborative. In the education sector, Resilient will demonstrate secure Family Educational Rights and Privacy Act (FERPA) and Children’s Online Privacy Protection Act (COPPA)-compliant access to online learning for children. Resilient will partner with the National Laboratory for Education Transformation, LexisNexis, Neustar, Knowledge Factor, Authentify Inc., Riverside Unified School District, Santa Cruz County Office of Education, and the Kantara Initiative to provide secure, but privacy-enhancing verification of children, parents, teachers and staff, as well as verification of parent-child relationships.
  • University Corporation for Advanced Internet Development (UCAID) (Mich.): $1,840,263
    UCAID, known publicly as Internet2, intends to build a consistent and robust privacy infrastructure through common attributes; user-effective privacy managers; anonymous credentials; and Internet2's InCommon Identity Federation service; and to encourage the use of multifactor authentication and other technologies. Internet2's partners include the Carnegie Mellon and Brown University computer science departments, University of Texas, the Massachusetts Institute of Technology, and the University of Utah. The intent is for the research and education community to create tools to help individuals preserve privacy and a scalable privacy infrastructure that can serve a broader community, and add value to the nation's identity ecosystem.

Year 2 - announcement about the FFO, potential applicant webinar, announcement about the grantees.

  • Transglobal Secure Collaboration Participation, Inc. (TSCP) (Va.): $1,264,074
    The TSCP pilot will deploy trusted credentials to conduct secure business-to-business, government-to-business and retail transactions for small and medium-sized businesses and financial services companies, including Fidelity Investments and Chicago Mercantile Exchange. As part of this pilot, employees of participating businesses will be able to use their existing credentials to securely log into retirement accounts at brokerages, rather than having to obtain a new credential. Key to enabling these cross-sector transactions will be TSCP's development of an open source, technology-neutral Trust Framework Development Guidance document that can provide a foundation for future cross-sector interoperability of online credentials.
  • Georgia Tech Research Corporation (GTRC) (Ga.): $1,720,723
    The GTRC pilot will develop and demonstrate a "Trustmark Framework" that seeks to improve trust, interoperability and privacy within the Identity Ecosystem. Trustmarks are a badge, image or logo displayed on a website to indicate that the website business has been shown to be trustworthy by the issuing organization. Defining trustmarks for specific sets of policies will allow website owners, trust framework providers and individual Internet users to more easily understand the technical, business, security and privacy requirements and policies of the websites with which they interact or do business. Supporting consistent, machine-readable ways to express policy can enhance and simplify the user experience, raise the level of trust in online transactions and improve interoperability between service providers and trust frameworks. Building on experience developing the National Identity Exchange Federation (NIEF), GTRC plans to partner with the National Association of State Chief Information Officers (NASCIO) and one or more current NIEF member agencies, such as Los Angeles County and the Regional Information Sharing Systems (RISS).
  • Exponent (Calif.): $1,589,400
    The Exponent pilot will issue secure, easy-to-use and privacy-enhancing credentials to users to help secure applications and networks at a leading social media company, a health care organization and the U.S. Department of Defense. Exponent and partners Gemalto and HID Global will deploy two types of identity verification: the use of mobile devices that leverage so-called "derived credentials" stored in the device's SIM card and secure wearable devices, such as rings and bracelets. Solutions will be built upon standards, ensuring an interoperable system that can be easily adopted by a wide variety of organizations and companies.
  • ID.me, Inc. (Va.): $1,204,957
    ID.me, Inc.'s Troop ID will develop and pilot trusted identity solutions that will allow military families to access sensitive information online from government agencies, financial institutions and health care organizations in a more privacy-enhancing, secure and efficient manner. Troop ID lets America's service members, veterans, and their families verify their military affiliation online across a network of organizations that provides discounts and benefits in recognition of their service. Today, more than 200,000 veterans and service members use Troop ID to access benefits online. As part of its pilot, Troop ID will enhance its current identity solution to obtain certification at Level of Assurance 3 from the U.S. General Services Administration's Trust Framework Providers program, enabling Troop ID credential holders to use their solution not only at private-sector sites, but also when interacting online with U.S. government agencies through the recently announced Federal Cloud Credential Exchange (FCCX). Key project partners include federal government agencies and a leading financial institution serving the nation's military community and its families.
  • Privacy Vaults Online, Inc. (PRIVO) (Va.): $1,611,349
    Children represent a unique challenge when it comes to online identity. Parents need better tools to ensure safe family use of the Internet, while online service providers need to comply with the requirements of the Children's Online Privacy Protection Act (COPPA) when they deal with minors under the age of 13. PRIVO will pilot a solution that provides families with COPPA-compliant, secure, privacy-enhancing credentials that will enable parents and guardians to authorize their children to interact with online services in a more privacy-enhancing and usable way. Project partners, including one of the country's largest online content providers and one of the world's largest toy companies, will benefit from a streamlined consent process while simplifying their legal obligations regarding the collection and storage of children's data.

Year 3 - ? announcement about FFO - grantees still being determined.

Big Issues with IDESG

Diversity and Inclusion

I have been raising these issues from its inception (pre-inception in fact I wrote about them in my NOI).

I was unsure if I would run for the management council again. I wrote a blog post about these concerns that apparently made the NPO very upset.  I was subsequently "uninvited" to the International ID Conf they were hosting at the White House Conference Center for other western liberal democracies trying to solve these problems.

Tech President Covered the issues and did REAL REPORTING about what is going on.  In Obama Administration's People Powered Digital Security Initiative, There's Lots of Security, Fewer People.

This is in contrast to a wave of hysterical posts about National Online ID pilots being launched.

The IDESG has issues with how the process happens. It is super TIME INTENSIVE.  It is not well designed so that people with limited time can get involved.  We have an opportunity to change things by becoming our own organization.

The 9th Plenary Schedule can be seen here.  There was a panel on the first day with representatives who said that people like them and others from other communities needed to be involved AS the policy is made.  Representatives from these groups were on the panel and it was facilitated by Jim Barnett from the AARP.

  • NAACP
  • Association of the Blind
  • ACLU

The Video is available online.

The "NEW" IDESG

The organization is shifting from being a government initiative to being one that is its own independent organization.

The main work where the TRUST FRAMEWORKS are being developed is in the Trust Framework and Trust Mark Committee.  You can see their presentation from the last committee here.

Key Words & Key Concepts from the Identity Battlefield

Trust

What is Identity?  It's Socially Constructed and Contextual

Identity is Subjective

Aestetix's links will be up here within 24h

What are Identifiers?: Pointers to things within particular contexts.

Abrahamic Cultural Frame for Identity / Identifiers

Relational  Cultural Frame for Identity / Identifiers

What does Industry mean when it says "Trusted Identities"?

What is Verified?

AirBnB
Verified ID in the context of the Identity Spectrum : My post about the spectrum.

Reputation

In Conclusion: HOPE!

We won the #nymwars!

Links to Google's apology.

Skud's: The Apology we hoped for.

More of Aestetix's links will be up here within 24h

The BC Government's Triple Blind System

Article about the system they have created and the citizen engagement process to get citizen buy-in, with 36 randomly selected citizens to develop future policy recommendations for it.

Article about what they have rolled out in Government Technology.

Join the Identity Ecosystem Steering Group

Get engaged in the process to make sure we maintain the freedom to be anonymous and pseudonymous online.

Attend the next  (10th) Plenary in mid-September in Tampa at the Biometrics Conference

Join Nym Rights group.

http://www.nymrights.org

Come to the Internet Identity Workshop

Number 19 - Last week of October - Registration Open

Number 20 - Third week of April

by Kaliya Hamlin, Identity Woman at July 27, 2014 07:53 PM

July 26, 2014

Kaliya Hamlin

I've co-founded a company! The Leola Group

Thursday evening following Internet Identity Workshop #18 in May I co-founded and became Co-CEO of the Leola Group with my partner William Dyson.

So how did this all happen? Through a series of interesting coincidences in the 10 days (yes just 10 days) William got XDI to work for building working consumer facing applications. He showed the music meta-data application on Thursday evening and wowed many with the working name Nymble registry.  The XDI [eXtensible Resource Identifier Data Interchange] standard has been under development at OASIS for over 10 years. Getting it to actually work and having the opportunity to begin to build applications that really put people at the center of their own data lives is a big step forward both for the Leola Group and the Personal Data community at large.

William and I met in September of 2013 via an e-mail introduction from Drummond Reed.  We started working together the day I met him on the efemurl project.  We were dating a few days later and a few weeks later we were engaged. We announced this during the closing circle at IIW #17.

The efemurl project was taking an extensively featured web platform William had built over several years and working to further develop it and turn it into a consumer co-operative.  The short hand way to describe it, you know in that way they describe movie plots, is that it's like Google and REI have a baby.  The core ideas developed for the efemurl platform will be brought over into the applications the Leola Group is developing.  Core aspects of what the Leola Group is are too valuable to be owned by one company and we will be working with Planetwork to turn the operation of those into a consumer co-operative.

So big questions for people in the community include:

Are you still involved with IIW? 
Yes of course!  IIW will continue and my role with it will too. Phil Windley founded his company Kynetx and continues to be a co-leader of IIW with me and Doc.  We have a great production team led by Heidi Nobantu Saul.

What is going to happen to PDEC?

We have worked to create a 6 month transition plan for the organization/community to new leadership.   We have brought on Dean Landsman (well known for his leadership in the VRM community) to serve as Communications Director and, among other things, host regular community calls and host a podcast.  As part of taking on the Co-CEO role in the new company I have woven into the job taking the time needed to properly transition out of my role as Executive Director and work with the community over the next 6 months to get governance in line and then have that leadership group hire a new Executive Director. You can read more about it on the PDEC blog and see a video we made.

The organization just welcomed 11 new members. Dean will be presenting about his new role with PDEC at the Personal Data Meetup in NYC on Monday.

When are you getting Married?

William and I are getting married the weekend after IIW #20 which is April 7-9 (Yes, it's way early!!!).  This will help friends coming for IIW from around the world being able to join in the celebration.

by Kaliya Hamlin, Identity Woman at July 26, 2014 05:27 PM

May 19, 2014

OpenID.net

The Economics of Identity

Those of us working on Internet identity issues have lots of conferences to attend when it comes to technology and privacy. Less attention has been paid to how to make money, how value is created, and how business models and monetization work across sectors. Meanwhile governments and companies are reorganizing to better address Internet identity as a cross sector “strategic utility”. OIX Vice Chairman and Senior Fellow / CTO at Symantec, Paul Agbabian, has encouraged OIX’s quantitative market research on new and emerging internet identity services. OIX’s market research on identity business cases has three elements.

OIX has helped fund Control Shift’s independent primary research on market take up in the UK. A diverse set of organizations are contributing to the study by providing data and insights and helping to identify revenue opportunities and efficiencies relevant to their sectors and business models. The more comprehensive the sources the more complete the UK study and the model becomes more applicable to other markets. OIX is planning to publish the results in early June.

We’ve commissioned a series of white papers on value drivers like liability, trustmarks, alternatives to third party certification, etc. to provide new solutions for the roadblocks of bringing new systems and services online. This provides presenters and participants “pre-reads” to maximize the value of attending for all and the basis for follow up research.

OIX is building a series of “Economics of Identity” workshops with members and partners. The first of the series will take place on June 9th at the KPMG Offices in Canary Wharf, London’s financial and banking business heart. This event will be a global summit to consider the ‘economics’ of internet identity that includes very senior level public and private sector leaders. The attendees of this workshop will be privy to a convergence of OIX White Papers and IDAP industry project showcases, enabling the discussion on understanding this market's economic value. Alexander B. Howard, renowned writer and editor spanning technology issues of online identity, will MC the event.

We will follow that event at The Gates Center at the University of Washington in Seattle on June 23rd and are planning additional workshops in September 2014 and Spring 2015.

by jfe at May 19, 2014 11:27 PM

May 15, 2014

OpenID.net

Covert Redirect

“Covert Redirect”, publicized in May, 2014, is an instance of attackers using open redirectors – a well-known threat, with well-known means of prevention. The OpenID Connect protocol mandates strict measures that preclude open redirectors to prevent this vulnerability.

Please see Section 4.2.4 of RFC 6819 (http://tools.ietf.org/html/rfc6819#section-4.2.4) for more information on open redirector threats and their prevention.

by Pamela Dingle at May 15, 2014 09:12 PM
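The prevention the post above points to (RFC 6819 section 4.2.4, and the exact redirect_uri matching OpenID Connect Core requires), shown as an added example; this is not code from the OpenID Foundation or from the post, and the client id, registered URI, hostnames and the `/go?next=` open-redirector path are all constructed for illustration. It contrasts a loose same-host check on the authorization server with the exact-string match the protocol mandates, and shows how a relying party closes the open redirector on its own side by only following local paths:

```python
"""Added example: redirect_uri validation at the authorization server (loose
vs. exact match) and a safe post-login redirect on the relying party.
All names, hosts and URIs here are constructed, not taken from any real deployment."""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed registration data for one hypothetical relying party, "client-123".
# A real authorization server holds these per client in its registration store.
REGISTERED_REDIRECT_URIS = {
    "client-123": ["https://rp.example.com/oidc/callback"],
}

# Constructed: the redirect_uri an attacker would put in an authorization request,
# pointing at a hypothetical open redirector (/go?next=...) on the legitimate host.
COVERT_REDIRECT_URI = "https://rp.example.com/go?next=https://attacker.example/"


def loose_redirect_allowed(client_id: str, redirect_uri: str) -> bool:
    """Weak check: any https URI on the same host as a registered URI passes.
    With an open redirector on that host, the code or token in the authorization
    response ends up wherever the redirector's parameter points."""
    registered_hosts = {
        urlsplit(u).hostname for u in REGISTERED_REDIRECT_URIS.get(client_id, [])
    }
    parts = urlsplit(redirect_uri)
    return parts.scheme == "https" and parts.hostname in registered_hosts


def strict_redirect_allowed(client_id: str, redirect_uri: str) -> bool:
    """What OpenID Connect Core requires: the redirect_uri must exactly equal
    (simple string comparison) one of the values pre-registered for the client."""
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, [])


def safe_local_redirect(next_param: Optional[str], default: str = "/") -> str:
    """Relying-party side: closing the open redirector itself. Only a path on
    this site is followed. Absolute URLs, scheme-relative "//host" forms and
    backslash variants (which browsers normalise to "/") fall back to default."""
    if not next_param or "\\" in next_param:
        return default
    if not next_param.startswith("/") or next_param.startswith("//"):
        return default
    parts = urlsplit(next_param)
    if parts.scheme or parts.netloc:
        return default
    # Keep path and query, drop the fragment (browsers never send it to the server).
    return urlunsplit(("", "", parts.path, parts.query, ""))


def authorization_redirect(
    client_id: str, redirect_uri: str, strict: bool = True
) -> Optional[str]:
    """Authorization-server decision: where (if anywhere) to send the response.
    Returns None when the redirect_uri is rejected; the server must then show the
    user an error rather than redirect (RFC 6749 section 3.1.2.4)."""
    check = strict_redirect_allowed if strict else loose_redirect_allowed
    return redirect_uri if check(client_id, redirect_uri) else None


if __name__ == "__main__":
    for strict in (False, True):
        print("strict" if strict else "loose ", "->",
              authorization_redirect("client-123", COVERT_REDIRECT_URI, strict))
    print(safe_local_redirect("//attacker.example"),
          safe_local_redirect("/account?tab=security"))
```

Run stand-alone, the loose check forwards the response to the open redirector while the strict check rejects it and returns `None`. The raw-string checks in `safe_local_redirect` matter: `urlsplit` parses `///attacker.example` as a plain path, but browsers resolve it as a host, so the string itself is tested for a `//` prefix before any URL parsing.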

May 12, 2014

Kaliya Hamlin

Rosie the [New Language] Developer - Where are you?

This past week we [me, Phil, Heidi + Doc] put on the Internet Identity Workshop. It was amazing.

There is a new project / company forming and they are very keen to have women programmers/developers in the first wave of hires.  They are also committed to cultural diversity.

Since they are developing in a new language - you don't need to have experience in "it" - you just need to have talent and the ability to learn new things.

I asked them for a list of potentially helpful prerequisites:

  • Some experience with ruby on rails
  • Some experience with JSON
  • Some experience with XML
  • Some experience with HTML5
  • Some experience with semantic data modeling
  • Some understanding of the ideas related to the semantic web and giant global graphs

If you are reading the list and thinking "I don't have all of those qualifications", then read this before you decide not to reach out to learn more: The Confidence Gap from this month's Atlantic.  TL;DR "Remember that women only apply if they have 100% of the job's qualifications, but men apply with 60%!"

Please be in touch with me if you are interested. I will connect you with them this week.

Kaliya [at] identitywoman [dot] net

by Kaliya Hamlin, Identity Woman at May 12, 2014 06:25 PM

May 05, 2014

Kaliya Hamlin

Field Guide to Internet Trust Models: Introduction

This is the first in a series of posts that cover the Field Guide to Internet Trust Models Paper.

The post for each of the models is here; the full paper is downloadable [Field-Guide-Internet-TrustID]

The decreasing cost of computation and communication has made it easier than ever before to be a service provider, and has also made those services available to a broader range of consumers. New services are being created faster than anyone can manage or even track, and new devices are being connected at a blistering rate.

In order to manage the complexity, we need to be able to delegate the decisions to trustable systems. We need specialists to write the rules for their own areas and auditors to verify that the rules are being followed.

This paper describes some of the common patterns in internet trust and discusses some of the ways that they point to an interoperable future where people are in greater control of their data. Each model offers a distinct set of advantages and disadvantages, and choosing the appropriate one will help you manage risk while providing the most services.

For each, we use a few, broad questions to focus the discussion:

  • How easy is it for new participants to join? (Internet Scale)
  • What mechanisms does this system use to manage risk? (Security)
  • How much information do the participants require from one another, and how strongly is it verified?

(Level of Assurance - not what I think assurance is... but we can talk - it often also refers to the strength of security, like the number of factors of authentication)

Using the "T" Word
Like “privacy”, “security”, or “love”, the words “trust”, “identity”, and “scale” carry so much meaning that any useful discussion has to begin with a note about how we're using the words.
This lets each link the others to past behavior and, hopefully, predict future actions. The very notion of trust acknowledges that there is some risk in any transaction (if there's no risk, I don't need to trust you) and we define trust roughly as:
The willingness to allow someone else to make decisions on your behalf, based on the belief that your interests will not be harmed.
The requester trusts that the service provider will fulfill their request. The service provider trusts that the user won’t abuse their privileges, or will pay some agreed amount for the service. Given this limited definition, identity allows the actors to place one another into context.

Trust is contextual. Doctors routinely decide on behalf of their patients that the benefits of some medication outweigh the potential side effects, or even that some part of their body should be removed. These activities could be extremely risky for the patient, and require confidence in the decisions of both the individual doctor and the overall system of medicine and science. That trust doesn’t cross contexts to other risky activities. Permission to prescribe medication doesn’t also grant doctors the ability to fly a passenger airplane or operate a nuclear reactor.

Trust is directional. Each party's trust decisions are independent, and are grounded in the identities that they provide to one another.

Trust is not symmetric. For example, a patient who allows a doctor to remove part of their body should not expect to be able to remove parts of the doctor’s body in return. To the contrary, a patient who attempts to act in this way would likely face legal sanction.

Internet Scale

Services and APIs change faster than anyone can manage or even track. Dealing with this pace of change requires a new set of strategies and tools.

The general use of the term “Internet Scale” means the ability to process a high volume of transactions. This is an important consideration, but we believe that there is another aspect to consider. The global, distributed nature of the internet means that scale must also include the ease with which the system can absorb new participants. Can a participant join by clicking “Accept”, or must they negotiate a custom agreement?

In order to make this new world of user controlled data possible, we must move from a model of broad, monolithic agreements to smaller, specialized agreements that integrate with one another and can be updated independently.

A Tour of the Trust Models

The most straightforward identity model, the sole source, is best suited for environments where the data is very valuable or it is technically difficult for service providers to communicate with one another. In this situation, a service provider issues identity credentials to everyone it interacts with and does not recognize identities issued by anyone else. Enterprises employing employees, financial institutions, medical providers, and professional certifying organizations are commonly sole sources. Because this is the most straightforward model to implement, it is also the most common.

Two sole sources might decide that it’s worthwhile to allow their users to exchange information with one another. In order to do so, they negotiate a specific agreement that covers only the two of them. This is called a Pairwise Agreement and, while it allows the two parties to access confidential resources, the need for a custom agreement makes it difficult to scale the number of participants. This is also a kind of federated identity model, which simply means that a service accepts an identity that is managed someplace else.

As communication technology became more broadly available, the number of institutions who wanted to communicate with one another also increased. Groups of similar organizations still wanted to issue their own identities, but wanted their users to be able to interact freely with one another. The prospect of each service having to negotiate a custom agreement with every other service was daunting, so similarly chartered institutions came up with standard contracts that allow any two members to interact. These groups are called Federations, and there are several different kinds. Federation agreements and membership are managed by a Contract Hub.

When the federation agreement limits itself to policy, governance, and common roles, but leaves technical decisions to the individual members, it's referred to as a Mesh Federation. Individual members form a mesh, and can communicate directly with one another using whatever technology they prefer.

Alternatively, a Technical Federation defines communication methods and protocols, but leaves specific governance and policy agreements to the members. In some cases, the technical federation may also route messages between the members.

As the number of services has increased, so has the problem of managing all of those usernames and passwords. Users might decide to reuse an existing identity rather than creating a new one. In recent years, some organizations have made identities that they issue available to other services. Service providers accept these identities because it lowers the cost of user acquisition. When the same entity provides identities for both the requester and the service provider, it is referred to as a Three Party Model.

If the requester and the service provider have separate but compatible identity providers, it is called a Four Party model. This is present in highly dynamic models, such as credit card processing.

Peer-to-peer networks are for independent entities who want identity assurance, but who lack a central service that can issue identities to everyone. To get around this, the participants vouch for one another’s identities.

Individual contract wrappers are an innovation to enable complex connections between services where the terms and conditions of using the data are linked to the data.

Common Internet Trust Models

Sole source: A service provider only trusts identities that it has issued.

Pairwise Federation: Two organizations negotiate a specific agreement to trust identities issued by one another.

Peer-to-Peer: In the absence of any broader agreement, individuals authenticate and trust one another.

Three-Party Model: A common third party provides identities to both the requester and the service provider so that they can trust one another.

“Good Enough” Portable Identity: In the absence of any institutional agreement, service providers accept individual, user-asserted identities.

Federations: A single, standard contract defines a limited set of roles and technologies, allowing similar types of institution to trust identities issued by one another.

Four-Party Model: An interlocking, comprehensive set of contracts allows different types of entity to trust one another for particular types of transaction.

Centralized Token Issuance, Distributed Enrollment: A shared, central authority issues a high-trust communication token. Each service provider independently verifies and authorizes the identity, but trusts the token to authenticate messages.

Individual Contract Wrappers: Manage how personal data is used rather than trying to control collection. Information is paired with contract terms that govern how it can be used. Compliance is enforced through contract law.

Open Trust Framework Listing: An open marketplace for listing diverse trust frameworks and approved assessors.

Personal Cloud + Agents: An individual has a personal cloud and delegates to agents it trusts to work on their behalf.

by Kaliya Hamlin, Identity Woman at May 05, 2014 06:13 PM

April 07, 2014

Kaliya Hamlin

BC Government Innovation in eID + Citizen Engagement.

I wrote an article for Re:ID about the BC Government's Citizen Engagement process that they did for their eID system.

Here is the PDF: reid_spring_14-BC

by Kaliya Hamlin, Identity Woman at April 07, 2014 02:48 AM

Kaliya Hamlin

Big Data and Privacy

On Friday I responded to the Government "Big Data" Request for Comment.

I will get to posting the whole thing in blog form - for now here is the PDF. BigData-Gov-2

by Kaliya Hamlin, Identity Woman at April 07, 2014 02:13 AM

April 01, 2014

OpenID.net

More Momentum: OpenID Connect Adoption

In my last blog, I noted, “it’s time to build out the final elements of OpenID Connect and move to mobile.” We’ll soon announce the official working group with the GSMA focused on an OpenID Connect mobile profile. Foundation members, partners and independent developers continue to integrate OpenID Connect into robust and interoperable identity services and enterprise solutions. Enterprise solutions are the focus of OpenID Workshops preceding the European Identity Conference in Munich in May and the Cloud Identity Summit in Monterey, California.

OIDF member salesforce.com is hosting a webinar next week on Wednesday, April 9th, “OpenID Connect: The new standard for connecting to your Customers, Partners, Apps and Devices.” You can find more information and register by clicking on this link. Join Chuck Mortimore, Pat Patterson, and Ian Glazer’s socks as they overview how OpenID Connect can help better connect customers, partners, apps, and devices. Chuck, Pat and Ian will speak to how OpenID Connect builds on OAuth and how to consume OpenID Connect from identity providers with Social Sign-On. While this webinar is aimed at a technical audience, I’m confident that anyone looking to learn more about identity and standards will benefit.

I will continue to keep you abreast of OpenID Connect events and adoption success stories. Feel free to contact me directly with any events or experiences that you feel should be highlighted.

Thanks,

Don

by jfe at April 01, 2014 09:05 PM

March 31, 2014

Kaliya Hamlin

NSTIC WhipLash - Making Meaning - is a community thing.

Over a week ago I tweeted that I had experienced NSTIC whiplash yet again and wasn't sure how to deal with it. I have been known to speak my mind and get some folks really upset for doing so. Given that I know the social media savvy NSTIC NPO reads all tweets related to their program, they know I said this. They also didn't reach out to ask what I might be experiencing whiplash about.

First of all, since I am big on getting some shared understanding up front, what do I mean by "whiplash"? It is that feeling like you're going along... you think you know the lay of the land, the car is moving along, and all of a sudden out of nowhere a new thing "appears" on the path and you have to slam on the brakes and go huh! what was that? And in the process your head whips forward and back, giving you "whiplash" from the sudden stop/double-take.

I was toddling through and found this post.  What does it Mean to Embrace the NSTIC Guiding Principles?

I'm like ok - what does it mean? and who decided? how?

I read through it and it turns out that in September the NPO just decided it would decide/define the meaning and then write it all out and then suggest in this odd way it so often does that "the committees" just go with their ideas.

"We believe that the respective committees should review these derived requirements for appropriate coverage of the identity ecosystem.   We look forward to continued progress toward the Identity Ecosystem Framework and its associated trustmark scheme."

Why does the NPO continue to "do the work" that the multi-stakeholder institution they set up was created to do, that is, to actually figure out the "meaning" of the document?

Why not come to the Management Council and say - "hey we really need to as a community figure out what it "means" to actually embrace the guiding principles. We need to have a community dialogue that gets to a meaningful concrete list relatively quickly - how should we do that as a community." Then the Management Council would do its job and "manage" the process and actually figure out 1) if the NPO was right that indeed now would be a good time to figure out the meaning of embrace and 2) then figure out how to do it, and the people on the council (and others in the community) who have some experience in leading real multi-stakeholder efforts and skills in inclusive methodologies would have debated and put forward a path. The Secretariat (if it actually functioned as a support organ for the Management Council) would then help the council carry out the process/method and get to the needed "outcome": some community developed articulation of what embracing the principles means. Instead we just have what the NPO staff thinks. Which, while I am sure it is "great" and they are such "hard working, good folks"... it wasn't community generated and therefore not "owned" by the community, which is not good if the outcomes of this effort are to be "trusted" by the public at large. All the core work items of a multi-stakeholder institution can't just be done by the NPO.

by Kaliya Hamlin, Identity Woman at March 31, 2014 07:21 PM

March 21, 2014

OpenID.net

Growing list of OpenID Connect libraries available

The list of publicly available OpenID Connect libraries is growing, with implementations available for numerous development platforms and environments, including Drupal, Java, PHP, Python, and Ruby. See the Libraries page for a list of OpenID Connect libraries, as well as libraries implementing the related JSON Web Token (JWT) and JSON Object Signing and Encryption (JOSE) specifications. These libraries make it easy to join the likewise growing list of OpenID Connect deployments.

If your library isn’t listed and you’d like it to be, please drop us a note on the code@openid.net mailing list or the general@openid.net mailing list.

Also, if you’re interested in participating in OpenID Connect interop testing, please join the openid-connect-interop@googlegroups.com mailing list and ask to be added to the current OpenID Connect interop.

by Mike Jones at March 21, 2014 12:45 AM

March 20, 2014

Santosh Rajan

Browser supported Single Sign on with Email Addresses


In this post I would like to explore Single Sign On with email addresses, with the support of the user's browser. Browsers do not currently support Single Sign On. Recently Mozilla showcased their concept of BrowserID.

I am not comfortable with their use of asymmetric keys, because this requires the user to manage his own private/public keys. Indeed BrowserID will ease the process for the user, but he still needs a private key on every computer he uses. And this may include public computers at browsing centers etc.

So here, I will present a Single Sign On process that will not require asymmetric keys. For the sake of this post we will call the user's email provider "email.com", the site he wants to sign into "site.com", and "BSSO" stands for Browser Supported Single Sign On. This article will not get into the details of algorithms, etc., because each step described here can be carried out in many ways, and has already been implemented in some form or other by other protocols. A good example is OpenID 2.0.

First, I will describe the process when the user is already signed into "email.com", and wants to sign into "site.com".

Case 1 - User signed into email.com


Step 1
The user browses to "site.com". "site.com" needs to indicate to the user's browser that it supports BSSO. This can be done in many ways. I will give one example here. On site.com's page it can include two elements. One element in the html head part like below
<link href="https://site.com/bsso" rel="bsso_end_point"/>
In the body part it can have an element with id "bsso_sign_in_button".
The rel="bsso_end_point" link element will indicate to the browser that this site supports BSSO and it should listen to the click event of the element with id="bsso_sign_in_button".

Step 2
When the user clicks the "Sign In" button for "site.com", the browser will make an authentication request to "email.com" on behalf of "site.com", passing "site.com"'s end point. This requires the user to have pre-selected his preferred email address(es) in the browser's BSSO setup; if not, the browser will show a popup asking the user to select his preferred email address. The browser may also have discovered "email.com"'s end point during setup using webfinger.

Step 3
"email.com" returns a positive assertion of the user's email address. This is not a problem because the user is currently signed into "email.com". Also a private "association key" is included along with the assertion.

Steps (2) and (3) are transparent to the user. The browser makes a cross-domain ajax request to "email.com". This is possible because it is the browser making the request and not any javascript on "site.com"s page.

Step 4
The browser now directs the user to "site.com"'s end point URL with an HTTP POST request, with the assertion returned from "email.com" in the POST body.

Step 5
"site.com" will now verify the assertion by sending the assertion along with the association directly to "email.com"'s endpoint. "site.com" would have also followed the webfinger protocol to determine the end point. It is possible for "site.com" to request a time bound association with "email.com", so that Steps 5 and 6 can be avoided in subsequent requests.

Step 6
"email.com" will respond with success or failure. 

Case 2 - User Not signed into email.com

In the case where the user is not signed into "email.com", in Step 3 "email.com" will respond with a "user not signed in" response along with a sign in url that might have an encoded token in its query parameter. (The encoded token is for preventing phishing, I am not yet sure if this token is required or not as of now). The browser will pop up a window and listen to the popup's close event, and direct the user to the returned sign in url. After sign in "email.com" must "close" the popup via javascript. When the popup is closed the browser will continue with Step 2 again. In case the popup was closed without the user signing in, the browser will receive a "user not signed in" for the second time, in which case the browser has to query the user again.

Some Notes
This may look like a lot of steps, but the user only "sees" (1) and (4). Also (5) and (6) are not required after "site.com" and "email.com" have established an association.

Phishing is not possible, because there are no redirects from "site.com".

The user can sign in from anywhere, there is no need to have any private keys on the computer being used.

Unlike BrowserID, "email.com" will be aware of the sites the user signs into. I don't know how much of a problem this is. It's a debatable issue I guess.

by Santosh Rajan at March 20, 2014 03:56 AM

March 19, 2014

OpenID.net

Last Call on the Launch and the Move to Mobile

This is my first blog after a successful OpenID Connect launch in San Francisco, Barcelona and Japan on February 26th. The launch generated global buzz and coverage. Below are a few links to my previous posts highlighting statements of support and press coverage:
Statements of Support
Additional Statements of Support
OpenID Connect Press Coverage

Congratulations to the OpenID Foundation Marketing Committee and the membership as a whole for the creativity and commitment that launched OpenID Connect from Tokyo, San Francisco and Barcelona.

On behalf of the Foundation, a “thank you” to Tim Bray for his expertise and overall contributions to the OpenID Connect launch. We await news from Tim as he decides what’s next in his highly successful career. We are happy to hear Tim will never be too far from the OpenID Foundation’s work.

Jeff Fishburn from OnPR led the PR efforts and ensured that OpenID Connect received the coverage it deserved at the very “noisy” RSA and Mobile World Congress events. I appreciate the efforts of the PR teams at the GSMA, Google, Microsoft, Ping, Salesforce, ForgeRock and others as well as our OpenID Foundation Japan colleagues in ensuring a successful launch. Thanks to Microsoft and Google for providing direct funding in support of launch activities. Jeff Fishburn’s firm, OnPR, has been a long standing supporter of Jeff’s volunteer efforts on the Marketing Committee over the last few years.

And thanks to Mike Leszcz who has been working with me on OIXnet as Technical Program Manager. Mike helped coordinate the OpenID Connect launch with OIX members like the GSMA. Mike worked closely with Jeff Fishburn on communication efforts and coordinated launch support across time zones, late night deadlines and member organizations.

Now it’s time to build out the final elements of OpenID Connect and prepare to move to mobile. I spent last week in London at the headquarters of OIDF member, the GSMA. We had a big crowd for the kick-off of a new mobile centric working group. It was a diverse turnout of mobile network operators (MNOs), telcos, data aggregators, bureaus, IDPs, SPs, RPs, government standards representatives and others. The all-important scoping discussion was encapsulated in what to call this new working group. Should it be a profile for mobile network operators? Understandable, certainly legitimate, but even the GSMA representatives pushed for more. Tim Bray encouraged the group to leverage the momentum of OpenID Connect to address the systemic needs of the market, developers and consumers alike. Despite, or because of the diversity of stakeholders in the room, a strong consensus grew around the timeliness and importance of the work group’s focus.

OIDF Chairman Nat Sakimura used the OIDF Work Group chartering process to articulate what is now “The Mobile Profile for OpenID Connect Working Group.” No doubt soon to be nicknamed “Mobile Connect”. This Working Group plans to apply to the Specs council to develop an OpenID Connect profile intended for use by MNOs providing identity services to RPs and for RPs in consuming those services as well as any other party wishing to be interoperable with this profile. David Pollington, Senior Director of Technology at the GSMA, is acting Chair of the WG. The draft Charter is also available here and it has been submitted to the OIDF specs list for approval.

I draw your attention to that last part. As part of this work, the Working Group will identify and make recommendations for additional Connect standards items. This is a positive as it can complement and further strengthen Connect adoption. It also signals the increasingly important compatibility with other protocols in the OIDF pipeline, notably Account Chooser and NAPPs. This also strengthens emerging federation architectures in enterprise, government and other sectors.

Foundation members and others interested in the progress of this Working Group as well as others are invited to join. Foundation workshops detailing development of all OIDF protocols are planned for the EIC in Munich, at the Yahoo! Campus before the May IIW, at the European Identity Conference in Munich, and at the Cloud Identity Summit in Monterey, CA in July.

None of this would have been possible without the dedication, direct funding and on-going support of the OIDF and OIX members. Thank you again and I look forward to continuing our work together.

Don Thibeau
Executive Director
OpenID Foundation

by jfe at March 19, 2014 05:04 PM

March 13, 2014

Kaliya Hamlin

I'm not your NSTIC "delegate" any more ... pls get involved.

I have heard over the past few years from friends and associates in the user-centric ID / Personal Cloud / VRM communities, or those people who care about the future of people's identities online, say to me literally - "Well it's good you are paying attention to NSTIC so I don't have to."

I'm writing to say the time for that choice is over. There is about 1 more year left in the process until the "outputs" become government policy under the recently released White House Cyber Security Framework (See below for the specifics).

Key items of work are progressing and the time for "our" world view showing up within the work is now and my ability to get them to be taken seriously is ZERO if I continue to be an almost lone voice expressing these key items - particularly

The Functional Model Group is working on defining all the "bits" of the system. I believe this is where the "personal cloud" should be a key primary function/piece of the ecosystem. So far it has not been raised in a significant way and has not been addressed by the powers that be leading the committee.

The Trust Framework work is progressing rapidly. This is the work to take existing what they call Trust Frameworks (and I think should be called Accountability Frameworks). These are where the existing rules/policies and technologies for various networks are all harmonized, and then through that somehow we get to a kind of meta/uber trust framework and interoperability.

The big challenge that I see is that it is all coming from existing frames within the conversation, which do NOT have a remotely "user centric" frame.

  • I don't hear any conversation about how individuals will be protected from their "Identity Provider" (the entity that has "all" their identity information and vouches for them at a Relying Party).
  • I don't hear any conversation about how people will be protected from over zealous relying parties asking for way too much information.
  • I don't hear any conversation about how individuals will be protected from IdP's and RP's being able to sell their data into the data broker industry.
  • I don't hear any conversation about how people could collect their own attributes and information in a Personal Cloud and from that center of personal sovereignty use it in the ecosystem.

I do see:

  • Assertions that Relying Parties can ask for whatever they want / think they need to complete a transaction and that "the market will decide"
  • Assertions that concerns about people's rights around how they choose to name and identify themselves should be set aside for future iterations.
  • I do see that one of the pilots in the last round of multi-million dollar grants went to a defense industry consortium specifically for "development of an open source, technology-neutral Trust Framework Development Guidance document"

So what should you DO?

1) Sign up to attend the April 1-3 Plenary in Mountain View (bonus you don't have to attend in person) Link Here.

2) Sign up to watch and contribute to the Trust Framework and Functional Model Groups - please see this post OR any of a number of groups with activity.

3) Sign up to join the IDESG organization (that way you can be "official members") of the committees and "vote" on things.  See this Post.

4) Let me know you are keen on getting more involved and I can help connect you others also "diving in" right now [ kaliya AT identitywoman DOT net].

5) Bonus - Attend the Internet Identity Workshop in Mountain View May 6-8 and work with others in the user-centric community on this and other more fun issues (like building cool decentralized, empowering technologies).

This is what I referenced above about it becoming government policy and practice.

As the White House announcement details below, today marked the release of the Cybersecurity Framework crafted by NIST – with input from many stakeholders – in response to President Obama’s Executive Order on Improving Critical Infrastructure Cybersecurity issued one year ago.

NSTIC is not discussed in the framework itself – but both it and the IDESG figure prominently in the Roadmap that was released as a companion to the Framework.  The Roadmap highlights authentication as the first of nine different, high-priority “areas of improvement” that need to be addressed through future collaboration with particular sectors and standards-developing organizations.

The inadequacy of passwords for authentication was a key driver behind the 2011 issuance of the National Strategy for Trusted Identities in Cyberspace (NSTIC), which calls upon the private sector to collaborate on development of an Identity Ecosystem that raises the level of trust associated with the identities of individuals, organizations, networks, services, and devices online.

NSTIC is focused on consumer use cases, but the standards and policies that emerge from the privately-led Identity Ecosystem Steering Group (IDESG) established to support the NSTIC – as well as new authentication solutions that emerge from NSTIC pilots – can inform advances in authentication for critical infrastructure as well.

NSTIC will focus in these areas:
· Continue to support the development of better identity and authentication solutions through NSTIC pilots, as well as an active partnership with the IDESG;

· Support and participate in identity and authentication standards activities, seeking to advance a more complete set of standards to promote security and interoperability; this will include standards development work to address gaps that may emerge from new approaches in the NSTIC pilots.

by Kaliya Hamlin, Identity Woman at March 13, 2014 06:19 AM

March 11, 2014

Kaliya Hamlin

Meta-Governance

This spring I attended the Executive Education program Leadership and Public Policy in the 21st century at the Harvard Kennedy school of government with fellow Young Global Leaders (part of the World Economic Forum).  A line of future inquiry that came to me by the end of that two weeks -

How do we design, create, get functioning and evolve governance systems?

The governance of governance systems = Meta-Governance.

At the Kennedy program all they could talk about was "individual leadership" (with good advice from good teams of course) at the top of organizations. They all waved their hands and said "Good luck young leaders, we know it's more complicated now... and the problems are bigger than just organizational size, but we don't really know what to tell you about how to do inter-organizational collaborative problem solving and innovation... so good luck".

It was surreal because this inter-organizational, complex space is where I spend my work life helping design and facilitate unconferences - it is in that complex inter-organizational place.

I have this clear vision about how to bring my two main career bodies of knowledge together (digital identity + digital systems, and design and facilitation of unconferences using a range of participatory methods) along with a range of other fields/disciplines that I have tracked in the last 10 years.

by Kaliya Hamlin, Identity Woman at March 11, 2014 05:18 AM

Kaliya Hamlin

Core Concepts in Identity

One of the reasons that digital identity can be such a challenging topic to address is that we all swim in the sea of identity every day. We don't think about what is really going on in the transactions... and many different aspects of a transaction can all seem to be one thing. The early Identity Gang conversations focused a lot on figuring out what some core words meant, and developed first a shared understanding and then a shared language to talk about these concepts in the community.

I'm writing this post now for a few reasons.

There is finally a conversation about taxonomy within the IDESG (Yes! after over a year of being in existence it is finally happening; I recommended in my NSTIC NOI Response that it be one of the first things focused on).

Secondly I have been giving a 1/2 day and 1 day seminar about identity and personal data for several years now (You can hire me!).  Recently I gave this seminar in New Zealand to top enterprise and government leaders working on identity projects 3 times in one week.  We covered:

  • The Persona and Context in Life
  • The Spectrum of Identity
  • What is Trust?
  • A Field Guide to Internet Trust
  • What is Personal Data
  • Market Models for Personal Data
  • Government Initiatives Globally in eID & Personal Data

I created a new section of this presentation to cover some core concepts that I realized needed to be fully articulated to talk about

Identifiers (generic)

Identifiers are pointers.

A description of an object and a location can be an identifier for it - "The green chair in the corner."

Names

Names are identifiers.

The names of people are ways to identify them in the context of the society in which they live.  Different societies have different conventions for naming people.

Names are asserted by people about themselves.

Some people use different names in different contexts.

Names are often not unique (that is, more than one person will have the same name as another person).

Identifiers in modern systems 

In modern society governments, organizations and businesses all provide services to people (citizens). If names are not unique the builders of these systems needed to figure out how to identify them to do the record keeping.  A sensible solution to this was to assign a unique identifier number to people so that interactions between the person and the system could be correlated.

Examples: 

An identifier that people in the United States have to track their engagement with the pension system is the Social Security Number. It is issued or assigned to people by the Social Security Administration.  Today it is common practice for this number to be issued at birth to babies born in the US. People born outside of the US who come to the country can apply to get a number.

It is normal practice to register children's births with the jurisdiction in which they are born. A form is filled out by the parents and signed by a physician and submitted. Then a birth certificate is issued. The birth certificate has a serial number on it that identifies it as a unique document.

Note: Billions of people world wide do NOT have this type of document.

Companies issue numbers to their customers to track them and their interactions with the company.  When you call a company they ask you for your customer number.  The bar code on a loyalty card encodes a customer number; when it is scanned with a purchase, that purchase is linked with prior ones.

Identifiers with End-Points (Digital Identifiers)

The above types of identifiers are issued by bureaucratic systems and point to particular people.  They are, however, not end-points on a network: information cannot be sent to them, and the person the identifier points at cannot perform a technical authentication to prove that they are indeed the one at the end-point who should receive the information.

One type of network with end-points that we are familiar with is relatively modern but predates electronic networks: the street address system.  Integrity in this system is backed up by laws in the US that impose severe consequences for its use for fraudulent purposes. It is also illegal to open mail not addressed to you.

In electronic systems we have identifiers that point to people and are end-points. These include phone numbers, e-mail addresses, debit card numbers, employee logins, etc. Information is sent to these identifiers and access to resources is available via the end-point. To protect the information, the system must make sure it is only seen by the person it was for (the person that the identifier points at) and that only that person can access the resources.  These electronic systems therefore support the person claiming to be the one a particular identifier points at, and proving it.  This requires that systems provide ways to do Technical Authentication (AuthN).

This can be done in a variety of ways: sharing a secret only they know (password or PIN), sharing a changing secret that only they have access to (a code that changes on a token, or software generating a one-time password), scanning a body part to see if it matches the one that was enrolled, or having a thing that only they have (a phone with the SIM card in it, a debit card). Different types of technical authentication are possible for different systems, but they all have the basic function of supporting the person the identifier points at in proving to the system that they are that person.

More sophisticated systems issue both a "core" identifier that is the primary pointer at a particular person AND a different identifier that is an authentication end-point.  This has an advantage because if control over the authentication end-point is lost then it can be re-issued but the core identifier stays the same.

Attributes

Attributes are things about a person (or an entity).

They include personal details like birthday, age, gender, residence, place of work, income, preferences and habits, credentials from educational institutions, record of employment.

Claims

Claims can include identifiers (both authenticatable end-points, identifiers that are not end-points / not resolvable) and attributes.

Proofing / Verification 

This is the process where certain things that you claim about yourself are checked to see if the assertions line up with how you presented yourself in the past or with how facts about you were recorded in record-keeping systems.

One way that proofing is done is the in-person presentation of formal government-issued paperwork that affirms certain claims: a birth certificate asserts a birth date; a passport asserts citizenship and has a photo asserting likeness; a driver's license has a photo asserting likeness and a residential address (asserted by the person when getting the license).

Another way to do proofing is to look up claims by people about themselves in databases managed by data brokers.

Document Validation 

This is the process where documents presented can be checked to see if they are valid: that they were in fact issued by the authority and that the name on the presented document matches the one on file.  These systems are typically set up so that the person viewing a document presented by an individual can type in the document information (serial number, birthdate, name) and find out via a yes-no answer whether it is a valid document.

The E-Verify program for employers is a system designed to do this. It should be noted that this process has a negative impact in particular on transgender people who have hidden their gender at birth from their employer and who are rejected by the system when the gender they present to their employer does not match the one in the Social Security Administration records. 

Enrollment 

This is the process that people go through to be issued an identifier in a system. This is true for identifiers with and without an authentication end-point. What information do they need to present? How is it checked or verified? Do they need to do it in person? Does it involve the collection of a biometric (photo, fingerprint, iris scan)?  The end result of an enrollment process is the issuance of an identifier and often some type of credential that can be used to authenticate into a system. For example: a student ID card at a university has a student number on it AND a magnetic stripe (with an identifier for that particular card) that can be used to authenticate the student (by swiping it in a card reader) to gain access to the dorm one lives in or the libraries on campus.

Authentication - AuthN

This is what happens after one is enrolled in a system and an individual has an end-point that they want to use - they have to Authenticate via any one of a number of methods to prove they are indeed the person who set up the account or was issued the identifier.

(repeated from above) This can be done in a variety of ways: sharing a secret only they know (password or PIN), sharing a changing secret that only they have access to (a code that changes on a token, or software generating a one-time password), scanning a body part to see if it matches the one that was enrolled, or having a thing that only they have (a phone with the SIM card in it, a debit card). Different types of technical authentication are possible for different systems, but they all have the basic function of supporting the person the identifier points at in proving to the system that they are that person.
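The "changing secret" form of authentication described here (and in the Identifiers with End-Points section above) is the one-time password generated by a token or an app. As an added illustration that is not part of the original post, the following Python code implements the standard HOTP/TOTP construction (RFC 4226 and RFC 6238: an HMAC over a counter derived from the clock, truncated to six digits) and a server-side check that tolerates a little clock skew. It also models the "core identifier" versus "authentication end-point" split from the earlier paragraph: the `Account` class is a constructed example whose `core_id` never changes while its OTP secret can be re-issued. The `Account` name, the sample user and the 20-byte secret length are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import struct
import time
import uuid
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the
    8-byte big-endian counter, then dynamic truncation to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): the counter is the number of `step`-second
    intervals since the Unix epoch, so the code changes every `step` seconds."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, step: int = 30,
                window: int = 1) -> bool:
    """Accept the code if it matches the current interval or one within
    +/- `window` intervals (tolerates clock skew between token and server).
    The comparison is constant-time so timing does not leak matching digits."""
    for drift in range(-window, window + 1):
        expected = totp(secret, at_time + drift * step, step)
        if hmac.compare_digest(expected, code):
            return True
    return False


class Account:
    """Constructed illustration of the 'core identifier' vs. 'authentication
    end-point' split: core_id never changes, while the OTP secret can be
    re-issued when a phone or token is lost without touching the core id."""

    def __init__(self, display_name: str):
        self.display_name = display_name
        self.core_id = uuid.uuid4()                 # stable primary pointer at the person
        self.auth_secret = secrets.token_bytes(20)  # credential for the auth end-point

    def reissue_auth_secret(self) -> bytes:
        """Replace the authentication credential; the core identifier is untouched."""
        self.auth_secret = secrets.token_bytes(20)
        return self.auth_secret

    def authenticate(self, code: str, at_time: Optional[int] = None) -> bool:
        now = int(time.time()) if at_time is None else at_time
        return verify_totp(self.auth_secret, code, now)


if __name__ == "__main__":
    acct = Account("alice")  # constructed sample account
    original_core_id = acct.core_id
    now = int(time.time())
    print("current code accepted:", acct.authenticate(totp(acct.auth_secret, now)))
    acct.reissue_auth_secret()
    print("core id unchanged after re-issue:", acct.core_id == original_core_id)
```

The `window` parameter is the usual trade-off: a wider window absorbs more clock drift but also keeps a stolen code valid for longer, so one interval on each side is the common choice.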

Authorization - AuthZ

Once Authentication is done in a digital system the question is what resources can be accessed and what can be done to them (just read them, read and write them, delete them) - What is Authorized.

One way Authorization is managed is by defining roles and determining access based on roles.
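Role-based authorization, as the paragraph describes it, reduces to a lookup: the roles assigned to an authenticated subject are mapped to a set of permitted (action, resource) pairs, and any request not covered by that set is denied. The following Python sketch is an added example, not code from the post or from the IDESG; the role names, permissions and subjects are constructed for illustration. It shows the union over a subject's roles, the default-deny decision, and an audit line so that denials are observable.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set, Tuple

# A permission is an (action, resource type) pair, e.g. ("read", "record").
Permission = Tuple[str, str]

# Constructed sample role definitions; names and permissions are illustrative.
ROLE_PERMISSIONS: Dict[str, FrozenSet[Permission]] = {
    "viewer": frozenset({("read", "record")}),
    "editor": frozenset({("read", "record"), ("write", "record")}),
    "admin": frozenset({("read", "record"), ("write", "record"), ("delete", "record")}),
}


@dataclass
class Subject:
    """An authenticated principal: the identifier the system resolved during
    AuthN, plus the roles assigned to it at enrollment."""
    core_id: str
    roles: Set[str] = field(default_factory=set)


def permissions_for(subject: Subject) -> FrozenSet[Permission]:
    """Union of permissions over the subject's roles; unknown roles grant nothing."""
    granted: Set[Permission] = set()
    for role in subject.roles:
        granted |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(granted)


def authorize(subject: Subject, action: str, resource_type: str) -> bool:
    """Deny by default: access is allowed only when some role explicitly
    grants (action, resource_type)."""
    return (action, resource_type) in permissions_for(subject)


def decision_log_line(subject: Subject, action: str, resource_type: str) -> str:
    """Audit record for the AuthZ decision, written whether it is ALLOW or DENY."""
    verdict = "ALLOW" if authorize(subject, action, resource_type) else "DENY"
    return (f"authz subject={subject.core_id} action={action} "
            f"resource={resource_type} result={verdict}")


if __name__ == "__main__":
    viewer = Subject("u-1001", {"viewer"})  # constructed sample subject
    for action in ("read", "write", "delete"):
        print(decision_log_line(viewer, action, "record"))
```

Because the decision is made against the resolved `core_id` and its roles rather than against whatever the client claims, a change of authentication credential (as in the re-issue case above) does not alter what the subject is authorized to do.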

More definitions to come soon include : Delegation, Triangulation, Persona, Role, Context

by Kaliya Hamlin, Identity Woman at March 11, 2014 05:17 AM

Kaliya Hamlin

Personal Clouds, Digital Enlightenment, Identity North

Next week Thursday August 22nd is the Personal Cloud Meetup in San Francisco. It will be hosted at MSFT.  If you want to get connected to the community it is a great way to do so. Here is where you register. 

In September I'm heading to Europe for the Digital Enlightenment Forum September 18-20th. I'm excited about the program and encourage those of you in Europe who might be reading this to consider attending. We are doing a 1/2 day of Open Space (what we do at IIW) where the agenda is created live at the event.

October 1-2 is Identity North in Toronto and Vancouver. I'm working with Aran and the other organizers again. The first day will be curated talks and the 2nd day will be Open Space (what we do at IIW) where the agenda is created live at the event.

I'm heading to Investing with a Gender Lens Convergence in CT.  Topic that I'm bringing there is Gender and Big Data.

I'm considering spending the week of October 7th in Boston and/or New York. If you think this is a good idea and want to meet with me or make something happen out there that week, let me know.

NSTIC's next IDESG Plenary is the week of October 14th in Washington, DC.

Then it's the Internet Identity Workshop October 22-24th in Mountain View.

The next thing on my calendar is a tentative date in December for the UnMoney Convergence, December 10th.

Then in the new year it's She's Geeky! at the end of January.

by Kaliya Hamlin, Identity Woman at March 11, 2014 05:16 AM

Kaliya Hamlin

Personal Cloud Gathering Sept 25th - Video's from August 22

The next SF Personal Cloud Community Gathering is September 25th in downtown.

Please head over to the Eventbrite to register and learn who is speaking.

Joseph Boyle recorded and posted the presentations from the last meetup; you can find them here.

Trovebox by Jaisen Mithai

priv.ly - Daniel

Cozycloud - Benjamin Andre

Update on Nym Research - aestetix

Indie Box - Johannes Ernst

Following the presentations, there was a discussion about the future, what people are building now and how it links together; you can find the notes on the wiki.

by Kaliya Hamlin, Identity Woman at March 11, 2014 05:15 AM

Kaliya Hamlin

She's Geeky! Bay Area, January 24-26

Calling all Geeky women!

We are doing it again - a weekend of fun and connection and nerding out.

January 24-26th at Microsoft in Mountain View.

http://www.shesgeeky.org

It is one of my favorite weekends of the year. If you are a woman and you do anything related to tech, science or math, daydream about science fiction, or are a gamer, it is for you.  The diversity of women is amazing.

It is a great place to practice a talk you are thinking about or have to give at some other event, talk about critical issues like NSA spying, learn about other nerdy things like bee-keeping and knitting weird math shapes.

Feel free to ask me any questions you have about it.

If you are a guy reading this...please let women friends and colleagues know about it.

by Kaliya Hamlin, Identity Woman at March 11, 2014 05:15 AM

Kaliya Hamlin

How to Join NSTIC, IDESG - A step by step guide.

The National Strategy for Trusted Identities in Cyberspace calls for the development of a private-sector-led effort to articulate an identity ecosystem.

To be successful it needs participation from a range of groups.

An organization was formed to support this - the Identity Ecosystem Steering Group in alignment with the Obama administration's open government efforts.

The "joining" process is not EASY but I guess that is part of its charm. It is totally "open and free" but challenging to actually do.

PART 1 - Getting an Account on the Website!

Step 1: Go to the website: http://www.idecosystem.org

Step 2: Find this box on the right hand side of the site.

[screenshot: IDESG-1]

Step 3: Log in to the website.

You can use any e-mail address you want to do so if you click on the button labelled IDESG.

If you have a Yahoo! e-mail address OR a Google/GMail account you can use that by clicking on their respective buttons - but the next steps that follow are for the IDESG button path (recommended).

Step 4:  Click on the button circled below.

[screenshot: IDESG-3b]

Step 5: Enter the information requested.

[screenshot: IDESG-4]

Step 6: Pick a Time Zone!

The note in red makes clear that when you are sent the membership agreement form to fill out in step __, you must write down the same e-mail address that you used here so they can correlate your account to your membership.

[screenshot: IDESG-4]

Step 7: Confirm that you want an account. Click the Button.

[screenshot]

Step 8: You Should See this Screen. Make sure you check your e-mail account - it will have a link you click on. Then you can login to the website.

[screenshot: IDESG-6b]

Step 9: You might see this screen.

[screenshot: IDESG-6]

Step 10: Contact the site administrator at this e-mail address: idecosystem@trustedfederal.com, or phone them at (240) 403-4092.

[screenshot: IDESG-7]

PART 2 - Filling out Membership Form on Website!

Step 11: Go to this page to access the new member registration application http://www.idecosystem.org/page/join-idesg-0   Fill out the fields of the application.

You will be asked to pick a stakeholder category. 

I recommend either the #11 Small Business and Entrepreneur category if you are an individual who has a business.

OR the #3 Consumer Advocate Group if you represent people in your work .

PART 3 - Sign and SEND in the form

Step 12: You will get an e-mail from the administrators of the organization with a membership agreement.

  • You need to print it out and read it or at least scan it
  • Sign it
  • Return it  (via fax OR scan -> email)

The agreement has a clause about intellectual property - this can scare some people. It is basically saying that contributions you make to public mailing lists can be posted online by the organization and used in the work outputs of the organization. It is common in technical communities and supports sharing and development of collective work products.

Step 13: You will get a confirmation from the administrators and you will be officially a member.

Troubleshooting

How you can get involved is another post....so stay tuned.

by Kaliya Hamlin, Identity Woman at March 11, 2014 05:14 AM

Kaliya Hamlin

How to Participate in NSTIC, IDESG - A step by step guide.

The Identity Ecosystem Steering Group is a multi-stakeholder organization (see this post about how to join). Technically you can participate on the lists even if you are not a member, but it is better to go through the process of joining so that you are "officially" part of the organization.

If you join the IDESG it is good to actively participate in at least one active committee, because the committees are where the organization's work is done; any person or organization from any stakeholder category can participate.

The committees have mailing lists that you subscribe to (below, click through where it says Join Mailing List, put in the e-mail address you want to use, and share your name and a password).

On the list the group talks about the different work items they are focused on.  They have conference calls as well (these range from once a week to once a month).  You can also contact the chair of the committee and "officially" join, but that is not required.

If you are reading this and getting involved for the first time - read through this list and pick one of the committees that sound interesting to you.  They are friendly folks and should be able to help you get up to speed - ask questions and ask for help. This whole process is meant to be open and inclusive.

It might be confusing but that is ok.  You haven't learned all the language of this very particular sub-industry. Remember you can always ask me questions and I can connect you to a community of others who are engaging with this field for the first time.

The next Face to Face meeting is happening April 1-3 in Mountain View, California. It is totally open and free; you can register here. Follow just one of the committees, maybe two, and join us there. If you can only make it for part of a day, you can come when the committee you have been following meets.

Trust Framework and Trust Mark Committee

Very important work is going on in this committee.  It will define the legal, policy and technology underpinnings of the whole effort to get identities to work.  Some of the questions that I have about the outcomes of this work are:

  • Will the policy and technology choices (they call these trust frameworks) respect people and their rights online?
  • Will they let people who are citizens define how they are "seen" online, or will they only permit "real name - verified identities" to be used?
  • How will end users be protected, both with policies and technologies, from the sites where they use their digital identities, and from the services that help them use their digital identities?

This group is VERY active right now - that means they are producing work very fast, and the outcome is basically the CENTRAL DOCUMENT outlining "how" this identity system will work. It needs attention to track it, ask questions and give substantive input.

The Committee Work products, Work Plan and Collaboration space.

Join the mailing list here. Documents for meetings. It meets EVERY Wednesday at 3pm EST / noon PST for two hours.  To see all their documents click on this page and then on the file folder for "Functional Model AHG"

Functional Model Group

It is currently working on getting feedback on these documents:
The Functional Elements Applied PPT.
Functional Models Applied PDF to go with the PPT

Yep they are very confusing - they are confusing to me too.

Join the mailing list here - I can't find its meetings on the calendar.

To see all their documents click on this page and then on the file folder for "Functional Model AHG". The wiki is here.

Policy Committee

This committee is working on the development of policy recommendations for the White House and legislators. These will likely influence what provisions come into law, all with the goal of helping the vision of the Identity Ecosystem being developed in this institution come into being.

The current draft of the document IDESG Policy Committee findings on policy incentives(As best as I could find)

Join the mailing list here - it does not have meetings currently scheduled; they will be announced on the list.

To see all their documents click on this page and then on the file folder for "Policy Coordination Committee"

Use Case Committee

This group is defining all the different use-cases, that is, the stories of how regular citizens will use the system.  My concern is that they have developed detailed cases such as ____ and ___ without ever speaking to real people from those groups or who have those needs.  The generic use-cases about Authentication and Proofing also impact different populations of people differently, and diverse input is essential.

The use-cases are then used to define the different technology and policy building blocks in what they call a Functional Model.

Join the mailing list here - it meets every Wednesday at 4pm EST/1pm PST

To see all their documents click on this page and then on the file folder for "Use Case AHG". The wiki is here.

Security Committee

This group is looking to define a security model for use in Identity Ecosystem. It has many different sub-committees including Taxonomy, Attributes, Functional Model and Use-Cases.

The Mailing list is here.  It meets every Thursday 2pm EST/11am PST  

To see all their documents click on this page and then on the file folder for "Security Committee".

They are just starting to begin meetings on the Security Evaluation Methodology.

Standards Committee

This committee is working on so many different things and has spawned 4 Ad-Hoc/Sub Committees.

The Standards Coordination Committee will be responsible for coordinating, reviewing, and recommending the adoption of technical standards to facilitate interoperability within the Identity Ecosystem.

The Mailing list is here -  Its Documents are here. It meets every Thursday 11am EST/8am PST

To see all their documents click on this page and then on the file folder for "Standards Committee"

Taxonomy Committee

This committee is defining the words that we use to talk about the Identity Ecosystem - such as Pseudonymous Transactions, Credentials, Attributes, Identifier.

The Mailing list is here - It meets every Thursday 12:30 EST/9:30 PST

To see all their documents click on this page and then on the file folder for "Taxonomy AHG"

Privacy Coordination Committee

The Privacy Coordination Committee will be responsible for seeing that other Committees’ work products adhere to the Privacy-enhancing and Voluntary Guiding Principle.  All work products developed from all other committees pass through this one. The model of privacy they have is oriented to the Fair Information Principles and Practices developed in the 1970's - and doesn't necessarily look at new ideas of how to manage the needs of people having dignity.

Join the Mailing List here - It meets the first Tuesday of the month at 4pm EST/1pm PST.

To see all their documents click on this page and then on the file folder for "Privacy Coordination Committee"

Financial Services Committee

This group creates space for those from the Financial Industry to contribute the specific needs of that industry into the work of the IDESG.

Join the Group Mailing List on this Page   They meet the 2nd & 4th Tuesday of every month at 11am Eastern Standard Time

To see all their documents click on this page and then on the file folder for "Financial Services Committee"

Health Care Committee

This group creates space for those from the Health Care Industry to contribute the specific needs of that industry into the work of the IDESG.

Join the Mailing List here -  It meets

To see all their documents click on this page and then on the file folder for "Health Care Committee"

Attributes Committee

Join the Mailing List here - It meets every 2nd Friday

Their wiki page is here. To see all their documents click on this page and then on the file folder for "Attributes AHG"

User Experience Working Group

Join the Meeting List here - It meets

To see all their documents click on this page and then on the file folder for "User-Experience Committee"

International Coordination Committee

The International Coordination Committee will be responsible for reviewing - and where appropriate, coordinating alignment with - similar international standards and policies.

The Mailing List is here - It currently doesn't have a meeting scheduled; it will be announced on the list.

To see all their documents click on this page and then on the file folder for "International Coordination Committee"

by Kaliya Hamlin, Identity Woman at March 11, 2014 05:14 AM

March 06, 2014

Kaliya Hamlin

What is a Functional Model?

I have been working in the identity industry for over 10 years. It was not until the IDESG - NSTIC plenary, when some folks said they were working on a functional model, that I heard the term.  I, as is normal for me, piped up and asked "what is a functional model"; people looked at me, looked back at the room and just kept going, ignoring my question.  I have continued to ask it and no one has answered it.

I will state it out loud here again -

What is a Functional Model?

by Kaliya Hamlin, Identity Woman at March 06, 2014 07:22 PM

February 28, 2014

OpenID.net

No Oscars, But OpenID Connect Launch Receives International Raves

This past Wednesday, February 26th, the OpenID Foundation, its members and the OpenID Connect Working Group successfully launched the OpenID Connect standard in the US, Europe and Japan. The launch generated press coverage at RSA in San Francisco and the Mobile World Congress in Barcelona. This was made possible by you, our members and contributors. Thanks for a successful launch and for reaching this important milestone.

Below is the OpenID Connect launch coverage to date:

February 27, 2014
InfoWorld
Google, Microsoft, Salesforce back OpenID Connect — but it’s not enough
Despite big-name support, newly finalized OpenID Connect protocol is a security building block, not a silver bullet
http://www.infoworld.com/t/identity-management/google-microsoft-salesforce-back-openid-connect-its-not-enough-237258

The Register
OpenID Foundation launches XML-free ID handler
OpenID Connect spec touts simpler messaging
http://www.theregister.co.uk/2014/02/27/openid_foundation_launches_xmlfree_id_handler/

heiseDeveloper
OpenID Connect ratified as a standard
The standard, drafted by companies such as Google, Microsoft, Deutsche Telekom and Salesforce.com, is intended sooner or later to replace OpenID 2.0 on the web, thanks in part to the enormous popularity of OAuth.
http://www.heise.de/developer/meldung/OpenID-Connect-als-Standard-ratifiziert-2126073.html

Help Net Security
OpenID Foundation launches the OpenID Connect Standard
http://www.net-security.org/secworld.php?id=16445

Golem.de
OpenID Connect completed
http://www.golem.de/news/authentifizierung-openid-connect-fertiggestellt-1402-104838.html

Cnews
Mobile operators will replace passwords with phone numbers
http://www.cnews.ru/news/top/index.shtml?2014/02/26/562446

DataNews
Operators release a 'secure' alternative to Facebook Connect
http://datanews.levif.be/ict/actualite/des-operateurs-sortent-une-alternative-sure-a-facebook-connect/article-4000539065405.htm

Nikkei ITPro
"OpenID Connect" specification, adopted by Google and Microsoft, receives final approval
http://itpro.nikkeibp.co.jp/article/NEWS/20140227/539966/?top_tl1

dig.no
OpenID makes a new push
http://www.digi.no/927406/openid-tar-ny-sats

February 26, 2014
ZDNet
Cloud-era authentication infrastructure taking shape
Google, Microsoft, Salesforce, GSMA, UK, welcome final OpenID Connect spec in effort to scale ID services across cloud, mobile
http://www.zdnet.com/cloud-era-authentication-infrastructure-taking-shape-7000026718/

ZDNet
Deutsch Telekom on cutting edge for ID management, mobile log-ins
German company puts faith in OpenID Connect to secure infrastructure, integrate SSO with partners
http://www.zdnet.com/deutsch-telekom-on-cutting-edge-for-id-management-mobile-log-ins-7000026717/

SecureIDNews
OpenID Connect enables online identity
http://secureidnews.com/news-item/openid-connect-enables-online-identity/

TechCrunch
OpenID Connect Identity Protocol Launches With Support From Google, Microsoft & Others
http://techcrunch.com/2014/02/26/openid-foundation-launches-openid-connect-identity-protocol-with-support-from-google-microsoft-others/
- Techmeme – http://www.techmeme.com/140226/p19#a140226p19
- Daily Motion – http://www.dailymotion.com/video/x1dhp1g_openid-connect-identity-protocol-launches-with-support-from-google-microsoft-others_tech
- TechCrunch Japan – http://jp.techcrunch.com/2014/02/27/20140226openid-foundation-launches-openid-connect-identity-protocol-with-support-from-google-microsoft-others/?utm_source=dlvr.it&utm_medium=twitter

T.H.E. Journal
OpenID Connect Standard Extends Digital Identities Across the Web
http://thejournal.com/articles/2014/02/26/new-openid-connect-standard-extends-digital-identities-across-the-web.aspx
- Campus Technology – http://campustechnology.com/articles/2014/02/26/new-openid-connect-standard-extends-digital-identities-across-the-web.aspx

SDTimes
The OpenID Foundation launches an authentication protocol
http://www.sdtimes.com/content/article.aspx?ArticleID=68832&page=1

WSJ MarketWatch
The OpenID Foundation Launches the OpenID Connect Standard
http://www.sdtimes.com/content/article.aspx?ArticleID=68832&page=1

Bloomberg
The OpenID Foundation Launches the OpenID Connect Standard
http://www.bloomberg.com/article/2014-02-26/asf8Wzgm0W00.html

telecompaper
OpenID members finalise OpenID Connect standard (subscription required)
http://www.telecompaper.com/news/openid-members-finalise-openid-connect-standard–998934

InformationWeek
‘Connect’: A Modern Approach to Mobile, Cloud Identity
Patrick Harding, CTO Ping Identity (contributed article)
http://www.informationweek.com/security/identity-and-access-management/connect-a-modern-approach-to-mobile-cloud-identity/d/d-id/1113894

InternetWatch
"OpenID Connect", an API standard specification for ID federation, is approved
http://internet.watch.impress.co.jp/docs/news/20140227_637343.html

RELATED NEWS
Bloomberg Businessweek
Carriers Back Mobile-Based IDs to Match Google, Facebook Service
http://www.businessweek.com/news/2014-02-24/carriers-back-mobile-based-ids-to-match-google-facebook-service

FierceWireless
U.S. operators are MIA in the GSMA’s new Mobile Connect universal login program
http://www.fiercewireless.com/story/us-operators-are-mia-gsmas-new-mobile-connect-universal-login-program/2014-02-24

LightReading
Operators See Eye-to-Eye on SIM-Based Security
http://www.lightreading.com/services-apps/mobile-services/operators-see-eye-to-eye-on-sim-based-security-/d/d-id/707918?_mc=RSS_LR_EDT

Rude Baguette
Mobile World Congress Day 1 Highlights – Connected Living, Samsung, Mobile Connect & Zuckerberg
http://www.rudebaguette.com/2014/02/25/mobile-world-congress-day-1-highlights-connected-self-samsung-zuckerberg-mobile-connect/

Mobile News
GSMA and operators to use mobile to protect digital security
http://www.mobilenewscwp.co.uk/2014/02/24/gsma-and-operators-to-use-mobile-to-protect-digital-privacy/

telecompaper
Orange to offer Mobile Connect across EMEA by 2015
http://www.telecompaper.com/news/orange-to-offer-mobile-connect-across-emea-by-2015–998177

OIDF MEMBER BLOGS AND NEWS RELEASES
Google Developers Blog
Welcome OpenID Connect
http://googledevelopers.blogspot.com/2014/02/welcome-openid-connect.html

GSMA
Leading Mobile Operators Unveil GSMA Mobile Connect Initiative to Provide Consistent and Interoperable Approach to Managing Digital Identity
http://www.gsma.com/newsroom/leading-mobile-operators-unveil-mobile-connect-initiative/

Microsoft Active Directory Team Blog
OpenID Connect is Now Final!
http://blogs.technet.com/b/ad/archive/2014/02/26/openid-connect-is-now-final.aspx

Microsoft – Mike Jones Self-Issued Blog
OpenID Connect Specifications are Final!
https://self-issued.info/?p=1191

Matias Woloski – Auth0 Blog
OpenID Connect specs are final! (with links to open source implementations)
http://blog.auth0.com/2014/02/26/openid-connect-final-spec-10/

Nat Sakimura
OpenID Connect is here! – An Identity Layer on the internet
http://nat.sakimura.org/2014/02/26/openid-connect-is-here/

OpenID Connect released: the identity layer of the Internet
http://www.sakimura.org/2014/02/2277/

Ping Identity CTO Blog
Now, OpenID Connect is Real (and ratified)
https://www.pingidentity.com/blogs/cto-blog/2014/02/now-this-morning-openid-connect-became-real.html

by jfe at February 28, 2014 06:54 PM

February 26, 2014

OpenID.net

The OpenID Foundation Launches the OpenID Connect Standard

Providing Increased Security, Usability, and Privacy on the Internet

RSA 2014 and Mobile World Congress - San Francisco, CA, and Barcelona, Spain - Feb. 26, 2014 - The OpenID Foundation announced today that its membership has ratified the OpenID Connect standard.  Organizations and businesses can now use OpenID Connect to develop secure, flexible, and interoperable Internet identity ecosystems so that digital identities can be easily used across websites and applications via any computing or mobile device. OpenID Connect has been implemented worldwide by Internet and mobile companies, including Google, Microsoft, Deutsche Telekom, salesforce.com, Ping Identity, Nomura Research Institute, mobile network operators, and other companies and organizations. It will be built into commercial products and implemented in open-source libraries for global deployment.

“Widely-available secure interoperable digital identity is the key to enabling easy-to-use, high-value cloud-based services for the devices and applications that people use,” said Alex Simons, Director of Program Management for Microsoft Active Directory. “OpenID Connect fills the need for a simple yet flexible and secure identity protocol and also lets people leverage their existing OAuth 2.0 investments. Microsoft is proud to be a key contributor to the development of OpenID Connect, and of doing our part to make it simple to deploy and use digital identity across a wide range of use cases.”

OpenID Connect is an efficient, straightforward way for applications to outsource the business of signing users in to specialist identity service operators, called Identity Providers (IdPs). Most importantly, applications still manage their relationships with their customers but outsource the expensive, high-risk business of identity verification to those better equipped to professionally manage it.

The Strength of Mobile Identity

Mobile operators are placed ideally to offer identity services with their differentiated assets such as the SIM card, strong registration process, authentication, and fraud detection and mitigation processes. They have the ability to provide sufficient authentication to enable consumers, businesses and governments to interact in a private, trusted and secure environment and enable access to services. The GSMA earlier this week announced the launch of the Mobile Connect service, a collaborative initiative, supported by leading mobile operators, to develop an innovative new service that will allow consumers to securely access a wide array of digital services using their mobile phone account for authentication.

“The GSMA’s role is to work with the Mobile Operators to deliver relevant services to their customers; one such area that is growing in importance is the use of the mobile phone for authentication or identification purposes,” said Marie Austenaa, Head of Personal Data, GSMA. “In order to achieve global scale and ease of implementation both for Mobile Operators and for the Service Providers, it is important to have a consistent approach and this is what OpenID Connect provides.”

“Today is an important milestone in the evolution of online identity; the launch of OpenID Connect provides an open standard enabling global interoperability,” said Don Thibeau, Executive Director of the OpenID Foundation. “The strength of the standard is validated by industry competitors cooperating to lead the development and adoption of OpenID Connect. It is further validated by the plans for adoption by the GSMA, which represents over 800 global Mobile Network Operators.”

OpenID Connect Makes Online Transactions Easier and More Secure

OpenID Connect is the third generation of OpenID technology. Its predecessors, OpenID 1.1 and OpenID 2.0, were well received and are in production today by many well-known Internet companies worldwide.

“Google is betting big on OpenID Connect because it’s simple for developers to understand and makes it easy to federate with identity providers. It also protects users by only sharing account information that users explicitly tell us to,” said Eric Sachs, Group Product Manager for Identity. “As of today, Google offers support for OpenID Connect as an identity provider and we are excited to see how this standard will make Internet use easier for users without having to enter passwords.”

“Salesforce.com is committed to unlocking new ways for companies to build meaningful relationships with their customers, and that engagement starts with standards-based identity,” said Chuck Mortimore, vice president, Identity product management, salesforce.com. “We’ve built OpenID Connect into the core of the Salesforce1 customer platform, allowing companies to connect the next generation of apps, devices and products—delivering a unified customer experience through a single identity.”

“Today’s ratification of OpenID Connect is a big step forward in making business interaction easier and more secure,” said Ping Identity CTO Patrick Harding. “Standards are critical to supporting a new era of identity-centric business. OpenID Connect spans Web, API and mobile, making it an especially important protocol in our collective efforts to move identity from application to infrastructure.”

The formalization of OpenID Connect as an open global standard allows developers, businesses, governments, accreditors, and other interested parties to build the creation and adoption of sector-specific OpenID Connect profiles into their 2014 plans and priorities. Next week in London at the GSMA Headquarters, OpenID Foundation Members including Google, Microsoft, Ping Identity and others will meet with counterparts at the GSMA to begin work on ensuring interoperability across global Mobile Network Operators. The OpenID Foundation, the Open Identity Exchange, and the GSMA are collaborating on pilot and discovery projects and in 2014 will begin testing how OpenID Connect implementations can enhance online choice, efficiency, security, and privacy.

Internet identity initiatives like the UK Identity Assurance Program (IDAP) rely on open standards. The UK Cabinet Office has been a global leader in discovering how commercial identity providers and mobile network operators can contribute to the goals of its Digital By Default Strategy. The GSMA, OpenID Foundation, the Open Identity Exchange, and four leading Mobile Network Operators are collaborating on a set of tests in support of the UK IDAP program using open standards.

Why OpenID Connect?

Barely a week goes by without another news story about some Internet-facing organization suffering a damaging data breach, often including passwords, sometimes numbering in the tens of millions. The constant drumbeat of data breaches is damaging organizations’ reputations, the Internet as a whole, and in particular, the trust of Internet users worldwide.

OpenID Connect provides a simple, standard way to outsource site and application login to operators who continually invest in sophisticated authentication infrastructure and who have the specialized skills required to securely manage sign-in and detect abuse. That investment is coupled with the increased cost of helping users with lost-account recovery, password changes, and so on. The organizations that contributed to OpenID Connect are leading the way in the development of advanced authentication technologies such as risk-based authentication and multi-factor authentication and deploying them at their OpenID Connect IdPs. This ongoing investment in technology and expertise is increasingly beyond the reach of most application providers. It is not a core competence, and is thus an excellent candidate for outsourcing.

OpenID Connect builds on the foundation of successful open identity and security standards like OAuth 2.0 and TLS (also known as SSL or “https”). As a result, it has the advantage that it is substantially easier for developers to implement and deploy than other identity protocols, enabling simpler deployments without sacrificing security.

“NRI has been actively involved in developing OpenID Connect as one of the authors. We have deployed an open source implementation of OpenID Connect as a backend technology provider for media companies, mobile operators, credit card and commerce companies,” said Nat Sakimura, Senior Researcher of Nomura Research Institute, Ltd.

OpenID Connect was developed by a working group of independent security experts and specialists from several continents at companies including Microsoft, Google, salesforce.com, Ping Identity, AOL, Nomura Research Institute, and Deutsche Telekom and tested for interoperability among over 20 implementations.

About The OpenID Foundation

The OpenID Foundation is an international non-profit organization of individuals and companies committed to enabling, promoting and protecting OpenID technologies. Formed in June 2007, the foundation serves as a public trust organization representing the open community of developers, vendors, and users. The OIDF assists the community by providing needed infrastructure and help in promoting and supporting expanded adoption of OpenID technologies. This entails managing intellectual property and brand marks as well as fostering viral growth and global participation in the proliferation of OpenID.

# # #

News Media Contacts:

Jeff Fishburn

OnPR for OpenID Foundation

jefff@onpr.com

by Don Thibeau at February 26, 2014 02:08 PM

February 25, 2014

OpenID.net

A Great Day for Internet Identity

Passwords are a pain. Internet security is difficult. But getting consensus among competing vendors, independent developers, and privacy advocates seemed impossible. But OpenID Connect is finally done. This internet identity layer is already helping websites, enterprises and mobile network operators identify people. OpenID Connect enables better privacy controls and stronger (and more user friendly) authentication. Application developers have responded to the working group’s mantra, “Keep simple things simple, make complex things possible.” Given the almost daily drumbeat of data breaches, website operators, mobile application developers and enterprise architects are welcoming the increased security options OpenID Connect provides for their domains.

Standards are only as good as their adoption. And adoption is a product of the hard work of the OpenID Connect Working Group and our member organizations that have continued to support the painstaking work on building OpenID Connect:

GSMA
“The GSMA’s role is to work with the Mobile Operators to deliver relevant services to their customers; one such area that is growing in importance is the use of the mobile phone for authentication or identification purposes,” said Marie Austenaa, Head of Personal Data, GSMA. “In order to achieve global scale and ease of implementation both for Mobile Operators and for the Service Providers, it is important to have a consistent approach and this is what OpenID Connect provides.”

salesforce.com
“Salesforce.com is committed to unlocking new ways for companies to build meaningful relationships with their customers, and that engagement starts with standards-based identity,” said Chuck Mortimore, vice president, Identity product management, salesforce.com. “We’ve built OpenID Connect into the core of the Salesforce1 customer platform, allowing companies to connect the next generation of apps, devices and products—delivering a unified customer experience through a single identity.”

Ping Identity
“Today’s ratification of OpenID Connect is a big step forward in making business interaction easier and more secure,” said Ping Identity CTO Patrick Harding. “Standards are critical to supporting a new era of identity-centric business. OpenID Connect spans Web, API and mobile, making it an especially important protocol in our collective efforts to move identity from application to infrastructure.”

Nomura Research Institute Ltd.
“NRI has been actively involved in developing OpenID Connect as one of the authors. We have deployed an open source implementation of OpenID Connect as a backend technology provider for media companies, mobile operators, credit card and commerce companies,” said Nat Sakimura, Senior Researcher of Nomura Research Institute, Ltd.

by jfe at February 25, 2014 07:53 PM

February 20, 2014

OpenID.net

OpenID Connect FAQ Now Available

With the OpenID Connect specifications expected to be approved on Tuesday, February 25, 2014, a set of answers to Frequently Asked Questions has been published at http://openid.net/connect/faq/ to help answer questions people might have about OpenID Connect.

OpenID Connect is an interoperable authentication protocol based on the OAuth 2.0 family of specifications. It uses straightforward REST/JSON message flows with a design goal of “making simple things simple and complicated things possible”. It’s uniquely easy for developers to integrate, compared to any preceding Identity protocol.

Regards,
Don

by jfe at February 20, 2014 05:40 PM

February 18, 2014

OpenID.net

OpenID Connect Launch: Statements of Support

Last week I blogged about how we are in the final stretch of launching OpenID Connect on Thursday, February 26, 2014 at RSA in San Francisco, Mobile World Congress in Barcelona and in Tokyo with OpenID Foundation Japan. In that blog, I mentioned some of the industry leaders who have been and will be adopting the OpenID Connect standard. As a follow-up to my comments from last week, below are some of the statements of support for OpenID Connect received thus far:

Microsoft
“Widely-available secure interoperable digital identity is the key to enabling easy-to-use, high-value cloud-based services for the devices and applications that people use,” said Alex Simons, Director of Program Management for Microsoft Active Directory. “OpenID Connect fills the need for a simple yet flexible and secure identity protocol and also lets people leverage their existing OAuth 2.0 investments. Microsoft is proud to be a key contributor to the development of OpenID Connect, and of doing our part to make it simple to deploy and use digital identity across a wide range of use cases.”

Google
“Google is betting big on OpenID Connect because it’s simple for developers to understand and makes it easy to federate with identity providers. It also protects users by only sharing account information that users explicitly tell us to,” said Eric Sachs, Group Product Manager for Identity. “As of today, Google offers support for OpenID Connect as an identity provider and we are excited to see how this standard will make Internet use easier for users without having to enter passwords.”

ForgeRock
“There is more pressure than ever for CIOs to drive revenue and new business models across mobile platforms,” said Lasse Andresen, CTO, ForgeRock. “OpenID Connect is an essential standard for any organization wanting a simple, repeatable approach for extending identity relationships to any device and directly impacting top-line revenue.”

Additional statements of support are forthcoming and I will include those in a follow-up blog.

-Don

by jfe at February 18, 2014 07:22 PM

February 15, 2014

Kaliya Hamlin

NSTIC - Elections & Giving It One More Go

I wrote an essay to give some context for these elections.  You can see part 1 below.

If you are a voting member of the IDESG you were just sent an invitation to vote for leadership positions.

For Management Council Chair please vote for

Salvatore D'Agostino

For at Large Delegate please vote for

Ian Glazer

Kim is the only person running for Plenary Chair and she will be great in that role.

Plenary Vice-Chair I like Colin, from New Zealand and Andrew, from Vancouver, Canada - both would be great in the position - so read and evaluate.

I am running again to represent small businesses and entrepreneurs - elections for those positions are in a week or so.

The Essay:

I could write a long essay about all that, in my opinion, has gone wrong with the NSTIC process over the last  years.  I’m not doing that now.

I’m instead writing about why I still have a bit of hope for the effort and why I’m making a choice to run once again for the Identity Ecosystem Steering Group - Management Council as the representative for Small Businesses and Entrepreneurs.

Lets be REAL.
There are some serious doubts about the state of the IDESG.

They built a gi-enormous super (super monstrously, extra big, kluge tower) structure before they defined work they wanted to do.

NSTIC has metastasized yet another entity but hopefully this is the last.

The execution of the strategy never cohered and the foundations are crumbling. The execution and instantiation are fundamentally flawed.

I basically agree with these statements.

The key one, where my seeds of hope lie, is the fact that there is an entirely new organization - the IDESG is now a nonprofit corporation that is independent.

Kay Chopard Cohen, who was hired by the Secretariat to be the Executive Director of the organization, will now actually be playing that role. She had been very limited in her ability to actually lead organizational development by the man who owned the company (Trusted Federal) that won the Secretariat bid.

The NSTIC NPO will be providing funding to support the IDESG dot org so we have another year of life/runway before it has to collect dues from the private sector.

Andy Ozment from the White House came to speak at the last NSTIC meeting in Atlanta and said  - Identity is a fundamental part of any cybersecurity framework.  The outcomes of our work will be part of their framework for protecting critical infrastructure.
He reiterated the importance of the work we are doing because it requires a multi-stakeholder process to find the right way to integrate Technology, Public Policy and Public Concerns.  The solutions need to  respect privacy AND earn the trust of consumers.

The newly elected management council will be going on a multi-day retreat.  This will give us the chance to really figure things out, get in sync and from there support an effective organization emerging.

Taking the time to get to know each other, our motivations for being involved in NSTIC, hearing our highest hopes and greatest fears around the effort.
Learning about the gifts we have to bring to the project - what we have to offer and how we want to contribute.
We all share the same goal: we want the organization to function effectively. What does that look like, and what are the priorities of the organization? How is staff time dedicated towards these goals/priorities?

This fall a communications firm came in and listened to those involved in the IDESG to write our “value proposition” and “differentiators”:

IDESG provides an inclusive forum for organizations, government and citizens to take on the complex issues of online security and privacy. IDESG spurs dialogue and action for common ground and common sense solutions.  

Our unique value comes from integrating public policy, individual perspectives and cross-sector industry leadership and collaboration. This dynamic partnership enhances choice and stimulates innovation and growth.

An organization that is seeking to “take on complex issues” in a way that is “inclusive” needs to actually use processes and methods that are capable of holding complexity AND being inclusive.

We as the Management Council need to grapple with HOW to do this in the emerging IDESG dot org.

We have to go beyond what has been unfolding so far.

Robert’s Rules of Order is the default modality that “everyone knows”, so it is what virtually all committees use, along with the management council.  It is fine for what it is good at - but it does not actually make space for listening to a broad group like the IDESG Plenary (or at least what could be the NSTIC plenary of 1000’s if not 10’s of thousands of people & organizations).

In committees I participate in we have a culture where you cannot object to something “unless you have a solution”, so it suppresses the ability to raise concerns. Those who work at corporate day jobs in middle management run them under “their rules”; there is no space for collective discernment and consensus to emerge.

We also have the challenge that committees of the plenary were formed, and the “work products” they would focus on were outlined in detail, before there ever was a management council.  Who defined them? David Temoshok via the NSTIC NPO also wrote an entire work plan of how they saw getting to the “end work product” of an Identity Ecosystem Framework.

Instead of bringing the government’s version of a potential work plan, and the government’s idea of what committees should be brought into being and why, to the newly formed IDESG and working with the Management Council’s elected stakeholder delegates to figure out a work plan for this private sector led organization.

It ended up that because the NPO was the main instigator (via the Secretariat that they funded to support the functioning of the IDESG) of the first meeting of the IDESG in Chicago - it set all the committees in motion before a management council ever existed.

Committee topics were just single words like “Security” or “Standards” and people who were in attendance went to these first meetings and then “elected leaders” out of the blue at those initial meetings.  These leaders have all been defining what they thought a particular group of people who were interested in “Trust Frameworks” or “International Outreach” or “Privacy” - should do - and muddling through how they thought they should relate/work together.  All of this was done outside of any connection or interaction with the Management Council.

This alone should make clear some of the origins of why people have doubts about the organization.

So the leadership retreat we will be having is key - it will give us a chance to re-set, get in sync - really for the first time and provide LEADERSHIP.

We as a management council discern what we want to accomplish - to find agreement amongst ourselves regarding what a Trust Framework actually is and how we as an organization/community tasked with helping

The gap between the optics of everything going well and the substance of what is happening has to be closed in the coming year or there will be no IDESG.

The NPO has gone to great lengths to ensure that appearances of the organization functioning are “kept up”.  Of course that is their job - they need to have it look good so they can continue funding and avoid congressional investigation.

The reality is that the NSTIC / IDESG regulars see through the image of it working.

Example 1) [self-censored]

Example 2) [self-censored]  For this election I went through the list of all the members of the organization: there were only 4 State, Tribal and City governments who are members of the IDESG. There are only 5 Relying Parties that are members of the IDESG - these are two groups who play critical roles in the ecosystem and well, they are barely represented. [self-censored]

Example 3) We have consensus on what any of the following words actually mean.

  • an Identity Ecosystem,
  • a Trust Framework
  • an Identity Ecosystem Framework

I have rough outlines of the remainder of this essay but I ran out of time to finish it. I will post part 2 in the coming days.

by Kaliya Hamlin, Identity Woman at February 15, 2014 07:25 PM

February 11, 2014

OpenID.net

Vote for Final OpenID Connect Specifications and Implementer’s Drafts is Open

The vote is closed.

Please vote now at https://openid.net/foundation/members/polls/80.

The OpenID Connect Working Group recommends approval of the following specifications as Final OpenID Specifications:

The working group also recommends approval of the following specifications as OpenID Implementer’s Drafts:

  • OpenID Connect Session Management – Defines how to manage OpenID Connect sessions, including logout functionality.
  • OAuth 2.0 Form Post Response Mode – Defines how to return OAuth 2.0 Authorization Response parameters (including OpenID Connect Authentication Response parameters) using HTML form values that are auto-submitted by the User Agent using HTTP POST.

A Final Specification provides intellectual property protections to implementers of the specification and is not subject to further revision. An Implementer’s Draft is a stable version of a specification also providing intellectual property protections, but that is subject to further revision before becoming a final specification.

The official voting period will be between Tuesday, February 18 and Tuesday, February 25, 2014, following the 60 day review of the specifications. For the convenience of members, voting will actually open a week before Tuesday, February 18 on Tuesday, February 11 for members who have completed their reviews by then, with the voting period still ending on Tuesday, February 25, 2014.

If you’re not already a member, or if your membership has expired, please consider joining to participate in the approval vote. Information on joining the OpenID Foundation can be found at https://openid.net/foundation/members/registration.

A description of OpenID Connect can be found at http://openid.net/connect/. The working group page is http://openid.net/wg/connect/.

Locations for the proposed Final Specifications are:

Locations for the proposed Implementer’s Drafts are:

– Michael B. Jones, OpenID Foundation Secretary

by Mike Jones at February 11, 2014 06:38 PM

February 07, 2014

OpenID.net

In the Final Stretch of Launching OpenID Connect

After 4 years of painstaking (and occasionally painful) collaboration among industry competitors, we are a few weeks away from launching OpenID Connect at the RSA Conference in San Francisco, in Tokyo via OpenID Foundation Japan and Mobile World Congress in Barcelona with the GSMA. This is an important milestone in the evolution of online identity providing an open standard enabling global interoperability. More simply said, this helps move us away from the use of passwords. And in light of yet more breaches, the sooner the better.

Standards are as strong as the sum of those that adopt them. OpenID Connect has been and will be adopted by Internet leaders worldwide including Google, Microsoft, Nomura Research, mobile network operators and so many others that I’ll blog just on that. Connect is now a part of product roadmaps across industry sectors, built into global commercial products and implemented in open-source libraries for deployment.

While we are in the final stretch of launching OpenID Connect, now the hard work begins. It’s time to roll up the sleeves and focus on continued promotion, global adoption and proving the power of the standard. The week following launch in London at the GSMA Headquarters, OpenID Foundation Members such as Google, Microsoft, Ping Identity and others will meet with counterparts at the GSMA to begin work on ensuring interoperability across 850+ global Mobile Network Operators. The OpenID Foundation, the Open Identity Exchange, and the GSMA are collaborating on pilot and discovery projects and in 2014 will begin testing how OpenID Connect implementations can enhance online choice, efficiency, security and privacy.

These 2014 efforts beginning with GSMA complement the work that companies like Verizon, Daon and others have in flight in US NSTIC pilots, in the UK with the IDAP program, and benefiting from the leading edge deployments in Japan. Thanks to all of you who labored long to reach this important milestone. I look forward to our work together in 2014.

Don

by jfe at February 07, 2014 04:50 PM

February 06, 2014

OpenID.net

Result of First Election for Corporate Member Board Seat

Beginning in 2014 and each year thereafter, Corporate Members of the OpenID Foundation will elect a member to represent them on the OIDF board. All corporate members were eligible to nominate themselves, second the nominations of others who self-nominate, and vote for candidates. It is rare that the OpenID Foundation suffers from an embarrassment of riches but we just had that happen in the candidacy of three well qualified candidates – Lasse Andresen from ForgeRock, Chuck Mortimore from Salesforce.com and Torsten Lodderstedt from Deutsche Telekom. I agree with Chuck Mortimore’s comment that any one of the candidates would do a fine job.

The voting closed on February 5, and I am very pleased to announce the election of Torsten Lodderstedt as the Corporate member representative to the Board of Directors. Board participation is a substantial investment of time and energy and requires painstaking consensus building. We sincerely thank Lasse, Chuck and Torsten for their candidacies and congratulate Torsten for his election. As their elected corporate Director, Torsten will help build our partnership with the GSMA and guide the role OIDF will play in facilitating faster and broader adoption of open identity standards like OpenID Connect and Account Chooser. Torsten’s candidate statement follows below.

Regards,

Don Thibeau

Torsten Lodderstedt, Deutsche Telekom Candidate Statement
In my daily work as Product Owner for identity management services at Deutsche Telekom I see an increasing demand for secure, powerful, and easy-to-use identity management protocols due to cloud-based business models and e-Government. The OpenID foundation addresses this demand through the results of its working groups. Especially OpenID Connect will allow the foundation to foster the secure and interoperable implementations of various innovative cloud and app use cases and therewith gain more visibility in the mainstream of the industry. As a director of the OIDF I will contribute needs and lessons learned from daily business to the work of the foundation, with a focus on European businesses/organizations as well as the Telco operators. Within working groups I will advocate to always seek for a balance between innovation and maturity in protocol design. I will drive adoption of OpenID within Deutsche Telekom and promote it at other operators and other organisations throughout Germany and Europe. In order to support the OIDF’s working groups, Deutsche Telekom’s IDM team will adopt OIDF standards early (in alignment with DT’s business needs) and continuously contribute experiences to the respective working group. We will also continue to participate in interop tests. In 2014, I see two major focus areas. First, the OpenID Connect specifications must be finalized. Second, the foundation should drive the adoption of OpenID Connect throughout industry and government beyond early adopters, from small business to enterprises and government agencies. I also think it is important to promote the idea of id federation in general as means to leverage reach and verified identity data to new/small business. In the end, OpenID should become mainstream and also substitute home grown “login with OAuth” solutions, OpenID 2.0, and SAML. I will work with GSMA and Telco operators towards industry-wide adoption of OpenID.
My contributions are based on more than 18 years of experience as engineer, architect, and product owner in the software industry, especially 7 years of practical experience in development, operation, and marketing of large-scale identity management services for both Internet and Telco services. Moreover, I have been contributing to the work of the OpenID Connect and OAuth working group for 3 years now.

by jfe at February 06, 2014 08:22 PM

February 05, 2014

OpenID.net

14 Day Notice of Vote for Final OpenID Connect Specifications and Implementer’s Drafts

The official voting period will be between Tuesday, February 18 and Tuesday, February 25, 2014, following the 60 day review of the specifications. For the convenience of members, voting will actually open a week before Tuesday, February 18 on Tuesday, February 11 for members who have completed their reviews by then, with the voting period still ending on Tuesday, February 25, 2014.

If you’re not already a member, or if your membership has expired, please consider joining to participate in the approval vote. Information on joining the OpenID Foundation can be found at https://openid.net/foundation/members/registration.

A description of OpenID Connect can be found at http://openid.net/connect/. The working group page is http://openid.net/wg/connect/.

The vote will be conducted at https://openid.net/foundation/members/polls/80.

– Michael B. Jones, OpenID Foundation Secretary

by Mike Jones at February 05, 2014 01:57 AM

December 21, 2013

OpenID.net

Review of Proposed Final OpenID Connect Specifications and Implementer’s Drafts

The OpenID Connect Working Group recommends approval of the following specifications as Final OpenID Specifications:

The working group also recommends approval of the following specifications as OpenID Implementer’s Drafts:

  • OpenID Connect Session Management – Defines how to manage OpenID Connect sessions, including logout functionality.
  • OAuth 2.0 Form Post Response Mode – Defines how to return OAuth 2.0 Authorization Response parameters (including OpenID Connect Authentication Response parameters) using HTML form values that are auto-submitted by the User Agent using HTTP POST.
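To make the second item above concrete (the same Form Post Response Mode item also appears in the February 11 voting notice), here is an added example of what that response mode looks like on the wire. It is illustrative code written for this page, not code from the OpenID Foundation, its specifications or any implementation named here. The function names, the registered redirect URI and the parameter values are constructed for the example; the design of the auto-submitting form and the non-cacheable headers follow the mechanism the item describes (response parameters carried as hidden form fields that the User Agent POSTs to the client’s redirect URI), and the client side shows the `state` binding a Relying Party should check before trusting anything in the POST body.

```python
import html
from urllib.parse import parse_qs

# Constructed sample: the redirect URI the client registered with the OpenID Provider.
# A real provider takes this from client registration, never from the request alone.
REGISTERED_REDIRECT_URIS = {"https://client.example.org/callback"}

# Page returned when the authorization request asked for response_mode=form_post.
# The browser submits the form on load; the <noscript> button keeps the flow usable
# when scripts are disabled.
FORM_POST_TEMPLATE = """<!DOCTYPE html>
<html>
<head><title>Submit This Form</title></head>
<body onload="document.forms[0].submit()">
<form method="post" action="{action}">
{inputs}
<noscript><button type="submit">Continue</button></noscript>
</form>
</body>
</html>
"""


def build_form_post_response(redirect_uri, params):
    """OpenID Provider side: render Authorization Response parameters
    (code, id_token, state, or error/error_description) as an auto-submitting form.

    Returns (headers, body). Every field name and value is HTML-escaped so that a
    client-chosen `state` containing quotes or tags cannot break out of the input
    attribute, and the page is marked non-cacheable because it carries the
    authorization code or ID token.
    """
    if redirect_uri not in REGISTERED_REDIRECT_URIS:
        raise ValueError("redirect_uri is not registered for this client")
    inputs = "\n".join(
        '<input type="hidden" name="{}" value="{}"/>'.format(
            html.escape(name, quote=True), html.escape(value, quote=True)
        )
        for name, value in params.items()
    )
    body = FORM_POST_TEMPLATE.format(
        action=html.escape(redirect_uri, quote=True), inputs=inputs
    )
    headers = {
        "Content-Type": "text/html;charset=UTF-8",
        "Cache-Control": "no-cache, no-store",
        "Pragma": "no-cache",
    }
    return headers, body


def parse_form_post_callback(body, expected_state):
    """Relying Party side: decode the application/x-www-form-urlencoded body the
    browser POSTed to the redirect URI and bind it to the pending request.

    `expected_state` is the value the client generated before redirecting the user
    and kept in its own session; a mismatch means the response does not belong to
    this session and is rejected before any other parameter is looked at.
    """
    fields = {name: values[0]
              for name, values in parse_qs(body, keep_blank_values=True).items()}
    if fields.get("state") != expected_state:
        raise ValueError("state mismatch: response is not bound to this session")
    if "error" in fields:
        # An error response carries no code or id_token; surface it to the caller.
        return {"error": fields["error"],
                "error_description": fields.get("error_description", "")}
    if "code" not in fields and "id_token" not in fields:
        raise ValueError("authorization response carries neither code nor id_token")
    return fields


if __name__ == "__main__":
    # Constructed sample exchange; the state deliberately contains characters
    # that must be escaped in HTML.
    _, page = build_form_post_response(
        "https://client.example.org/callback",
        {"code": "sample-authorization-code", "state": 'sample-state"><b>'},
    )
    print(page)
```

Two practical points follow from the mechanism. Because the parameters travel in a POST body rather than a URL fragment or query string, they do not end up in browser history, Referer headers or web-server access logs, which is the reason the mode exists. In exchange, the client’s redirect endpoint must accept a cross-site POST: a session cookie set with `SameSite=Lax` (or `Strict`) is not sent on that request, so the cookie that holds the expected `state` needs `SameSite=None; Secure` or the check above will fail for every legitimate login.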

A Final Specification provides intellectual property protections to implementers of the specification and is not subject to further revision. An Implementer’s Draft is a stable version of a specification also providing intellectual property protections, but that is subject to further revision.

This note starts the 60 day public review period for the specification drafts in accordance with the OpenID Foundation IPR policies and procedures. This review period will end on Tuesday, February 18, 2014. Unless issues are identified during the review that the working group believes must be addressed by revising the drafts, this review period will be followed by a seven day voting period during which OpenID Foundation members will vote on whether to approve these drafts as Final Specifications and Implementer’s Drafts. For the convenience of members, voting may begin up to two weeks before Tuesday, February 18th, with the voting period still ending on Tuesday, February 25, 2014.

A description of OpenID Connect can be found at http://openid.net/connect/. The working group page is http://openid.net/wg/connect/. Information on joining the OpenID Foundation can be found at https://openid.net/foundation/members/registration. If you’re not already a member, please consider joining to participate in the approval vote.

You can send feedback on the specifications in a way that enables the working group to act upon your feedback by (1) signing the contribution agreement at http://openid.net/intellectual-property/ to join the working group (please specify that you are joining the “AB+Connect” working group on your contribution agreement), (2) joining the working group mailing list at http://lists.openid.net/mailman/listinfo/openid-specs-ab, and (3) sending your feedback to the list.

Locations for the proposed Final Specifications are:

Locations for the proposed Implementer’s Drafts are:

These informational Implementer’s Guides also accompany these specifications:

Locations for the accompanying Implementer’s Guides are:

– Michael B. Jones, OpenID Foundation Secretary

UPDATE: The working group has updated the non-normative sentence in Section 3.3.1, item 5 of the Core specification to apply an editorial correction. The originally posted version is available at the location below to facilitate comparison between the original version and the current version with the correction applied:

by Mike Jones at December 21, 2013 05:49 AM

November 15, 2013

OpenID.net

OpenID® Trademark and Service Mark License

The OIDF board recently voted to adopt an OpenID Trademark and Service Mark License policy. The following are some of the guidelines regarding acceptable uses of OIDF trademarks outlined in the license:

  • The owner of OIDF marks must be clearly identified as the “OpenID Foundation”. For example, “OpenID® is a trademark (registered in numerous countries) of the OpenID Foundation”.
  • To describe or reference OIDF specifications, documents, software, or other products listed at the OIDF web sites
  • To describe non-OIDF products that implement the required features and operations of OIDF Products. Required features and operations are defined within specifications. Representations that products or services comply with OIDF specifications must clearly indicate that the representations are made by the licensee and not by the OIDF
  • OIDF Trademarks must be used in a way that accurately reflects the status associated with the OIDF Products. The status of an OIDF document describes the context in which the product was developed including the publication date, intellectual property disclosures (e.g., copyright or patent terms), location (URI), its publication level (Draft, Implementer’s Draft, Final Specification, Note, Whitepaper), and future expectations regarding OIDF Products
  • OIDF Trademarks may not be used to indicate any kind of endorsement by the OIDF, official status with respect to the OIDF, or any kind of relationship with the OIDF aside from a representation that the above requirements have been met.
  • OIDF will audit the use of the OIDF trademarks to determine compliance with these terms of the license
  • No right to create modifications or derivatives of OIDF Trademarks is granted pursuant to the license

Please contact me if you have any questions regarding the OIDF trademark license and policies.

Regards,

Don Thibeau
OIDF Executive Director

by jfe at November 15, 2013 06:28 PM

November 08, 2013

OpenID.net

Microsoft publicly participates in OpenID Connect interoperability testing. | Thread Safe

While the testing of Windows Azure Active Directory (WAAD) support for OpenID Connect has been going on for some months, Microsoft is now publicly participating in the OSIS interoperability testing.

While most people think of Connect as being adopted by Social sites like Google for Login, it is also gaining traction in enterprise targeted services like WAAD, Ping Federate and PingAccess.

In combination with provisioning protocols like SCIM, I expect Connect to see a fair amount of interest from Enterprises wanting a simple way to connect to the many Cloud based Software as a Service providers that they are now starting to use, as well as protecting their own enterprise API.

John B.
@ve7jtb

(SOURCE) Microsoft publicly participates in OpenID Connect interoperability testing. | Thread Safe.

by Nat Sakimura at November 08, 2013 05:21 PM

September 06, 2013

OpenID.net

Login to Your Salesforce Org with OpenID Connect in Winter ’14

The Winter ’14 release includes OpenID Connect Authentication Providers, allowing your org to be an OpenID Connect Client, and leverage an Authorization Server for user login. Let’s take a look at how this works:

If you want to walk through the protocol in detail, there’s an excellent, detailed description on Google’s Developer site.

(Source) http://blogs.developerforce.com/developer-relations/2013/09/login-to-your-salesforce-org-with-openid-connect-in-winter-14.html

by Nat Sakimura at September 06, 2013 05:00 AM

August 15, 2013

OpenID.net

Vulnerability Alert – OpenID 2.0 Implementations Vulnerabilities found in some OPs

Please be advised that a number of OpenID Authentication 2.0 server implementations were found to be vulnerable due to non-compliance with the normative requirements of the OpenID Authentication 2.0 specification.

The nature of the vulnerability
In section 11.4.2.1 of OpenID Authentication 2.0 it is stated that “For verifying signatures an OP MUST only use private associations and MUST NOT use associations that have shared keys.” However, vulnerable implementations were not making a distinction between private associations and shared associations, and were performing signature verification using shared associations.

Impact of the vulnerability
Any relying party (RP) that has established a shared association with a vulnerable OP can impersonate a victim at any other relying party by crafting a signature using its shared association. This is because the RP that receives the crafted response would not find the association handle in its own list of shared associations, would therefore treat the response as signed by the OP’s private association, and would send it to the OP for verification. If the OP is implemented according to the specification, it will return false, since the signature uses a shared association. However, if the OP does not distinguish between the two types of association, it will respond to the RP that the signature is valid, allowing the attacker to log in to the RP.

How to find if your OP implementation is vulnerable
An OP implementation that has this bug will not pass the following OSIS I5 test: http://test-id.org/OP/CheckAuthSharedSecret.aspx
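As an added illustration (not code from the advisory, from OSIS, or from any OP implementation), the following Python model shows the OP-side rule from section 11.4.2.1 inside check_authentication, beside the non-compliant lookup the alert describes, and the RP-side decision that makes the rule matter. The endpoint URL, identifiers, nonce and handles are constructed sample values.

```python
import base64
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Association:
    handle: str
    mac_key: bytes
    private: bool  # True: key known only to the OP (stateless mode); False: key shared with an RP


def kv_form(fields):
    """Key-Value Form of the signed fields (OpenID 2.0 section 6.1): 'key:value\\n' per field, in order."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in fields["openid.signed"].split(",")).encode()


def sign(assoc, fields):
    """HMAC-SHA256 over the Key-Value Form, base64 encoded, as carried in openid.sig."""
    return base64.b64encode(hmac.new(assoc.mac_key, kv_form(fields), hashlib.sha256).digest()).decode()


def signed_assertion(assoc, claimed_id, return_to):
    """A positive assertion (openid.mode=id_res) signed under the given association."""
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/endpoint",  # constructed sample value
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.response_nonce": "2013-08-15T00:00:00Z" + secrets.token_hex(4),
        "openid.assoc_handle": assoc.handle,
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    fields["openid.sig"] = sign(assoc, fields)
    return fields


class OpenIDProvider:
    def __init__(self):
        self.associations = {}  # handle -> Association, private and shared alike

    def new_association(self, private):
        assoc = Association(("priv-" if private else "shared-") + secrets.token_hex(4), os.urandom(32), private)
        self.associations[assoc.handle] = assoc
        return assoc

    def _direct_verify(self, fields, allow_shared):
        assoc = self.associations.get(fields["openid.assoc_handle"])
        if assoc is None or (not assoc.private and not allow_shared):
            return {"is_valid": "false"}
        ok = hmac.compare_digest(sign(assoc, fields), fields["openid.sig"])
        return {"is_valid": "true" if ok else "false"}

    def check_authentication(self, fields):
        """Compliant direct verification (section 11.4.2.1): only private associations may be used."""
        return self._direct_verify(fields, allow_shared=False)

    def check_authentication_noncompliant(self, fields):
        """The defect in the alert: the handle is honoured whatever kind of association it names."""
        return self._direct_verify(fields, allow_shared=True)


class RelyingParty:
    def __init__(self, op):
        self.op = op
        self.shared = {}  # handle -> Association this RP established with the OP

    def associate(self):
        assoc = self.op.new_association(private=False)
        self.shared[assoc.handle] = assoc
        return assoc

    def verify(self, fields, check_authentication):
        """Section 11.4: verify locally if the handle is one of ours, otherwise ask the OP directly."""
        assoc = self.shared.get(fields["openid.assoc_handle"])
        if assoc is not None:
            return hmac.compare_digest(sign(assoc, fields), fields["openid.sig"])
        return check_authentication(fields)["is_valid"] == "true"


def run_shared_secret_check():
    """What a CheckAuthSharedSecret-style test exercises: a shared-association signature must be rejected."""
    op = OpenIDProvider()
    rp_a, rp_b = RelyingParty(op), RelyingParty(op)
    shared = rp_a.associate()                  # key held by the OP and RP A only
    private = op.new_association(private=True)
    legit = signed_assertion(private, "https://user.example/alice", "https://rp-b.example/return")
    # Same assertion signed under RP A's shared key; RP B has never seen that handle, so it asks the OP.
    under_shared = signed_assertion(shared, "https://user.example/alice", "https://rp-b.example/return")
    return {
        "private_assoc_accepted": rp_b.verify(legit, op.check_authentication),
        "compliant_op_rejects_shared": rp_b.verify(under_shared, op.check_authentication),
        "noncompliant_op_accepts_shared": rp_b.verify(under_shared, op.check_authentication_noncompliant),
    }
```

The last two entries of the returned dict are the difference between an OP that passes the OSIS test and one that does not.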

We hope this notice was helpful. The attentiveness of the open source community is one of the safeguards maintaining the integrity of the OpenID Foundation’s standards.

Don Thibeau
Executive Director, The OpenID Foundation

by jfe at August 15, 2013 08:41 PM

July 31, 2013

OpenID.net

Second OpenID Connect Implementer’s Drafts Approved

The OpenID membership has approved the following specifications as OpenID Implementer’s Drafts in the vote held from July 23 to July 30, 2013:

  • Basic Client Profile – Simple, self-contained profile for Web-based Relying Parties using the OAuth code flow.
  • Implicit Client Profile – Simple, self-contained profile for Web-based Relying Parties using the OAuth implicit flow.
  • Messages – Defines the messages that are used by OpenID Connect.
  • Standard – Defines an HTTP binding for the Messages, for both Relying Parties and OpenID Providers.
  • Discovery – Defines how Relying Parties dynamically discover information about OpenID Providers.
  • Dynamic Registration – Defines how Relying Parties dynamically register with OpenID Providers.
  • Session Management – Defines how to manage OpenID Connect sessions, including logout functionality.
  • Multiple Response Type Encoding – Registers OAuth 2.0 “response_type” values used by OpenID Connect.

The voting results were:

  • Approve (55 votes)
  • Disapprove (0 votes)
  • Abstain (2 votes)

Total Votes: 57 (out of 245 members = 23% > 20% quorum requirement)

An Implementer’s Draft is a stable version of a specification providing intellectual property protections to implementers of the specification. The working group intends for the final specifications to be compatible with these Implementer’s Drafts.

The approved Implementer’s Drafts are available at:

A description of OpenID Connect can be found at http://openid.net/connect/. The working group page is http://openid.net/wg/connect/.

by Mike Jones at July 31, 2013 07:48 AM

OpenID.net

OpenID Connect Server in a Nutshell

Nat Sakimura has written a valuable post describing how to write an OpenID Connect server in three simple steps. It shows by example how simple it is for OAuth servers to add OpenID Connect functionality. This post is a companion to his previous post OpenID Connect in a Nutshell, which described how simple it is to build OpenID Connect clients. If you’re involved in OpenID Connect in any way, or are considering becoming involved, these posts are well worth reading.

by Mike Jones at July 31, 2013 07:08 AM

July 23, 2013

OpenID.net

Vote for Second OpenID Connect Implementer’s Drafts is Open

Please vote now at https://openid.net/foundation/members/polls/68. The vote is open between July 23 and July 30, 2013.

The OpenID Connect Working Group recommends approval of the following specifications as OpenID Implementer’s Drafts:
  • Basic Client Profile – Simple, self-contained profile for Web-based Relying Parties using the OAuth code flow.
  • Implicit Client Profile – Simple, self-contained profile for Web-based Relying Parties using the OAuth implicit flow.
  • Messages – Defines the messages that are used by OpenID Connect.
  • Standard – Defines an HTTP binding for the Messages, for both Relying Parties and OpenID Providers.
  • Discovery – Defines how Relying Parties dynamically discover information about OpenID Providers.
  • Dynamic Registration – Defines how Relying Parties dynamically register with OpenID Providers.
  • Session Management – Defines how to manage OpenID Connect sessions, including logout functionality.
  • Multiple Response Type Encoding – Registers OAuth 2.0 “response_type” values used by OpenID Connect.

An Implementer’s Draft is a stable version of a specification providing intellectual property protections to implementers of the specification. This vote follows the 45 day public review period that concluded on July 22nd.

These specifications are available at:
http://openid.net/specs/openid-connect-basic-1_0-28.html
http://openid.net/specs/openid-connect-implicit-1_0-11.html
http://openid.net/specs/openid-connect-messages-1_0-20.html
http://openid.net/specs/openid-connect-standard-1_0-21.html
http://openid.net/specs/openid-connect-discovery-1_0-17.html
http://openid.net/specs/openid-connect-registration-1_0-19.html
http://openid.net/specs/openid-connect-session-1_0-15.html
http://openid.net/specs/oauth-v2-multiple-response-types-1_0-08.html

A description of OpenID Connect can be found at http://openid.net/connect/. The working group page is http://openid.net/wg/connect/.

by Mike Jones at July 23, 2013 10:25 PM

July 22, 2013

OpenID.net

OpenID Connect / Account Chooser Meeting @ IETF 87 Berlin

The OpenID Foundation is hosting a joint WG meeting at IETF 87 Berlin on Sunday, July 28.

People interested in OpenID Connect, Account Chooser, and how they relate to IETF specifications such as OAuth, JSON Web Token (JWT), and JSON Object Signing and Encryption (JOSE) are meeting at IETF #87. We will meet at 2:00 on Sunday, July 28th, and have the room all afternoon. An overview of the specifications and their status will be provided.

Topics will include:

  • Interoperability
  • Compliance
  • Using the OAuth Assertion profile
  • Bootstrapping a Web session from a native client.
  • Non-Web clients
  • RS-AS communication.
  • OpenID 2.0 to Connect transition

Non-members are welcome to attend, but must be aware of the OIDF IPR policy.

NOTICE: An OpenID IPR contribution agreement is not mandatory in order to participate in this workshop. If participants provide feedback, they (on behalf of themselves and any organization they represent) are deemed to agree that the attendee gives OIDF the right to use their feedback and comments. The attendee grants to the OpenID Foundation a perpetual, irrevocable, non-exclusive, royalty-free, worldwide license, with the right to directly and indirectly sublicense, to use, copy, license, publish, distribute and exploit the Feedback in any way, and to prepare derivative works that are based on or incorporate all or part of the Feedback for the purpose of developing and promoting OpenID Foundation specifications and enabling the implementation of the same. Also, by giving Feedback, the attendee warrants that they have the rights to provide this feedback. Please note that feedback is not treated as confidential and that the OpenID Foundation is not required to incorporate feedback into any version of an OIDF specification.

by Nat Sakimura at July 22, 2013 11:25 PM

July 11, 2013

Kaliya Hamlin

Value Network Mapping an Ecosystem Tool

My response two years ago to the Notice of Inquiry issued by the NSTIC (National Strategy for Trusted Identities in Cyberspace) Program Office about how to govern an Identity Ecosystem included a couple of models that could be used to help a community of companies and organizations in an ecosystem co-create a shared picture. A shared, co-created picture is an important community asset to develop early on, because it becomes the basis for a real conversation about the critical issues that need to be addressed for successful governance to emerge.

The Privacy Committee within NSTIC has a Proactive Privacy Sub-Committee, and before I went on my trip around the world (literally) a month ago I was on one of its calls, described Value Network Mapping, and was invited to share more about the model/method and how it might be used.

Value Network Maps are a tool that can help us because both the creation of the map and its subsequent use by the companies, organizations, people and governments that are participating strengthens the network. This is important because we are dealing with a complex problem with a complex range of players. In the map below we are in the top left quadrant: we NEED strong networks to solve the problems we are tasked with solving. If we don't have them we will end up with chaos, OR we will have a hierarchical solution imposed to drive things towards the complicated and the simple, but given the inherent nature of the problem we will NOT fully solve it and will fall off the "cliff" at the edge between simplicity and chaos.

(This diagram is based on the Cynefin framework developed by David Snowden, architect of children's birthday parties using complexity theory and the success of Apollo 13.)

So - what is a Value Network Map?

It models technical and business networks by identifying the roles in a given system and then understanding the value that flows between those roles. Value flows include payment for the delivery of goods or services (tangible deliverables) but also intangible deliverables, such as an increased level of confidence because information was shared between parties even though it was not contractually obligated and no payment was made.

Drawing from Verna's book/site, which lays out how to do it, there are four steps to a value network map.

1. Define the scope and boundaries, context, and purpose.

2. Determine the roles and participants, and who needs to be involved in the mapping.

3. Identify the transactions and deliverables, defining both tangibles and intangibles.

4. Validate it is complete by sequencing the transactions.

I've worked on several value network mapping projects. I worked with Journalism that Matters to document the old and new journalism ecosystem, and I have led several community Value Network Mapping efforts.

This project highlights how the method can be used to talk about a present/past state, about how things happen "now". How do people today, or 20 years ago, share verified attributes with the business and government entities they do business with? If we understand the roles that exist in a paper-based world, how do those roles change in a future enabled by technology, how do the value flows change, and what new roles are created or needed?

A value network map can also be used to map the flow of rights and duties between different roles in an ecosystem, considered alongside the flow of monetary and other value.

Two years ago I went with Verna Allee (the innovator of the method) to the Cloud Identity Summit to work on a map for my organization, the Personal Data Ecosystem Consortium, focused on the "present state": what currently happens when someone visits a website, clicks on an ad to go buy something, and is then asked to provide identity attributes.

We took this FCC-submitted map, which has the individual at the center: data flows to the businesses, government and organizations they do business with, is sold on to Data Brokers, and Data Users then buy it to inform how they deal with the individual, all without their awareness or consent.

We added a wrinkle to this flow and asked what happens when an individual has to prove something (an attribute) about themselves to make a purchase.

Our hope was to do this and then work on a future-state map with a Personal Cloud provider playing a key role, enabling new value flows that empower the individual with their data while enabling similar transactions.

This is best viewed in PDF so if you click on the link to the document it will download.

Creating this map was an interactive process involving two dozen industry professionals that we met with in small groups. It involved large chart paper, post-it notes and lines drawn on the map. We came into the process with some of the roles articulated; some new roles were added as we began mapping with the community.

An example, to give you a sense of what it looks like when you do it in real life, is this map showing trust frameworks and the government's reduction of risk in the credit card system.

This was a small piece of the original map for the Personal Data Ecosystem (it did not end up getting included in the PDF version).  The roles are the orange flowers and the green arrows are tangible value flows and the blue arrows are intangible value flows.

So how could the Proactive Privacy Sub-Committee use this method?

At IIW11 one of the practitioners of value network mapping came to share the method and we broke up into small groups to map different little parts of an identity ecosystem. We had a template like this, picking four different roles and then beginning to map.

The exercise is written about here on Verna's website.

Scott David was a community member there and really saw how it was a tool to understand what was happening in systems AND to have a conversation about the flow of rights and responsibilities.

The method is best done face to face in small groups. It helps if the groups are diverse, representing a range of different perspectives. A starting point is a use case, a story that can be mapped: what are the roles in that story, and then walking through the different transactions.

So how do we "do" it? Well, a starting point is for those interested in helping lead it to identify themselves in the context of the Proactive Privacy Sub-Committee. We should work together to figure out how we lead the community through this process to figure out the privacy implications and see where the money flows for different proposed solutions.

We can try to do a session at the upcoming July or October plenary.

We could also organize to do some meetings at:

  • conferences in the next few months where we can identify 5-10 interested IDESG members to participate in mapping an ecosystem chunk for an hour or two.
  • cities around the country where we identify 5-10 folks who want to spend an hour or two mapping an ecosystem chunk.

It would be great, if we decide to do this, if the Secretariat led by Kay in her role as Executive Director of the IDESG can support us in organizing this. (That is why we are paying them 2.5 million bucks: to help us do the work of organizing in a meaningful way.)

I am friends with Verna Allee and can ask her for advice on this; however, I think the kind of help/advice we need to really use this method and do it WELL means it would behoove us to actually use NSTIC IDESG monies to hire Verna to engage with us in a serious way. When I wrote my NSTIC NOI I did so thinking that there would finally be monies available to pay people to do community conference building work like this. Perhaps it is not too late to do so.

by Kaliya Hamlin, Identity Woman at July 11, 2013 12:44 AM

July 01, 2013

OpenID.net

[seminar] Simplifying Enterprise IdM – OpenID Connect and SCIM

OpenID Foundation Japan’s Enterprise identity working group (EIWG) will host the following seminar. The working group is a joint working group with Japan Network Security Association’s Identity Management WG.

  • Date: July 4, 2013
  • Time: 14:00-17:00
  • Venue: Nomura Research Institute, Marunouchi Centre 9F. (Tokyo)
  • Entrance: Free
  • Capacity: 100
  • Language: Japanese

Cloud environments have spread through enterprise IT. IdM systems, which have hitherto targeted internal audit (J-SOX) and the like, need to adapt to the new environment.

RESTful identity federation technology and API management are drawing attention under such circumstances.

This seminar gives an overview of OpenID Connect, the new identity federation protocol that is gaining momentum, and of SCIM, the provisioning protocol that is going through the standardization process at the IETF. Through them, you will understand why they are necessary and what you need to take into consideration.

In addition, there will be a comparison between OpenID Connect and SAML, not only on technical points but also in terms of Cloud Providers’ activities and from the point of view of the API Economy.

There will also be an introduction to the implementation guidelines for those protocols.

Timetable

  • 14:00-14:05 About Enterprise Identity WG, Shingo Yamanaka, OpenID Foundation Japan
  • 13:05-14:20 Things needed by the enterprise IdM now, Jun’ichi Egawa, Exgen Networks
  • 14:20-14:50 SAML to OpenID Connect – Expansion of the federation technologies
    Standardization situation in OpenID Connect and SCIM, Tatsuo Kudo, Nomura Research Institute (NRI)
  • 14:50-15:05 Break
  • 15:05-15:25 Enterprise IT OpenID Connect Usage Guideline, Tatsuo Kudo, NRI
  • 15:25-15:45 Enterprise IT SCIM Usage Guideline, Masahiko Kuwata, NEC
  • 15:45-16:05 SaaS Implementation Use case, T. Ueda, Exgen Networks
  • 16:05-16:10 Way forward for the WG and how to participate, Shingo Yamanaka, OpenID Foundation Japan
  • 16:05-16:30 Questions and Answers

To join the seminar, please see http://www.openid.or.jp/news/2013/06/74-id—openid-connectscim–.html

by Nat Sakimura at July 01, 2013 04:29 PM

June 12, 2013

Dick Hardt


Today we are informing all users of Sxipper that we will be shutting down the sxipper.com servers and not updating Sxipper to Firefox 4.0.  The writing has been on the wall for a while that Sxipper might be put to rest and it was a hard decision to make. It has been over [...]

by Dick Hardt at June 12, 2013 03:34 PM

Dick Hardt


At the last OpenID Foundation board meeting I gave the presentation below. I had hoped to have posted this sooner, but my dearth of video skills meant recording to video was significantly harder than creating the presentation -- which was non-trivial itself. [...]

by Dick Hardt at June 12, 2013 03:34 PM

Dick Hardt


Products can be looked at falling into three categories: Vitamins, Painkillers and Viagra. The type of product being sold will dictate the product management, sales and marketing culture of a company.

by Dick Hardt at June 12, 2013 03:34 PM

Dick Hardt


Yesterday was my last day at Microsoft. I worked there a year. When I reflect on 2009, I think of it as the Year of Darkness. I only wrote a couple blog posts. I [...]

by Dick Hardt at June 12, 2013 03:34 PM

Dick Hardt


As one of the first Twitter users, @Dick seemed like an appropriate handle. As you can imagine, now that Twitter is popular, the @reply noise from people commenting about '@Dick Clark', '@Dick Cheney', '@Tom @Dick & @Harry' and numerous [...]

by Dick Hardt at June 12, 2013 03:34 PM

Dick Hardt


The Mozilla Identity Team recently released BrowserID, a user-centric identity initiative that uses email as the identifier. The Drupal community, typically quick to support open identity protocols, released support within 24 hrs, which shows how easy it is to implement. If you read my recent post on the OpenID Foundation, you will know [...]

by Dick Hardt at June 12, 2013 03:34 PM

Dick Hardt


Three years after the release of OAuth WRAP, OAuth 2.0 is finally an official standard as IETF RFCs 6749 and 6750. The inspiration for OAuth was to standardize how users authorize a site or application (the client) to access data at another site (the resource server). Clients wanting to access data [...]

by Dick Hardt at June 12, 2013 03:34 PM

June 08, 2013

OpenID.net

Review of Proposed Second OpenID Connect Implementer’s Drafts

The OpenID Connect Working Group recommends approval of the following specifications as OpenID Implementer’s Drafts:

  • Basic Client Profile – Simple, self-contained profile for Web-based Relying Parties using the OAuth code flow.
  • Implicit Client Profile – Simple, self-contained profile for Web-based Relying Parties using the OAuth implicit flow.
  • Messages – Defines the messages that are used by OpenID Connect.
  • Standard – Defines an HTTP binding for the Messages, for both Relying Parties and OpenID Providers.
  • Discovery – Defines how Relying Parties dynamically discover information about OpenID Providers.
  • Dynamic Registration – Defines how Relying Parties dynamically register with OpenID Providers.
  • Session Management – Defines how to manage OpenID Connect sessions, including logout functionality.
  • Multiple Response Type Encoding – Registers OAuth 2.0 “response_type” values used by OpenID Connect.

An Implementer’s Draft is a stable version of a specification providing intellectual property protections to implementers of the specification. This note starts the 45 day public review period for the specification drafts in accordance with the OpenID Foundation IPR policies and procedures. This review period will end on Monday, July 22, 2013. Unless issues are identified during the review that the working group believes must be addressed by revising the drafts, this review period will be followed by a seven day voting period during which OpenID Foundation members will vote on whether to approve these drafts as OpenID Implementer’s Drafts.

These specifications are available at:

A description of OpenID Connect can be found at http://openid.net/connect/. The working group page is http://openid.net/wg/connect/. Information on joining the OpenID Foundation can be found at https://openid.net/foundation/members/registration. If you’re not already a member, please consider joining to participate in the approval vote.

You can send feedback on the specifications in a way that enables the working group to act upon your feedback by (1) signing the contribution agreement at http://openid.net/intellectual-property/ to join the working group (please specify that you are joining the “AB+Connect” working group on your contribution agreement), (2) joining the working group mailing list at http://lists.openid.net/mailman/listinfo/openid-specs-ab, and (3) sending your feedback to the list.

UPDATE: The working group has updated some of the specifications to apply errata identified during the review period. The working group recommends that these versions be used for the Implementer’s Drafts. Any contributor may request that the 45 day review period be restarted based upon these updates, however the working group does not believe that this is necessary due to the minimal size and nature of the changes.

The original versions of the proposed Implementer’s Drafts are posted at the locations below to facilitate comparison between the original versions and those with the errata applied:

by Mike Jones at June 08, 2013 02:27 AM

June 07, 2013

OpenID.net

AB/Connect WG recommends for the 2nd Implementer’s Drafts

Today, the OpenID AB/Connect Working Group recommended to OpenID Foundation management that the OpenID Connect drafts are ready for a vote as the 2nd Implementer’s Drafts. The working group believes that the drafts have attained a stable state and does not foresee normative technical changes hereafter.

The list of drafts that the working group recommends as Implementer’s Drafts is:

- http://openid.net/specs/openid-connect-basic-1_0-28.html
- http://openid.net/specs/openid-connect-implicit-1_0-11.html
- http://openid.net/specs/openid-connect-messages-1_0-20.html
- http://openid.net/specs/openid-connect-standard-1_0-21.html
- http://openid.net/specs/openid-connect-discovery-1_0-17.html
- http://openid.net/specs/openid-connect-registration-1_0-19.html
- http://openid.net/specs/openid-connect-session-1_0-15.html
- http://openid.net/specs/oauth-v2-multiple-response-types-1_0-08.html

With this recommendation, the OpenID Foundation secretary will be announcing the 45 day public review period.

by Nat Sakimura at June 07, 2013 06:55 PM

June 05, 2013

OpenID.net

OpenID Foundation Workshop at the European Identity Conference

Another European Identity (and Cloud) Conference has come and gone, and once again it was accompanied by an OpenID Foundation Workshop, with excellent attendance, as a pre-conference event. John Bradley presented OpenID Connect at the Kantara workshop as well. The presentations on OpenID Connect, Account Chooser and Backplane reached attendees from the EU, Australia, New Zealand, Japan, South Africa and all over North and South America. It was gratifying to see Mike Jones receive recognition of OAuth 2.0 as an important protocol. Unfortunately, OIDF Board member Axel Nennker was unable to attend due to illness.

Many of the presentations and photos have now been uploaded to the conference website. Please log in using the same email address used for registration and get in touch with support@kuppingercole.com if you face any difficulty.

Dr. Mandl of Daimler was one of the attendees that expressed interest in OpenID Connect and the work of the foundation.

Don Thibeau
The OpenID Foundation

by jfe at June 05, 2013 04:47 PM

May 21, 2013

Chris Messina

17FEET. Small. Mighty. [Flickr]

factoryjoe posted a photo:

17FEET. Small. Mighty.

We’ve got new teammates on Google+!

by factoryjoe at May 21, 2013 12:04 AM


March 22, 2013

Kaliya Hamlin

She's Geeky Seattle: April 26-27

She's Geeky is coming to Seattle on April 26-27.


I will be heading up to facilitate and am very excited to finally have this event coming to the North West.

She's Geeky is a kind of magical event where women geeks of all kinds, gaming geeks, linux geeks, fandom geeks, crafting geeks, beekeeping geeks, drupal geeks, raspberry pi geeks, Arduino geeks, geeks in training, come together and hang out learning from each other.

Maybe we can even get some women from my native Vancouver to come down. :)

by Kaliya Hamlin, Identity Woman at March 22, 2013 09:16 PM

March 19, 2013

Kaliya Hamlin

Online Community Unconference: "It's BACK!"

I am really excited to be working with a super awesome crew of leaders of the Online Community Manager Tribe - or OCTribe.  We have been considering reviving the event and the pieces have finally come together to do it.

May 21st at the Computer History Museum

Registration is Open!

I really love the other co-organizers who are all rockstar community managers.

The conference was originally produced by Forum One, and I contracted with them to help design and facilitate. That event itself grew out of an invitational summit they hosted annually on online communities. I actually attended one of these in 2004 as a replacement for Owen Davis, who I worked for at the time at Identity Commons (1).

My firm Unconference.net is doing the production and facilitation for the event.

I plan to bring topics of digital identity forward at the event and hopefully get some of the amazing expertise on identity and reputation to participate in NSTIC.

by Kaliya Hamlin, Identity Woman at March 19, 2013 07:26 PM