Planet OpenID

September 13, 2016

Harmonizing IETF SCIM and OpenID Connect: Enabling OIDC Clients to Use SCIM Services

OpenID Connect (OIDC) 1.0 is a key component of the “Cloud Identity” family of standards. At Oracle, we have been impressed by its ability to support federated identity both for cloud business services and in the enterprise. This is the reason why we recently joined the OpenID Foundation as a Sustaining Corporate Member.

In addition to OIDC, we are also strong proponents of the IETF SCIM standard. SCIM provides a JSON-based standard representation for users and groups, together with REST APIs for operations over identity objects. The schema for user objects is extensible and includes support for attributes that are commonly used in business services, such as group, role and organization. 

Federated identity involves two components: secure delivery of user authentication information to a relying party (RP), and delivery of user profile or attribute information. Many of our customers and developers have asked us: can OIDC clients interact with a SCIM endpoint to obtain or update identity data? In other words, can we combine SCIM and OIDC to solve the traditional use-case that LDAP supports for enterprise applications (bind, attribute lookup), recast for the modern frameworks of REST and cloud services?

Working collaboratively with other industry leaders, we have published just such a proposal[1]. The draft explains how an OpenID Connect RP can interact with a SCIM endpoint to obtain or update user information. This allows business services to use the standard SCIM representations for users and groups, yet have the information conveyed to the service in a single technology stack based upon the OIDC protocols.

SAML, OIDC, SCIM and OAuth are the major architectural “pillars” of cloud identity. We would like to see them work together in a uniform and consistent way to solve cloud business service use-cases. Harmonizing SCIM and OIDC is an important step in that direction.

Prateek Mishra, Oracle


by Guest Author at September 13, 2016 07:18 PM

August 24, 2016

Registration Open for OpenID Foundation Workshop on Monday, October 24, 2016

OpenID Foundation Workshops provide insight and influence on important Internet identity standards. The workshop provides updates on the development of profiles of OpenID Connect as well as review progress on OpenID Connect Certification and an update on Relying Party certification.

We will introduce FastFed (Fast Federation) and provide updates on other work including Connect, Account Chooser, Financial API (FAPI), HEART, iGov, MODRNA (mobile operator discovery, registration & authentication) and RISC. Leading technologists from Amazon, Oracle, Microsoft, Google, Ping Identity and others will update key issues and discuss how they help meet social, enterprise and government Internet identity challenges.

This event precedes IIW #23 in Mountain View, October 2016.

Registration can be found here:

The OpenID Foundation Workshop Agenda

Thank you to VMware for hosting and directed funding support of this event.

Don Thibeau

The OpenID Foundation

by Don Thibeau at August 24, 2016 07:31 PM

August 10, 2016

Nat Sakimura


The WPAD/PAC attack [1] presented at Black Hat 2016 on August 3, which lets an attacker read HTTPS URLs, is one of those attacks that makes you think "ah, I see."

It does not attack HTTPS itself. Instead, when the browser resolves the proxy for an HTTPS host, the PAC file is used to filter the contents of the URL and send them to the attacker's host.
Some browsers run proxy resolution every time (e.g. Firefox, Chrome) and some do not; against the latter the attack rarely succeeds, but against Firefox, Chrome and the like it is effective. It does, however, require that "Automatically detect settings" is turned on in the LAN proxy settings. That, though, is probably switched ON rather often in corporate systems and the like.
The list quoted from the talk reads
  • OpenID authentication URLPassword reset URL
which is presumably a mistake for
  • OpenID authentication URL
  • Password reset URL
since there is no such thing as an "OpenID authentication URLPassword reset URL".
The query of both the OAuth authorization request and the response gets stolen. That is, with response_type=code * the code, and with response_type=token * the token, is captured and sent to the attacker's server in real time.
Of course, if the user has turned off the automatic proxy configuration option above, they are fine, but that is something the OAuth server/client side can do nothing about. Countermeasures that can be taken:
  • If you use PKCE [RFC7636] with S256, the stolen code is of no use, so you are safe.
  • Using Form Post mode is also fine.
  • And of course Token Binding is fine.
Password reset URLs, on the other hand, do get compromised. That is really the bigger problem. File sharing by URL, as on Dropbox, is also affected. A server-side countermeasure would be something like having the file identifier entered separately in a form, but that would probably make it unusable for many people, which is a bit of a dilemma.
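As an added example (not code from the original post), here is why the first countermeasure above works: a minimal PKCE S256 exchange in which the authorization server stores only the SHA-256 challenge with the code, so a code lifted from the redirect URL cannot be redeemed without the verifier that never left the client. The AuthorizationServer class, the client names and the token format are constructed stand-ins, not any real server's API.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # 32 random bytes -> 43 unreserved characters, the RFC 7636 minimum length.
    return b64url(secrets.token_bytes(32))


def s256_challenge(code_verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Constructed stand-in for the OAuth server: only the parts PKCE touches."""

    def __init__(self) -> None:
        self._pending = {}  # code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str, method: str) -> str:
        # Only S256 is accepted: "plain" would put the verifier itself into the
        # authorization URL, which is exactly what the PAC script can read.
        if method != "S256":
            raise ValueError("unsupported code_challenge_method")
        code = b64url(secrets.token_bytes(24))
        self._pending[code] = (client_id, code_challenge)
        return code  # travels back in the redirect URL, so it is observable

    def token(self, code: str, client_id: str, code_verifier: str):
        # A code is single-use: whether the exchange succeeds or fails, it is gone.
        entry = self._pending.pop(code, None)
        if entry is None:
            return None
        pending_client, challenge = entry
        if pending_client != client_id:
            return None
        if not 43 <= len(code_verifier) <= 128:
            return None
        # The verifier never appeared in any URL; only its hash did.
        if not hmac.compare_digest(s256_challenge(code_verifier), challenge):
            return None
        return {"access_token": b64url(secrets.token_bytes(16)), "token_type": "Bearer"}


def legitimate_flow(server: AuthorizationServer, client_id: str):
    """The honest client keeps the verifier in its own session and redeems the code."""
    verifier = make_code_verifier()
    code = server.authorize(client_id, s256_challenge(verifier), "S256")
    return server.token(code, client_id, verifier)


def replay_without_verifier(server: AuthorizationServer, client_id: str):
    """What a party holding only the URL contents can do: present the code, guess the verifier."""
    verifier = make_code_verifier()
    observed_code = server.authorize(client_id, s256_challenge(verifier), "S256")
    return server.token(observed_code, client_id, make_code_verifier())
```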

Copyright © 2016 @_Nat Zone All Rights Reserved.

by Nat at August 10, 2016 06:54 AM

August 05, 2016

Initial OpenID Connect Enhanced Authentication Profile (EAP) Specifications

The OpenID Enhanced Authentication Profile (EAP) working group charter states that:

The purpose of this working group is to develop a security and privacy profile of the OpenID Connect specifications that enables users to authenticate to OpenID Providers using strong authentication specifications. The resulting profile will enable use of IETF Token Binding specifications with OpenID Connect and integration with FIDO relying parties and/or other strong authentication technologies.

I’m pleased to announce that two new draft OpenID specifications have been adopted by the EAP working group to meet those two goals:

Please give them a read and give your feedback to the working group. Or even better yet, implement them (they’re both very straightforward) and send us your feedback!

by Mike Jones at August 05, 2016 12:41 PM

July 16, 2016

Preventing Mix-Up Attacks with OpenID Connect

Recently the OAuth community has been concerned with some attack vectors around mixed up clients, particularly when dynamic client registration and discovery are used with user-selected OpenID Providers.

Broadly, the attacks consist of using dynamic client registration, or the compromise of an OpenID Provider (OP), to trick the Relying Party (RP) into sending an authorization code to the attacker’s Token Endpoint. Once a code is stolen, an attack that involves cutting and pasting values and state in authorization requests and responses can be used to confuse the relying party into binding an authorization to the wrong user.

Many deployments of OpenID Connect (and OAuth) in which the configuration is static, and the OPs are trusted, are at greatly reduced risk of these attacks. Despite that, these suggestions are best current practices that we recommend to all deployments to improve security, with a particular emphasis on more dynamic environments.

The full research papers on these attacks can be read here: A Comprehensive Formal Security Analysis of OAuth 2.0, and On the security of modern Single Sign-On Protocols: Second-Order Vulnerabilities in OpenID Connect.

Using the Hybrid Flow to mitigate attacks by a bad OP

Fortunately, the Hybrid flow of OpenID Connect is already hardened against these attacks: the ID Token cryptographically binds the issuer to the code and to the user’s session, and, through dynamic discovery on that issuer, to the token endpoint. In fact, any OpenID Connect flow that returns an ID Token from the Authorization Endpoint already contains the same information returned by the OAuth 2.0 Mix-Up Mitigation draft specification, namely the Issuer (as the iss claim) and the Client ID (as the aud claim), enabling the RP to verify them and thus prevent mix-up attacks.

To protect against the Mix-Up attack, RPs that allow user-driven dynamic OP discovery and client registration should:

Use the hybrid code id_token flow, and verify in the authorization response that:

  1. The response contains tokens required for the response type that you requested (code id_token).
  2. The ID Token is valid (signature validates, aud is correct).
  3. The issuer (iss value) matches the OP that the request was made to, and the token endpoint you will exchange the code at is the one listed in the issuer’s discovery document.
  4. The nonce value matches the nonce associated with the user session that initiated the authorization request.
  5. The c_hash value verifies correctly.

To aid the implementation of the best practice, we recommend that OPs consider supporting OAuth 2.0 Form Post Response Mode, as it makes it simpler for clients doing code id_token to get both the code and the ID Token on the backend for verification.

OPs MUST also follow the OpenID Connect requirement for exact matching of a pre-registered redirect URI, to protect against open redirector attacks.
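As an added example (not code from the original post), the five checks above as a Relying Party would apply them to a code id_token response. The ID Token is an HS256 compact JWS over a shared key and the discovery document is an inline dict: both are constructed stand-ins for the RS256/JWKS verification and HTTPS discovery fetch a real RP performs. The token endpoint the function returns is taken only from the verified issuer’s discovery document, never from anything in the response.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def c_hash_for(code: str) -> str:
    # c_hash = base64url(left-most 128 bits of SHA-256(code)) for a 256-bit alg
    return b64url_encode(hashlib.sha256(code.encode("ascii")).digest()[:16])


def sign_id_token(claims: dict, key: bytes) -> str:
    # Constructed OP side: HS256 compact JWS, so the example runs offline.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hybrid_response(response: dict, session: dict, discovery: dict, op_key: bytes):
    """Return (token_endpoint, None) when every check passes, else (None, reason).

    response  - parameters received at the redirect URI
    session   - what the RP stored when it built the authorization request
    discovery - issuer -> cached discovery document for that issuer
    op_key    - key that verifies the expected OP's signature (constructed)
    """
    # 1. The tokens the requested response_type (code id_token) requires are present.
    if "code" not in response or "id_token" not in response:
        return None, "missing code or id_token"
    # The standard state check ties the response to the RP session that started it.
    if response.get("state") != session["state"]:
        return None, "state mismatch"
    # 2. ID Token validity: signature verifies and aud is this client.
    parts = response["id_token"].split(".")
    if len(parts) != 3:
        return None, "malformed id_token"
    header_b64, payload_b64, sig_b64 = parts
    expected = hmac.new(op_key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None, "bad signature"
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("aud") != session["client_id"]:
        return None, "aud mismatch"
    # 3. iss is the OP the request was sent to, and the token endpoint comes only
    #    from that issuer's own discovery document.
    if claims.get("iss") != session["issuer"]:
        return None, "iss mismatch"
    doc = discovery.get(claims["iss"])
    if doc is None or doc.get("issuer") != claims["iss"]:
        return None, "no discovery document for issuer"
    # 4. nonce matches the one stored in the user's session.
    if claims.get("nonce") != session["nonce"]:
        return None, "nonce mismatch"
    # 5. c_hash binds the code in this response to this ID Token.
    if claims.get("c_hash") != c_hash_for(response["code"]):
        return None, "c_hash mismatch"
    return doc["token_endpoint"], None


# Constructed sample data: the honest OP and the session the RP stored for the request.
OP_KEY = b"constructed-shared-secret"
HONEST_ISSUER = "https://op.example"
DISCOVERY = {HONEST_ISSUER: {"issuer": HONEST_ISSUER, "token_endpoint": HONEST_ISSUER + "/token"}}
SESSION = {"issuer": HONEST_ISSUER, "client_id": "rp-123", "state": "st-1", "nonce": "n-1"}


def demo():
    """A well-formed response from the honest OP: yields the endpoint to exchange the code at."""
    code = "code-abc"
    id_token = sign_id_token(
        {"iss": HONEST_ISSUER, "aud": "rp-123", "nonce": "n-1", "c_hash": c_hash_for(code)}, OP_KEY)
    return verify_hybrid_response({"code": code, "id_token": id_token, "state": "st-1"},
                                  SESSION, DISCOVERY, OP_KEY)
```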

Using the Code Flow to mitigate attacks involving a compromised OP

Environments with statically registered OPs are not susceptible to dynamic registration attacks (by definition); however, it is still possible for a whitelisted OP to attack other OPs, and for malicious users to bind stolen codes to their own sessions. This may sound far-fetched (why would your trusted OPs attack each other, after all?), but if one OP were compromised, for example, it could be used to attack the other OPs, which is not ideal. To protect against such attacks, RPs using the “code” flow with statically registered OPs should:

  1. Register a different redirect URI for each OP, and record the redirect URI used in the outgoing authorization request in the user’s session together with state and nonce. On receiving the authorization code in the response, verify that the user’s session contains the state value of the response, and that the redirect URI of the response matches the one used in the request.
  2. Always use nonce with the code flow (even though that parameter is optional). After performing the code exchange, compare the nonce in the returned ID Token to the nonce associated with the user’s session from when the request was made, and don’t accept the authorization if they don’t match.


The OpenID Connect working group believes that when the above best practices are followed, the attacks described are prevented.

This advice was drafted at a working meeting of the OpenID Connect WG at the 22nd Internet Identity Workshop (IIW), and reviewed at the OAuth Security Workshop 2016 in Trier Germany.

by William Denniss at July 16, 2016 12:34 PM

June 21, 2016

Nat Sakimura

Why an open Internet matters #OECDDigitalMX


Q. Is an open Internet important?

As with every industrial revolution before it, we are now witnessing a steep rise in productivity and a sharp fall in prices: digital deflation. But this is not a bad thing. Higher productivity lets us produce more with less, so on average society becomes richer, and falling prices make it possible to supply services to segments of society that could not be served before.

  1. Trustworthy technology
  2. Expanded connectivity
  3. An open Internet
  4. Upskilling of users and workers

We must give them connectivity. And it must be open. Otherwise, permissionless innovation will not happen.

Q. What are the challenges in privacy administration?

  1. The misconception in industry that privacy impedes business
  2. Pervasive surveillance in the name of security
  3. The risk that new legislation is used as a new tool of protectionism
  4. Negative externalities and the need for ethical behaviour




by Nat at June 21, 2016 02:59 PM

June 16, 2016

Nat Sakimura

[Appearance] Trade Union Advisory Council Forum @ OECD Ministerial Meeting (2016/6/21)

Next week, on Tuesday June 21, in Cancún, Mexico, I will take part in the panel discussion “Technological Transformation & New Regulatory Models” at the TUAC (Trade Union Advisory Council) Forum on the digital economy, held alongside the OECD Ministerial Meeting.


9:30 am to 10:45 am

Technological Transformation & New Regulatory Models

Existing economic and social structures are increasingly affected by digitization: some for the better (increased internet openness and exchanges) and others for the worse (security and privacy risks, non-shared profits, and the rise in non-standard work). A coherent set of regulatory policies and investment targets is imperative to enable an equitable technological diffusion, while anticipating trends and risks. As such, the risk of a “digital deflation” is real since companies increasingly encounter pressures on profit margins and rely on short-term financing. At the same time, monopolistic structures are making it difficult for new firms to grow, and leading some to adopt labour-cost saving and high-risk business models, to avoid paying taxes and to seek other legal loopholes. Panelists are invited to discuss the economic and social effects of Internet openness and technological change focusing on:

  • Value creation in the digital sector
  • Legal status and taxation
  • Competitive pressures vs. sustainable business models
  • Long-term investment vs. Digital Deflation

Moderator: Tim Noonan, Communications Director, ITUC

Catalina Achermann, Expert for telecommunications, digital ecosystems, new technologies, and public policy, CEPAL

Robert T Atkinson, President, Information Technology and Innovation Foundation (ITIF)

Yann Bonnet, General Secretary, Conseil National du Numérique (French Digital Council), France

Nat Sakimura, Chairman, OpenID Foundation[1]

Damon Silvers, Policy Director and Special Counsel, AFL-CIO

Conrado García Velasco, General Secretary, Sutnotimex


Ruwan Subasinghe, Legal Advisor, International Transport Workers’ Federation (ITF)




by Nat at June 16, 2016 10:14 AM

Nat Sakimura

ITAC Forum @ OECD Ministerial Meeting on the Digital Economy (2016/6/21)

The programme for the OECD ITAC (Internet Technical Advisory Committee) Forum, held on Tuesday June 21 next week ahead of the OECD Ministerial Meeting on the Digital Economy, has been published.



ITAC Forum at the 2016 OECD Ministerial on the Digital Economy

Tuesday, June 21, 2016

9:00 am – 9:30 am: Opening and keynote address

  • Welcome: Laurent Liscia, CEO and Executive Director, OASIS
  • Keynote: Jari Arkko, Chair, Internet Engineering Task Force

9:30 am – 10:45 am: Getting the Ball Rolling: IPv6 Adoption Since 2008

The adoption of IPv6 was specifically noted in the Seoul Declaration for the Future of the Internet Economy in 2008. This session will discuss the real-world progress in IPv6 adoption since that event, with a particular focus on the accelerated adoption rates seen in many economies over the last 18 months. Discussants will consider the drivers of IPv6 adoption and the lessons learned in terms of what IPv6 adoption means for Internet growth, openness and competition.

Moderator: Alejandro Pisanty, Academic Computing Services of the National University of Mexico (UNAM)

  • Geoff Huston, Chief Scientist, APNIC
  • Adriana Lavandini, Commissioner, Instituto Federal de Telecomunicaciones
  • John Brzozowski, Fellow and Chief Architect IPv6, Comcast
  • Hiroshi Esaki, Professor, Graduate School of Information Science & Technology, University of Tokyo

10:45 am – 11:00 am

11:00 am – 12:15 pm: Open Standards for an Open Internet of Things

The Internet of Things (IoT) promises to usher in a revolutionary, fully interconnected “smart” world, with relationships between objects, people and their environments becoming more connected and intertwined. The potential ramifications of this are huge, particularly in the areas of: security and privacy; interoperability and standards; legal, regulatory and rights issues; and the inclusion of emerging economies. IoT involves a complex and evolving set of considerations, including the technology underpinnings to support IoT. We therefore need to be prepared. Stakeholders, including governments, need to think and act strategically together so that the maximum advantage can be derived from this emerging phenomenon. Conversely, uncoordinated actions such as on standard setting (by state or private actors) risk undermining trust and understanding of the benefits of the IoT.

The session will address the questions of:

  • What is the value of open and voluntary standards in sustaining innovation in this domain?
  • What is the economic rationale that goes into choosing between a particular set of competing standards?
  • What are possible frameworks and solutions for creating an enabling environment for IoT to flourish as a positive force for inclusive economic and social development?
  • Who should take such standards forward?
  • With IoT’s multi-faceted nature that allows it to cross over many disciplines and vertical markets, how do stakeholders ensure a path that supports convergence and interoperability?

Moderator: Karen McCabe, Senior Director, Technology Policy and International Affairs, IEEE Standards Association

  • Monique Morrow, CTO, Evangelist for New Frontiers Development and Engineering, CISCO
  • Laurent Liscia, CEO and Executive Director, OASIS
  • David Conrad, Chief Technology Officer, ICANN
  • Roberto Minerva, Research Coordinator at Telecom Italia Lab; Chair of the IEEE IoT Initiative
  • Luis Kun, Prof. of National Security at the Center for Hemispheric Defense Studies (CHDS) at the National Defense University
  • Elsa Chan, Co-Founder, Jetlun

12:30 pm – 2:00 pm: Joint stakeholder hosted lunch (ITAC, BIAC, CSISAC, TUAC)

2:00 pm – 3:30 pm: A collaborative approach to Internet Security

The Internet (a global interconnected network of networks) has enabled a global digital economy to flourish. Yet, the same interconnectedness that fosters communication, opportunities, innovation and commerce on a global scale, also means that participation in the global digital economy means global interdependence and shared risk. Therefore, we have a common interest in the security of this shared economic growth resource and a collective responsibility to care for the Internet. Further, the continued effectiveness of the Internet as a driver for a vibrant and sustainable global digital economy also depends on the Internet being a trusted platform for social interaction and commerce.

As the Internet and its applications become ever more pervasive in our daily lives through the Internet of Things, widespread use of sensors and the digitization of biological traits, collaborative risk-based approaches to Internet security are needed more than ever.

  • How can we, as a global community, overcome silo approaches and evolve beyond considering only one’s own security risks?
  • How will we share resources to ensure the delivery of a more secure Internet?
  • How will we integrate the rights and expectations of users in security solutions?
  • How will we collaborate to empower e-entrepreneurs and SMEs to effectively contribute to the overall security risk management of the Internet?

Building on the OECD Recommendation on Digital Security Risk Management for Economic and Social Prosperity, this session will highlight real world examples of collaborative approaches to strengthen the security of the Internet and its use, identify economic impediments to deployment of Internet security solutions, and suggest ways forward so that the Internet’s full potential can be realised.

Moderator: Robin Wilton, Technical Outreach for Identity and Privacy, Internet Society

  • Laurent Bernat, Cyber Security and Privacy Risk Policy Analyst, OECD
  • Bruce Schneier, Chief Technology Officer, Resilient Systems, Inc.
  • Yurie Ito, Director of JPCERT/CC and Founder and Executive Director of
  • Geoff Huston, Chief Scientist, APNIC
  • Belisario Contreras, Cyber Security Program Manager at the Organization of American States
  • David Conrad, Chief Technology Officer, ICANN
  • Sebastian Bellagamba, Regional Bureau Director for Latin America and The Caribbean, Internet Society

5:30 pm – 6:30 pm: Joint Stakeholder Press Conference

7:30 pm – 9:30 pm: Official Ministerial Welcome Reception

by Nat at June 16, 2016 09:43 AM

June 13, 2016

Nat Sakimura

Breaking: Microsoft to acquire LinkedIn

According to the LinkedIn blog published on June 13, Microsoft has agreed to acquire LinkedIn. The price is USD 26.2B, roughly 2.77 trillion yen [1]. Moreover, it is reportedly all cash. It is said to be the largest acquisition in Microsoft’s history.




by Nat at June 13, 2016 01:08 PM

June 10, 2016

Nat Sakimura


The movement, attempted for a time in 2004, to enshrine in the constitution an individual’s right to decide whether or not to have a Virtual Personality (a Digital Identity, in English terms) apparently restarted in the Costa Rican National Assembly on June 3.

I had been saying: “Overseas, the right to identity usually means the right to prove one’s own identity so as to be able to enjoy education and all the other rights. For example, Goal 16.9 of the UN’s THE 2030 AGENDA FOR SUSTAINABLE DEVELOPMENT [2]. It is mainly about thin-file people (people with very few documents that can prove who they are): in Japan, children without a family register; in today’s Europe, refugees.

Come to think of it, there was a constitutional amendment movement in Costa Rica in 2004, and I met one of its leaders, a Supreme Court justice, back then. Quite different from the current one in Japan.” Feeling nostalgic, I looked at Jaco Aizenman Leiner’s timeline, and this came up.

Jaco Aizenman Leiner, who made this post, was a fellow board member back in 2004 and the driving force behind the Costa Rica visit mentioned above. We both later left XDI.org, but this is how fates cross again.

by Nat at June 10, 2016 03:12 PM

May 25, 2016

Nat Sakimura

Open Data in Finance @ London is on June 15!

APIs are drawing attention as one of the three pillars of FinTech, and in Europe especially they have become a very hot topic since Payment Services Directive 2 obliged banks to provide financial APIs by the end of 2017. In Japan they still trail blockchain, but compared with blockchain, which can still fairly be called a research project, financial APIs are a pressing issue.

In this context, a conference dealing mainly with financial APIs, “Open Data in Finance”, will be held over two days, June 14 and 15, in London, the centre of European finance. June 14 is a workshop day and the main conference is on June 15. Though quite unequal to the task, I, Nat Sakimura, have the honour of serving as Chair throughout the conference.

The programme can be seen on the Agenda page. It opens with an Armchair Chat between Gavin Starks, CEO of the Open Data Institute and chair of the steering committee of The Open Banking Standard, and Matt Hammerstein, Managing Director at Barclays, followed by panel discussions and roundtables with many experts; it should be a valuable opportunity to learn the “now” of financial APIs in Europe.



by Nat at May 25, 2016 02:17 PM

May 24, 2016

Nat Sakimura

The OpenID Track at CIS is on Tuesday June 7

Until last year the OpenID Track at CIS was held on the pre-conference day, but this year it has been folded into the main conference under the title “Achieving Internet Scale Identity with OpenID Connect”.

The track coordinator is Don Thibeau.
This year I will introduce the Financial API WG.

Achieving Internet Scale Identity with OpenID Connect

Tuesday, June 7.
  • OpenID Connect – Certification and Futures
    9:30 AM – 9:55 AM | SPEAKER: Michael Jones
  • The Mobile OpenID Connect Profile
    10:05 AM – 10:30 AM | SPEAKER: Bjorn Hjelm
  • Account Chooser
    10:40 AM – 11:05 AM | SPEAKER: Pamela Dingle
  • The Mission Critical, First Responder Profile of OpenID Connect to Serve & Protect
    2:30 PM – 2:55 PM | SPEAKER: Adam Lewis
  • OpenID Connect: Introducing FAPI WG
    3:40 PM – 4:05 PM | SPEAKER: Nat Sakimura
  • Protecting Users and Infrastructure: Can We Create a Sharing Economy of Security Signals?
    4:20 PM – 4:45 PM | SPEAKER: Andrew Nash, Alexander Weinert, Adam Dawes, Richard Struse
  • Protecting Users and Infrastructure (Continued)
    4:55 PM – 5:20 PM | SPEAKER: Andrew Nash, Alexander Weinert, Adam Dawes, Richard Struse

by Nat at May 24, 2016 07:24 AM

May 23, 2016

Announcing the Financial API (FAPI) Working Group

In many cases, Fintech services such as aggregation services use screen scraping and store user passwords. This model is both brittle and insecure. To cope with the brittleness, the new OpenID Foundation Working Group invites developers, architects and technologists to contribute to an open standard approach using an API model with structured data; to cope with the insecurity, it should utilize a token model such as OAuth [RFC6749, RFC6750].

The OpenID Foundation Financial API (FAPI) Working Group aims to rectify the situation by developing a REST/JSON model protected by OAuth. Specifically, the FAPI Working Group aims to provide JSON data schemas, security and privacy recommendations and protocols to:

  • enable applications to utilize the data stored in the financial account,
  • enable applications to interact with the financial account, and
  • enable users to control the security and privacy settings.

Both commercial and investment banking accounts, as well as insurance and credit card accounts, are to be considered.

The FAPI Working Group is building a Fintech bridge through open standards. This effort builds on the wide international adoption of OpenID Connect.

The FAPI Working Group was proposed by Nat Sakimura (NRI), Tony Nadalin (Microsoft), and Cindy Barker (Intuit). A charter will be approved and a chair selected at the first FAPI Working Group meeting.

The FAPI Working Group chairs will be presenting on the focus of the group at upcoming conferences including the 2016 Cloud Identity Summit in New Orleans and the Open Data Finance conference in London, both in June.

The Open Data in Finance conference is an end-user driven event that focuses exclusively on open data and data sharing in the finance sector.

It will bring together influential representatives at the nexus of the open data initiative, to give insights into the plans of government and key industry players, and share how they are shaping and responding to this market change.

The Open Data in Finance organizers have offered OpenID Foundation members a 20% discount to attend. Please contact me directly if interested.

Links of interest:

OIDF FAPI Working Group Page

Subscribe to the FAPI Working Group Mailing List

Those interested in participating will need to submit a signed IPR Agreement indicating their participation in the FAPI WG. The IPR agreement can be submitted online via DocuSign or emailed to

by Mike Leszcz at May 23, 2016 08:15 PM

Nat Sakimura

Installing an SSL certificate with certbot, formerly Let’s Encrypt

Let’s Encrypt has finally finished its beta phase and been officially released. And it has become certbot, provided by the EFF.

First, go to the certbot site. A screen for choosing your web server and OS appears.

Certbot Front Screen

Figure) Specify the web server and OS you are using and the instructions appear.

When you select the web server and OS you use here, a manual for your environment appears (in English), so just follow it. For example, with Apache + Ubuntu 14.04,

$ wget
$ chmod a+x certbot-auto

downloads the certbot installer and makes it executable, and

$ ./certbot-auto

installs certbot.

$ ./path/to/certbot-auto --apache

does the job. Usage is almost the same as Let’s Encrypt.

While we are at it, let’s switch the Courier MTA SSL certs too

Apache was probably configured almost fully automatically, wasn’t it? While we are at it, let’s switch the Courier MTA SSL certs over as well.

The .pem file Courier MTA uses is the private key, the certificate and the certificate chain concatenated together. With certbot, these files live under /etc/letsencrypt/live/ in a subdirectory named after your domain. Suppose the .pem file read by the Courier MTA SSL configuration file (/etc/courier/esmtpd-ssl) is /etc/courier/esmtpd.pem. In that case:

# Run the whole pipeline as root: the live directory is not readable by ordinary
# users, and "sudo cd" does not work because cd is a shell builtin. fullchain.pem
# already contains cert.pem followed by the chain, so cert.pem is not added again.
$ sudo sh -c 'cd /etc/letsencrypt/live/ && cat privkey.pem fullchain.pem > /etc/courier/esmtpd.pem'
$ sudo /etc/init.d/courier-mta-ssl restart


by Nat at May 23, 2016 05:48 PM

April 20, 2016

Nat Sakimura


An article [1] titled “A music video that looks set to make enemies of every MV producer” came my way. What it introduced was “Music Video”, a music video by Okazaki Taiiku (岡崎体育).

by Nat at April 20, 2016 04:42 PM

April 18, 2016

Nat Sakimura

Flash report: the gala concert of the 2016 Menuhin Competition

At the 2016 Menuhin Competition, held in London, England to mark the centenary of the birth of its founder Yehudi Menuhin, Yesong Sophie Lee (12) of the USA won the Junior section and Ziyu He (16) of China won the Senior section.

Menuhin Competition 2016 Winners: Yesong Sophie Lee (12) & Ziyu He (16)

At the gala concert held at the Royal Festival Hall on the 17th, they played Vivaldi: Concerto from The Four Seasons (Summer) and Dvořák: Violin Concerto, 3rd mov. respectively, and as encores contemporary pieces for solo violin by a Salzburg composer.

The Vivaldi, which 12-year-old Yesong Sophie Lee led and played with a chamber-sized orchestra, was a performance of very fine nuance and wide dynamic range, and it completely changed my view of Vivaldi’s Four Seasons. One could keenly feel the players using their time carefully to build the music together with the girl.

Ziyu He, on the other hand, gave a commanding performance that was hard to believe from a 16-year-old. That said, the piece he played as an encore was even better than the concerto.

In the second half, Julia Fischer, who won the Junior section of the 1995 Menuhin Competition, played Bartók’s Violin Concerto No. 1, followed by the orchestra alone in Tchaikovsky’s Francesca da Rimini, Op. 32.

The orchestra was seated American style: first violins, second violins, violas, cellos. With this layout the high register is skewed to the left, which I have my doubts about. It may partly have been the direction of the conductor, Diego Matheuz, but unlike the recent trend toward orchestras with good separation between instruments, this was an orchestra with a 20th-century sound in which the strings in particular blended together, for better or for worse.

by Nat at April 18, 2016 01:20 PM

April 13, 2016

Kaliya Hamlin

It’s getting Meta – Identity for the Identity students

Today I picked up my University of Texas at Austin ID card. Yes, I’m now a Texas Longhorn. The Center for Identity here is teaming up with the Information School to offer a Master of Science in Identity Management and Security, and I’m enrolled in the first cohort of students.

I’m not moving to Texas though. It’s a part time program, one weekend a month and I’m going to fly here to participate in classes.

Today we had an overview of the 10 classes that make up the program, learned about some of the different research happening at the iSchool and the Center for Identity.

I wasn’t expecting this but we got a full tour of the football stadium, saw a bunch of statues of players and coaches and learned all about the team and the lore.  It reminded me of the first week I had at Cal and the feeling I had that week knowing I would be a Golden Bear for life (I was a student athlete though so there was a whole other layer to the experience).

I will be blogging about what we are up to.

by Kaliya Hamlin, Identity Woman at April 13, 2016 11:03 PM

March 25, 2016

Nat Sakimura



(Representative: Shuichi Sakai, Dean, Graduate School of Information Science and Technology, The University of Tokyo)
(Chief examiner: Masatomo Suzuki, Professor, Faculty of Law, Niigata University)

Date and time: 2016/03/24 17:00-20:00
Venue: The University of Tokyo, Faculty of Engineering Building 2, 12F, Electrical Engineering Meeting Room 4

NTT Secure Platform Laboratories: Akiko Fujimura, Fumihiko Magata

National Institute of Advanced Industrial Science and Technology (AIST): Hiromitsu Takagi

I had been at Kikai Shinko Kaikan from 1:00 to 5:30 deliberating the JIS X 29100 privacy framework, so I arrived late; I missed almost all of Fujimura-san’s talk and heard Takagi-san’s.

Afterwards, at the customary get-together, and then from around 11 o’clock after I got home, Takagi-san explained a great deal to me: the history of Japan’s Act on the Protection of Personal Information and its original meaning according to the article-by-article commentary (in Japan’s case, the object is a database in which records with a certain structure are accumulated), and that in the EU too, under the Data Protection Directive and the draft Data Protection Regulation, the scope is structured information that is contained in, or intended to be contained in, an automatically processed filing system. With that, Takagi-san’s talk at the study group finally came together for me [1].

On the other hand, if that is so, I could not see why the right to be forgotten against Google in the EU was recognised under data protection law, and we speculated whether it had been seen as a (url, keyword) structure.

But the EU judgment still did not sit right with me, so after saying goodnight I studied a little further on my own. What I found is that the scope of the EU GDPR and the like seems to be somewhat different from what we had assumed in the conversation above. I would like an expert to check this again and set me straight...

Let us look at the ICO documents “What is personal data? – A quick reference guide Data Protection Act 1998” [2] and “Determining what information is ‘data’ for the purposes of the DPA” [3]. The information in scope is

(i) information processed, or intended to be processed, wholly or partly by automatic means (that is, information in electronic form usually on computer);
(ii) information processed in a non-automated manner which forms part of, or is intended to form part of, a
‘filing system’ (that is usually paper records in a filing system)

(Source) ICO “What is personal data? – A quick reference guide Data Protection Act 1998”

and Recital (27) of the Directive, and the GDPR, which carries it over in more readable form, says

The protection of individuals should apply to processing of personal data by automated means as well as to manual processing, if the data are contained or are intended to be contained in a filing system.
Files or sets of files as well as their cover pages, which are not structured according to specific criteria, should not fall within the scope of this Regulation.

which should be read as

(The protection of individuals should apply to processing of personal data) by
(automated means)
as well as
(to manual processing, if the data are contained or are intended to be contained in a filing system.)

That is, the scope is “personal data that is (processed by automated means) and (processed manually, where it is contained in, or intended to be contained in, a filing system)”, and the if-clause after the comma attaches to “manual processing”. Furthermore, the “filing system” here is not an information system but normally paper files [4]. And in the next sentence,

Files or sets of files as well as their cover pages, which are not structured according to specific criteria, should not fall within the scope of this Regulation.

“structured according to specific criteria” means “being searchable, for example by being sorted according to some criterion”, not “forms of the same format” or “records of the same format” [5].



by Nat at March 25, 2016 03:48 AM

March 11, 2016

Nat Sakimura

As expected of Kyoko Shimbun: the abnormality of today’s privacy violations as seen in “Edited albums, anonymous anthologies… the privacy wave reaches graduation mementos”

Kyoko Shimbun (虚構新聞) lives up to its name. The article published on March 11, 2016, “Edited albums, anonymous anthologies… the privacy wave reaches graduation mementos” [1], amid its humour, gets at the essence of privacy.

by Nat at March 11, 2016 04:32 AM

February 22, 2016

Nat Sakimura



家で楽譜の山を整理していたら、フリードリヒ・クーラウ(Firedrich Kuhlau, 1786/9/11-1832/3/12)のTrio in G op.119が出てきました。

クーラウというと、なんといってもソナチネ・アルバム。冒頭の曲がクーラウの『ソナチネ第1番ハ長調 op.20-1』なので、ピアノをやったことがある方々にはとても馴染み深いというかなんというか。ドソミソドソミソとアルベルティ・バスをI-IV-V-Iで繰り返している退屈な曲を書く作曲家みたいなネガティブな印象が強いのではないかと思います。幼心に、「あ〜」と思っていると、なかなか好きになれないものです。私もそうでした。




ところがです。46歳で亡くなる年に最後のフルート曲『トリオ ト長調 op.119』を書いているのですが、これがね、どういう風の吹き回しか、結構良い曲なんですね[1]。Youtubeにあるのだと、これが演奏としては良いかな…。

Another performance I like is by Toke Lund Christiansen, the foremost interpreter of Kuhlau's flute music, with William Bennett. Toke Lund Christiansen, a flutist of the Danish Radio Symphony Orchestra, was the first in the world to record Kuhlau's complete flute works. The tempo is much more relaxed than in the Bizjak/Zupan/Misumi performance above, which is not really to the taste of a speed-lover like me, but I like it because it brings out a different side of this piece well.

Kuhlau: Duos Opus 102, Trio Opus 119 (MP3 download)





by Nat at February 22, 2016 04:20 PM

February 16, 2016

HEART Implementer’s Drafts Approved

The OpenID Foundation members have approved of the following specifications as OpenID Implementer’s Drafts:

  • Health Relationship Trust Profile for OAuth 2.0
  • Health Relationship Trust Profile for OpenID Connect 1.0
  • Health Relationship Trust Profile for User Managed Access 1.0

An Implementer’s Draft is a stable version of a specification providing intellectual property protections to implementers of the specification.

The specifications are available at:

The voting results were:

  • Approve – 34 votes
  • Object – 1 vote
  • Abstain – 11 votes

Total votes: 46 (out of 204 members = 23% > 20% quorum requirement)

— Michael B. Jones – OpenID Foundation Board Secretary

by Mike Jones at February 16, 2016 01:35 AM

February 15, 2016

Nat Sakimura


As I announced earlier on Twitter and elsewhere, for OpenID BizDay #9 we are holding a seminar titled "Does blockchain really have practical value?". It takes place at Sola City in Ochanomizu, starting at 19:00.








by Nat at February 15, 2016 03:17 AM

February 14, 2016

Nat Sakimura


An article titled "The origin of tonteki... ah, so that's it! OK then, bifuteki too... what!?" came around on Facebook. (If you view this over https the quotation below is not displayed, presumably because the embed is blocked as mixed content, so please view it over http...)

トンテキの由来…あ、そういうことね! はいじゃあビフテキも…え!?


  • "Tonteki" is "ton" (pig) plus the "teki" of "bifuteki"
  • It is also known as a speciality of Yokkaichi City
  • I assumed "bifuteki" was an abbreviation of "beef steak", but
  • it actually comes from the French word bifteck, meaning steak (source: Nippon Ham [1]). Well, what a surprise!



According to that, bifteck is first attested on page 267 of Trad. Souvenirs de Paris, published in 1805[3], and that in turn comes from "Beef Steak", first attested in England in 1735. So, taking it one step further,

  • By the way, the French word bifteck was itself a coinage from the English "beef steak".


...but why do I even know this... orz




by Nat at February 14, 2016 03:57 PM

February 12, 2016

Vote Early and Often!

More often than not OpenID Foundation members vote with their feet. Members typically signal their interest in a topic or work group by participating on a spectrum from “leader to lurker” on a mailing list discussion or in a work group’s agenda setting. On important, rare occasions, real people have to cast real votes. Votes decide things in presidential elections or in standards development organizations like the OpenID Foundation.

Two elections just concluded in the OpenID Foundation. The Vote to Approve Implementer’s Drafts of OpenID HEART Specifications just passed after a successful “get out the vote” campaign by Work Group Chairs Deb Bucci and Eve Maler with help from Board Secretary Mike Jones. In the “sausage making” of standards development votes like these really matter.

The vote for the corporate board representative also just concluded with Dale Olds’ election. I asked Dale to share a few remarks about what we might expect from his leadership. He shared the following;

“I’m honored to be elected to the board of the OpenID Foundation. In the past few years VMware has become much more active in federated identity services, both with their own products and integrations with other vendors’ products. While I expect to primarily contribute to technical issues, I plan to use my position on the board to push for increased participation by VMware and AirWatch in working groups and events. With that said, I also recognize that my position is to represent the perspective of all the corporate members, not just VMware. I encourage other corporate members to contact me if they would like to voice a concern or if they desire an issue brought to the board’s attention. Looking forward to a productive term!”

Thanks to all who took the time to vote. The contribution of your time, talents and votes are the lifeblood of volunteer-driven organizations like the OpenID Foundation and as a result; solutions are improved, standards are strengthened and customers and end-users are better served.

Don Thibeau
The OpenID Foundation

by Don Thibeau at February 12, 2016 05:40 PM

February 11, 2016

Nat Sakimura




Incidentally, the pianist, Edoardo Brotto, is a photographer born in 1990. He has completed a master's degree as a pianist and appears to be doing post-master's studies. This recording is from 2014, and it seems he sends a birthday improvisation every year to, his girlfriend, I suppose? Lovely.


(source) Eduardo Brotto: Arched Milkyway




by Nat at February 11, 2016 11:50 AM

February 08, 2016

New OpenID Foundation Board Leadership

Thanks to all who voted for representatives to the OpenID Foundation Board of Directors. 

George Fletcher of AOL will begin a new two year term as the community member representative. His continued leadership on the Executive Committee ensures continuity on important initiatives like OpenID Connect Certification and his deep technical expertise will assist the new work groups that are in the pipeline.

Also, each year Corporate Members of the OpenID Foundation elect a member to represent them on the board. All corporate members were eligible to nominate, second and vote for candidates.  I am pleased to announce the election of Dale Olds to the OpenID Foundation Board. This will be Dale’s first time serving on the Board and he will bring a fresh perspective to complement his considerable technical and  business experience.

I’d like to thank Torsten Lodderstedt, of Deutsche Telekom, who has made important contributions during his tenure as a Director. Torsten has helped drive international outreach and led the resolution of complex security challenges. His continued Chairmanship of the MODRNA Working Group helps provide a clear path forward for OpenID Connect’s contribution to standards development on global mobile platforms.

I wanted to acknowledge all those who put themselves forward as candidates and those now serving. Board participation is a substantial investment of time and energy and requires diligent consensus building.

Please join me in thanking George and Dale as well as the other Directors for their service to the OpenID Foundation and the community at large.

by Don Thibeau at February 08, 2016 07:00 PM

February 06, 2016

Registration Now Open for OpenID Foundation Workshop on Monday, April 25, 2016

OpenID Foundation Workshops provide insight and influence on important internet identity standards. The workshop provides updates on the adoption of OpenID Connect across industry sectors. We’ll review progress on OpenID Connect Certification and gather feedback for planned Relying Party certification. Work Group Leaders will give an overview of MODRNA (Mobile Profile of OpenID Connect) as well as other protocols in the pipeline like RISC, HEART, Account Chooser, Strong Authentication and the new Financial API profile. Leading technologists from ForgeRock, Microsoft, Google, Ping Identity and others will lead the discussions to update key issues and discuss how they help meet social, enterprise and government Internet identity challenges.

This event precedes the IIW #22 Mountain View April 2016

Registration is at

The OpenID Foundation Workshop Agenda

  • Overview – Don Thibeau, Executive Director OpenID Foundation
  • OpenID Connect and the OpenID Connect Certification Program: Mike Jones
  • iGOV ( International Government Assurance Profile ): John Bradley
  • MODRNA ( Mobile OpenID Connect Profile): Bjorn Helm
  • Account Chooser: Pam Dingle
  • RISC ( Risk and Incident and Sharing Coordination): Adam Dawes
  • Strong Authentication Profile: Tony Nadalin
  • HEART ( Health Relationship Trust Profile): Eve Maler and Deb Bucci
  • Financial API Work Group (*Proposed): Nat Sakimura

Thank you to Microsoft for their directed funding support of this event.

Don Thibeau
The OpenID Foundation

by Don Thibeau at February 06, 2016 12:44 PM

February 05, 2016

Nat Sakimura

Another set of Happy Birthday variations

Last time I introduced one set of Happy Birthday variations; today, here is another. This one is set to more widely known pieces, so it may go down even better.

It is from the celebration of the first anniversary of the Qatar Symphony Orchestra: "Variations on Happy Birthday to You", composed by Peter Weiner.

The complete work is on Naxos.


Variations on Happy Birthday to You

» Variation 1: Handel
» Variation 2: Mozart
» Variation 3: Beethoven
» Variation 4: Schubert
» Variation 5: Rossini
» Variation 6: Bruckner
» Variation 7: Wagner
» Variation 8: Bizet
» Variation 9: Johann Strauss Sohn
» Variation 10: Blues und Dixie
» Variation 11: Johann Strauss Vater
» Variation 12: Happy Birthday



by Nat at February 05, 2016 11:48 AM

February 02, 2016

Nat Sakimura

If Nokia won't do, how about Happy Birthday?

So, Ensemble Mega Ne: however good they are, FamilyMart plus JR won't get them out into the world, so yesterday I considered the Nokia ringtone, but concluded that taking on Tárrega's original head-on was a losing proposition. Is there nothing else, then? A tune that everyone knows? Of course there is: "Happy Birthday". Everyone knows that one.

But, you know, there is already a famous set of variations on it: the Happy Birthday Variations by Peter Heidrich (1935). It consists of 14 variations in all, travelling from the Baroque through the Classical and Romantic periods, film music, jazz and tango, and closing with a csárdás, a structure that lets you survey the history of Western music.

  • Theme
  • Variation 1 (after J.S. Bach – in the style of 4-part chorale)
  • Variation 2 (after J. Haydn’s String Quartet No. 62 in C Major, Op. 76, No. 3, Hob.III:77, “Emperor”)
  • Variation 3 (after W.A. Mozart’s String Quartet No. 19 in C Major, K. 465, “Dissonance”)
  • Variation 4 (after L. van Beethoven’s String Quartet No. 8 in E Minor, Op. 59, No. 2, “Rasumovsky”)
  • Variation 5 (after R. Schumann’s String Quartet No. 3 in A Major, Op. 41, No. 3)
  • Variation 6 (after J. Brahms’ String Quartet No. 3 in B-Flat Major, Op. 67)
  • Variation 7 (after R. Wagner’s Siegfried Idyll in the style G. Abraham’s string quartet version)
  • Variation 8 (after A. Dvorak’s String Quartet No. 12 in F Major, Op. 96, “American”)
  • Variation 9 (after M. Reger’s String Quartet in E-Flat Major, Op. 109)
  • Variation 10 (in the style of Viennese music)
  • Variation 11 (in the style of film music)
  • Variation 12 (in the style of jazz)
  • Variation 13 (in the style of tango)
  • Variation 14 (in the style of Hungarian music)


  1. Theme (1:04)
  2. Variation 2, Haydn style (1:43) [String Quartet No. 62 in C Major, Op. 76, No. 3, Hob.III:77, “Emperor”]
  3. Variation 4, Beethoven style (3:03) [String Quartet No. 8 in E Minor, Op. 59, No. 2, “Rasumovsky”]
  4. Variation 13, tango style (4:14)
  5. Hungarian-style cadenza, with a momentary Nokia
  6. Variation 14, csárdás style (6:26)





A complete recording by the Venice String Quartet is available on Naxos →



by Nat at February 02, 2016 11:01 PM

Nat Sakimura

Setting up name-based HTTPS virtual hosts (SNI) with Let’s Encrypt

Let’s Encrypt is a free TLS server certificate service provided by the Internet Security Research Group (ISRG), a US foundation. Its motto is free, automated, secure, transparent, open and cooperative, and the foundation itself is a 501(c)(3) non-profit[1]. Looking at the Technical Advisory Board, friends such as Joe Hildenbrand and Karen O’Donohue are listed. Some of my other sites have supported TLS for a while, but, being stingy about certificate costs and finding the setup a hassle, I had never enabled TLS on nat.sakimura.org and others. Now that something like this has appeared, there are no more excuses. So let’s set it up.

Installing Let’s Encrypt

To set it up, Let’s Encrypt must first be installed. Some Linux distributions seem to provide it as a package, but the Ubuntu release I am using does not include Let’s Encrypt, so it has to be installed first. Installation begins with fetching the files from GitHub using git.

$ git clone
$ cd letsencrypt
$ ./letsencrypt-auto --help

Oops, lots of errors. It seems Python is too old. What is installed is Python 2.7, which apparently has various problems, such as lacking SNI support. So let’s install Python 3. I installed python3.4-venv with aptitude.


$ ./letsencrypt-auto --help

Updating letsencrypt and virtual environment dependencies......
Requesting root privileges to run with virtualenv: sudo /home/nat/.local/share/letsencrypt/bin/letsencrypt --help

  letsencrypt-auto [SUBCOMMAND] [options] [-d domain] [-d domain] ...

The Let's Encrypt agent can obtain and install HTTPS/TLS/SSL certificates.  By
default, it will attempt to use a webserver both for obtaining and installing
the cert. Major SUBCOMMANDS are:

  (default) run        Obtain & install a cert in your current webserver
  certonly             Obtain cert, but do not install it (aka "auth")
  install              Install a previously obtained cert in a server
  revoke               Revoke a previously obtained certificate
  rollback             Rollback server configuration changes made during install
  config_changes       Show changes made to server config during installation
  plugins              Display information about installed plugins

Choice of server plugins for obtaining and installing cert:

  --apache          Use the Apache plugin for authentication & installation
  --standalone      Run a standalone webserver for authentication
  (nginx support is experimental, buggy, and not installed by default)
  --webroot         Place files in a server's webroot folder for authentication

OR use different plugins to obtain (authenticate) the cert and then install it:

  --authenticator standalone --installer apache

More detailed help:

  -h, --help [topic]    print this message, or detailed help on a topic;
                        the available topics are:

   all, automation, paths, security, testing, or any of the subcommands or
   plugins (certonly, install, nginx, apache, standalone, webroot, etc)




$ ./letsencrypt-auto --apache







I have a feeling I really should choose Secure (= HTTPS only), but then the Facebook “Like” counts that my past articles have accumulated would drop to zero, which would be sad, so I choose Easy (= serve both HTTP and HTTPS). Note that with Easy every page stays reachable over plaintext HTTP as well, so this is a choice worth revisiting.

(Figure 3) Completion screen. You are prompted to test the result with Qualys SSL Labs.

With just that, the TLS certificate is installed and the web server is configured. Amazing. I thought I would have to write a lot of Apache configuration, but it seems to have done all of it automatically. Looking in /etc/apache2/sites-enabled, there are new configuration files named “domain-name-le-ssl.conf”. From the look of them, if you have several virtual hosts, it uses each host’s HTTP configuration file to generate the SSL configuration file automatically.


The final touch is to go to the Qualys site and check the TLS configuration. As in the figure above, enter the host name and run the test. The result for this site looked like this.

(Figure 4) Qualys SSL Report for this site



Using Let’s Encrypt for the first time, I was impressed by how convenient it is. It makes you wonder what all the TLS setup up to now was for. There can no longer be any excuse for not using TLS.

On the other hand, I also felt that using it smoothly requires some preparation in advance. The main example: even for a bare domain name that you do not intend to be accessed as a server, it is better to set up a web server for that name too and run Let’s Encrypt on it. (Qualys called this “Confusing”.) Certificates obtained from Let’s Encrypt are valid for a little under three months, so I intend to fix this before the next renewal. Automatic renewal comes after that.
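Two checks follow naturally from the steps above: confirming which names the issued certificate covers, and knowing when the roughly 90-day certificate needs renewing. The helpers below are an added example and are not code from the original post or from the Let’s Encrypt client; they assume a POSIX shell and the openssl CLI (1.1.1 or later), and every path and host name in them is a placeholder.

```shell
#!/bin/sh
# Added example (not code from the original post or from the Let's Encrypt
# client): small helpers around the openssl CLI for the two things a
# name-based (SNI) HTTPS setup needs once letsencrypt-auto has run, namely
# confirming which names a certificate covers and deciding when to renew it.
# Assumes a POSIX shell and openssl 1.1.1 or later; every path and host name
# below is a placeholder.
set -eu

# Print the subject and the DNS SubjectAltNames of the PEM certificate in $1,
# e.g. /etc/letsencrypt/live/<domain>/cert.pem. A name that is missing here
# produces a certificate-name mismatch in the browser, however the virtual
# host is configured.
cert_names() {
    openssl x509 -in "$1" -noout -subject -text | grep -E '^subject=|DNS:'
}

# Connect to host $1 on port 443, sending $2 as the SNI server name (defaults
# to $1), and print the names on the certificate the server actually returns.
# Run it once per virtual host: with several name-based hosts on one address,
# a name that is handed the default host's certificate shows up immediately.
# Needs network access, so it is not exercised by the offline test.
served_cert_names() {
    host="$1"
    name="${2:-$1}"
    openssl s_client -connect "$host:443" -servername "$name" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -text | grep -E '^subject=|DNS:'
}

# Return 0 when the certificate in $1 expires within $2 days (default 30),
# i.e. when it is time to renew, and 1 while it is still good for longer.
# Let's Encrypt certificates last about 90 days; renewing with 30 days left
# leaves room for a failed attempt. openssl's -checkend exits 0 only if the
# certificate is still valid after the given number of seconds, so no date
# parsing is needed.
needs_renewal() {
    days="${2:-30}"
    if openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null; then
        return 1
    fi
    return 0
}
```

A cron job can call needs_renewal on each live certificate and re-run letsencrypt-auto when it returns 0; running served_cert_names against each virtual host name is the check that confirms the generated per-host -le-ssl.conf files really serve the matching certificate rather than the default host’s.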



by Nat at February 02, 2016 02:57 PM

February 01, 2016

Nat Sakimura


Now, I was greatly impressed by Ensemble Mega Ne's "Variations on a theme of FamilyMart [woodwind quartet + piano]" and "Contrapuntal piece on the theme of the Yamanote Line", but when it comes to going global, FamilyMart and JR themes just won't do. The target audience is too narrow. They need to do it with a melody everybody knows; so what would be good?




With this, Ensemble Mega Ne could win. I would love to see them do it, but there is another really good one: the Gran Vals (Grand Waltz) by Francisco Tárrega (1852–1909), the great Spanish composer of the late 19th and early 20th centuries who wrote the famous guitar piece "Recuerdos de la Alhambra". What? "Were there Nokia mobile phones in the 19th century?" Of course not. The Nokia ringtone took its melody from this Gran Vals.




by Nat at February 01, 2016 05:33 PM

January 30, 2016

Nat Sakimura


This is today's hit: a video uploaded on 2016/1/25 and viewed nearly 150,000 times in five days[1]. It is a work by Ensemble Mega Ne.


Published 2016/01/25

1. Theme
2. Monophony
3. Counterpoint
4. Baroque sonata
5. Mozart
6. Beethoven
7. Haydn
8. Classical recitative
9. Weber
10. Schubert
11. Chopin
12. Dvořák
13. Brahms
14. Mussorgsky
15. Debussy
16. Ravel
17. Satie
18. Rachmaninoff
19. Stravinsky
20. TV drama ending
21. Movie trailer



by Nat at January 30, 2016 10:24 PM

January 19, 2016

Nat Sakimura





The privacy of the dead issue is a good topic for bringing out the difference between compliance with the Act on the Protection of Personal Information and the protection of privacy, and the gap between human rights and privacy. At the same time, a situation like the present one, in which episodes about the victims are reported one after another, is a good occasion to reconsider the relationship between what the mass media call "freedom of speech" and "privacy".










[Figure 2] Self-view, others' view, and privacy

Third parties who have watched this may realise that, when a person dies, the relationships built in life collapse, and may feel anxious and become unhappy as a result. One challenge would be to treat the protection of this as a legal interest and derive #privacy-of-the-dead from human-rights provisions.

Another approach might be to derive it by analogy from why wills are recognised. I would like legal scholars to give the #privacy-of-the-dead issue some thought, including the viewpoints above.





by Nat at January 19, 2016 03:49 PM

January 14, 2016

Leaders Lead

The inaugural meeting of the iGov Working Group took place on Wednesday, January 14th where three co-chairs were elected by acclamation. John Bradley of Ping Identity, Paul Grassi of the US NIST and Adam Cooper of the UK Cabinet Office Identity Assurance Program are the elected co-chairs. Acclamation may be a bit strong describing an electoral process closer to being shanghaied. All the same, all of us know leadership is a classic key success factor.

However leaders emerge, they are essential to success especially in the “sausage making” of standards development. The configuration of iGov’s leadership is intentional. The leaders map onto the WG’s mission: John’s Chilean/Canadian identity together with his unique technical chops; together with Paul Grassi’s past pedigree and present position in the US Government; together with Adam Cooper’s architectural expertise that stretches into European standards and schemes form iGov’s leadership team.

Leaders lead and we look to these men to manage the process and lead work group contributors to a common goal. Please consider joining this effort. The work group’s goal is to have a common deployment profile that can be customized for the needs of both public and private sector deployments in multiple jurisdictions that may require the higher levels of security and privacy protections that OpenID Connect currently supports. The resulting profile’s goal is to enable users to authenticate and share consented attribute information with public sector services across the globe.

The full draft charter is available at

by Don Thibeau at January 14, 2016 09:52 PM

January 10, 2016

Kaliya Hamlin

20th She's Geeky!!! Jan 29-30th Mountain View

I’m super excited about the 20th She’s Geeky Unconference coming up January 29th and 30th in Mountain View.

I’m going to be facilitating. So it will be extra fun.

To celebrate our 20th She’s Geeky we are offering a special 20% off the ticket price; register with the discount code: MYGIFT20. Can’t commit to two days? The MYGIFT20 code is also valid for one-day registrations. To register go to

Here is a flyer for you to print out for your office.


About She’s Geeky:

Inspiring each other, creating vital networks, and sharing skills are the backbone of our events. Without places to re-energize and networks that support them, women who have done the hard work of developing their skills to work in STEM may drop out after just a few years in their field. We want to improve the situation of women in STEM fields, increase retention rates, and create a place for women to discuss the topics that are meaningful to them.

Women attending She’s Geeky events find the inspiration necessary to continue on STEM career paths because they are given the opportunity to present their work, discuss critical issues and build peer networks for support.

We work with and promote existing activities and organizations in regions around the country.
She’s Geeky is a neutral event that supports connection between different geeky cultures by using a format where the agenda is created live at the event by the women in attendance.

It’s more fun with a friend! Please invite your friends who might enjoy She’s Geeky!

Email for more info on:

• Student and Teacher Discount.
• A limited number of volunteer opportunities are available.
• Sponsorships! Sponsors are eligible for free and discounted tickets.
• Group Buys! Got ten or more women who want to attend?

by Kaliya Hamlin, Identity Woman at January 10, 2016 11:40 PM

Nat Sakimura



Rattle-Hannigan: Ligeti - Mysteries of the Macables

(Source) 9Post

Look, the one conducting is Sir Simon Rattle[1], the foremost conductor of our day, not Barbara Hannigan[2]. The "schoolgirl" is Barbara Hannigan, the Canadian-born leading exponent of contemporary opera, aged 44. The piece is "Mysteries of the Macabre" (1992)[4], arias from the opera "Le Grand Macabre" (1974–77, revised in 1996) by the great 20th-century composer György Ligeti[3], extracted for concert performance. This is the London Symphony Orchestra's concert of January 15, 2015.



I have loved Ligeti ever since hearing "Lontano" played by the Orchestre de Paris at the Salle Pleyel in Paris in 1981, when I was in high school. Among the recordings that are easy to get hold of these days, I think the one with Jonathan Nott conducting the Berlin Philharmonic is good.



by Nat at January 10, 2016 04:29 AM

January 04, 2016

Nat Sakimura



With the Minimal Xpert theme, links from the post list stop working.

On a music site I run myself[1], I noticed that links had stopped working. It is probably due to a recent WordPress update, since the Minimal Xpert theme[2] has not been revised in over four years. Digging in, I found the bug in post-entry.php. Looking inside the file, there is (WordPress 4.4 added an optional $post argument to the_permalink(), which is presumably why the stray ' ' now breaks the link)

the_permalink(' ')






When showing "Excerpts" in the post list, the length is often not to your liking. This can be adjusted by editing the functions.php[3] of the theme you use. Specifically, edit the function st_custom_excerpt_length(), or add it if it does not exist. The return value of this function becomes the number of characters in the excerpt.

function st_custom_excerpt_length($length) {
    return 80;
}
// Needed only if the function is newly added: hook it into the excerpt_length filter.
add_filter('excerpt_length', 'st_custom_excerpt_length', 999);




This came out of trial and error, so it needs re-verifying, but roughly the following should work. Edit #gazou in wp-content/themes/stinger6/styles.css. I did it as follows. The percentage value for height is for mobile display[5] and to avoid a fixed size on PC. (The highlighting is only there for emphasis.)

#gazou {
    margin: 0px 0px 10px;
    height: 15%;
    overflow: hidden;
}


Google Analytics settings



Installing SNS Count Cache apparently makes the share counts appear after a while. I have only just installed it, so I have not seen the effect yet.



For this I used the "All in One SEO Pack" plugin[6]. The All in One SEO settings are mostly self-explanatory; clicking the "?" on each item gives a rough explanation.

However, the key thing, "showing a specified image from the post when it is shared", does not work just by installing it. For that, the Social Meta feature must be activated.

Clicking "All in One SEO" in the left-hand menu of the site dashboard shows a submenu beneath it. Click "Feature Manager" at the bottom, and "Social Meta" appears on the right; activate it. Each post then gets a "Social" tab, where you can set things as needed.


The WPtouch Mobile Plugin[7] looks rather slick; the result is like the figure below. The Japanese in its settings screen, however, is quite hard to follow, whereas the English is straightforward. In the end I installed it on my English site first and configured the Japanese site while referring to those settings.


Displayed using WPtouch Mobile.


For this I use the "Easy Footnotes" plugin[8]. What is nice about Easy Footnotes is that hovering the mouse over a footnote link shows the footnote text as a tooltip. It also numbers the footnotes automatically, of course.



This brings up the plugin editor. Look for the function "public function easy_footnote_shortcode($atts, $content = null)". Inside it is:

$footnoteContent = "<span id='easy-footnote-".$this->footnoteCount."' class='easy-footnote-margin-adjust'></span><span class='easy-footnote'><a href='".$footnoteLink."' title='$content'><sup>$this->footnoteCount</sup></a></span>";

Change it to:

$footnoteContent = "<span id='easy-footnote-".$this->footnoteCount."' class='easy-footnote-margin-adjust'></span><span class='easy-footnote'><a href='".$footnoteLink."' title='$content'><sup>[$this->footnoteCount]</sup></a></span>";

Note that in both versions $content is written into the title attribute without escaping; if footnote text can contain quotes or markup, it should be passed through esc_attr() first.



by Nat at January 04, 2016 05:54 PM

Announcing The OpenID Foundation Individual Community Board Member 2016 Election

The OpenID Foundation plays an important role in the interoperability of Internet identity. This is to announce the OpenID Foundation Individual community board member 2016 election schedule. Those elected will help determine the role the Foundation plays in facilitating the adoption of open identity standards.

Per our bylaws, Individual community Members elect three (3) board members to represent them.

George Fletcher’s term is expiring this year. Mike Jones and John Bradley have 1 additional year on their 2 year terms. I want to thank George for his service to the OIDF and the community at large. George is eligible to seek re-election and has indicated that he intends to nominate himself for another term.

The Individual community board member election will be conducted on the following schedule:
• Nominations open: Monday, January 4, 2016
• Nominations close: Monday, January 18, 2016
• Election begins: Wednesday, January 20, 2016
• Election ends: Wednesday, February 3, 2016
• Results announced by: Wednesday, February 10, 2016
• New board terms start: Wednesday, February 24, 2016

Times for all dates are Noon, U.S. Pacific Time.

All members of the OpenID Foundation are eligible to nominate themselves, second the nominations of others including those who self-nominated, and vote for candidates. If you’re not already a member of the OpenID Foundation, we encourage you to join now at

Voting and nominations are conducted using the OpenID you registered when you joined the Foundation. If you are already a member, you have received an email from me at advising you that the election is open and how to participate. You will need to log in with your OpenID membership credentials at to participate in nominations and voting. If you experience problems participating in the election or joining the foundation, please send an email to right away.

Board participation requires a substantial investment of time and energy. It is a volunteer effort that should not be undertaken lightly. Should you be elected, expect to be called upon to serve both on the board and on its committees. If you’re committed to open identity standards and work well with others, we encourage your candidacy. The OIDF’s Executive Committee suggests a few questions candidates may want to publicly address in their candidate statements:

1. What are the key opportunities you see for the OpenID Foundation in 2016?
2. How will you demonstrate your commitment in terms of resources, focus and leadership?
3. What would you like to see accomplished in 2016; how do you personally plan to make this happen?
4. What other resources can you bring to the foundation to help the foundation attain its goals?
5. What current or past experiences, skills, or interests will inform your contributions and views?

Candidates can address these questions in their election statements on various community mailing lists, especially Please forward questions, comments and suggestions to me at


Don Thibeau
Executive Director
The OpenID Foundation

by jfe at January 04, 2016 04:11 PM

December 11, 2015

Review of Proposed Implementer’s Drafts of HEART Specifications

The OpenID HEART Working Group recommends approval of the following specifications as OpenID Implementer’s Drafts:

  • Health Relationship Trust Profile for OAuth 2.0
  • Health Relationship Trust Profile for OpenID Connect 1.0
  • Health Relationship Trust Profile for User Managed Access 1.0

An Implementer’s Draft is a stable version of a specification providing intellectual property protections to implementers of the specification. This note starts the 45-day public review period for the specification drafts in accordance with the OpenID Foundation IPR policies and procedures. This review period will end on Sunday, January 24th, 2016. Unless issues are identified during the review that the working group believes must be addressed by revising the drafts, this review period will be followed by a seven-day voting period beginning on Monday, January 25th, 2016 during which OpenID Foundation members will vote on whether to approve these drafts as OpenID Implementer’s Drafts. For the convenience of members, voting may begin up to two weeks before Monday, January 25th, with the voting period still ending on Monday, February 1st, 2016.

The specifications are available at:

The HEART working group page is Information on joining the OpenID Foundation can be found at If you’re not a current OpenID Foundation member, please consider joining to participate in the approval vote.

You can send feedback on the specifications in a way that enables the working group to act upon your feedback by (1) signing the contribution agreement at to join the working group (please specify that you are joining the “HEART” working group on your contribution agreement), (2) joining the working group mailing list at, and (3) sending your feedback to the list.

— Michael B. Jones – OpenID Foundation Board Secretary

by Mike Jones at December 11, 2015 02:25 AM

November 16, 2015

KDDI joins Verizon and Deutsche Telekom to set the direction for OpenID Connect on mobile platforms

The Japanese Mobile Network Operator and market leader KDDI has joined the Board of Directors of the OpenID Foundation. KDDI joins Verizon and Deutsche Telekom as global telco giants helping set the direction for OpenID Connect on the platform of choice: the mobile device. KDDI’s leadership comes at an opportune time as the MODRNA Working Group (Mobile Operator Discovery Registration and Authentication), which is developing a profile of OpenID Connect for MNOs providing identity services for RPs (Relying Parties), is rapidly building consensus on optimizing global interoperability.

KDDI brings practical user experience across a broad range of relying party applications. KDDI will leverage OpenID Connect throughout its “AU ID” platform including “AU Smart Pass,” “AU Wallet Market,” as well as a portfolio of settlement services on prepaid cards and credit cards for a user base of over 25 million customers. KDDI’s input, like that of other OIDF members like the GSMA, is critical to building reliable, flexible and scalable deployments.

KDDI’s announcement was a highlight of the OpenID Foundation Japan Conference, a gathering of almost 500 developers, technologists and business leaders in Tokyo. Experts from Google, Microsoft, Ping Identity and others led an in-depth review of the status of each OpenID Foundation working group and conducted hands-on self-certification testing workshops. A series of presentations highlighted the linkage of technical protocols with trust framework governance rules. OpenID Foundation Japan is planning new initiatives around localization of documentation and a new wave of OpenID Connect self-certifications by members large and small in early 2016.


The signers: Don Thibeau, ED of OIDF, and Yasuhide Yamamoto, Executive Officer of KDDI.



by jfe at November 16, 2015 02:18 PM

November 14, 2015

Nat Sakimura

Pray for France – the Paris coordinated terror attacks – what to do during a terror attack




US President Obama issued a statement that "this is an attack not just on the people of Paris or France, but on all of humanity and the values we share: liberty, equality, fraternity"[2], and leaders of other countries have issued statements one after another[3]. One World Trade Center, built on the site of the 9/11 attacks, has lit its antenna in the French tricolour as a call for solidarity. Will Tokyo Skytree do the same tonight...[4]




  • Stay away from windows. (You could be shot by police or soldiers who take you for a terrorist or insurgent.)
  • Do not even think about filming outside with a camera. (You will be taken for someone aiming through a scope and shot.)
  • Do not go anywhere that can be seen through a window. (You will be hit by stray bullets.)
  • Choose where to stay with the range of ricochets in mind.
  • When a firefight is possible, drop flat immediately. (Especially when friendly forces storm in.)
  • Even if what looks like an acquaintance's car arrives, the occupants may be someone else, so do not open gates or doors unless you are certain.
  • Get your information from trustworthy sources.



Official information is available from .



by Nat at November 14, 2015 03:29 AM

November 10, 2015

Kaliya Hamlin

Grace Hopper Celebration and Presentation – Ethical Market Models.

In mid-October I had the opportunity to attend the Grace Hopper Celebration for Women in Computing for the first time.

Here is a link to the paper that I presented – MarketModels-GHC Here are the slides

I also had the pleasure of working on a Birds of a Feather session with Roshi from Google – she works on their identity team and was the one who asked me to work on the session with her, along with encouraging me to submit a proposal for a lightning talk.
We had a great discussion about the internet of things and considering various ideas about what internet of things things…we might invent and how we might identify ourselves to them.
The conference is really a giant job fair for undergraduate women CS majors. There is not a lot there for mid-career women; all of the ones I spoke to felt this way. I realize that if I were a young woman at a CS department where almost everyone is a man, attending this event would make me feel like the whole world had opened up and anything was possible.
The event made me more committed to putting energy into helping She’s Geeky expand and serve more cities and more women and particularly those who are at high risk of leaving the industry – those who have been in the industry for around 10 years.

by Kaliya Hamlin, Identity Woman at November 10, 2015 02:51 AM

Kaliya Hamlin

Thinking Ahead: Sean some people did…you didn't.

So the Guardian is reporting on Sean Parker's remarks at the Techonomy conference.

Thinking ahead.

“None of us could possibly have understood what it would mean to have a billion or two billion people potentially using these platforms regularly,” said Parker. “That wasn’t something that factored into anyone’s analysis in the starting of these companies. You just want to be a successful company. You want to understand the mechanisms that work, you want to play into them, you want to reinforce them, you want to be a successful company.”

It is refreshing to hear some self-reflection, after the fact, about the consequences of building a social platform driven by profit, with an incentive to get people to engage with it, personal and social costs be damned.

I think people did foresee and could understand some of the negative effects he is discussing – the problem is that they just were not in the mix of young men founding these companies at the time. The fact is that the narrow demographic of who was empowered with funds to create these systems (by men like Sean Parker and Peter Thiel), and who they subsequently chose to hire and listen to early on (read The Boy Kings to get the inside scoop on that), speaks volumes about what was built.

As a side note, I developed an outline for building a distributed social network for spiritual activist leaders and their followers in 2003-4. I even raised $35,000 and had two prototypes built in Drupal. I like to think that if I had gotten funding beyond that and had the chance to develop the vision, we would have been thinking about the social consequences.

Communities considering the future of social tools and online communities did think thoughtfully about the future and how things could play out and what was needed to support things evolving well from a user-centric perspective.  A great starting point published in 2003 is the Augmented Social Network: Building Identity and Trust into the Next Generation Internet.

by Kaliya Hamlin, Identity Woman at November 10, 2015 02:39 AM

November 05, 2015

Building on What’s Built: OpenID Certification Momentum

At the OpenID Certification Launch in April 2015, 6 organizations had certified 8 OpenID Connect Provider implementations for 21 conformance profiles. Now, as you can see at, 14 organizations and individuals have certified 16 OpenID Connect Provider implementations for 48 conformance profiles. The OpenID Foundation has championed self-certification as an important new trust building mechanism that can operate at Internet scale, and it’s working well.

The new certifications represent a broad set of industries and application areas: large companies like Deutsche Telekom – a leading European mobile operator, and small companies like Privacy Vaults Online (PRIVO) – which manages parental consent for children’s online access. This latest wave of certifications includes more from Microsoft – certifying their on-premises identity software, as well as developers like Cal Heldenbrand – in the real estate industry, and Dominick Baier, Brock Allen, Michael Schwartz, Justin Richer, and Roland Hedberg, each certifying their open source identity software. Congratulations to all for their achievements and for advancing interoperable digital identity across international borders and industry sectors.

Keep those certifications coming! Meanwhile, the ability to self-certify OpenID Connect Relying Parties is being finalized in anticipation of pilot RP certifications in 2016.

Don Thibeau
OpenID Foundation Executive Director

by Don Thibeau at November 05, 2015 07:28 AM

October 22, 2015

Announcing the OIDF iGov Working Group

A recent US NIST announcement describes the newly formed OIDF International Government Assurance Profile (iGov) Working Group which is an international public and private sector collaboration that will develop an interoperable profile of OpenID Connect to allow users to authenticate and share consented attribute information in a consistent and user-centric manner. With over 10 international governments and multiple private sector organizations already participating, iGov will help enable secure and privacy-enhancing authentication and authorization transactions based on common requirements from the global community. The iGov WG Page is set up at: The link to subscribe to the mailing list is:

Those interested in participating will need to submit signed IPR agreements indicating the iGov Profile WG. The link to the IPR agreement is at The IPR agreement can be submitted online via DocuSign. IPR agreements have been received from NIST, Ping, and Microsoft. Once interested parties and OIDF members have signed up they will need to approve the iGov charter. Document contributions to the Working group should be sent to the mailing list, and then can be added to our official document repository.

by jfe at October 22, 2015 09:58 PM

October 18, 2015

Nat Sakimura

Risk Management and Technology: A string of "biometric authentication card" frauds, 20 times the ATM withdrawal limit (Tokyo Metropolitan Police Department)

  • In March, a fraud group phoned the home of a woman in her 70s in Tokyo, asking her to "lend her name to purchase corporate bonds for a nursing home," and the woman agreed.
  • Next, they demanded money to "settle the trouble," claiming that lending one's name is a crime.
  • Following the instructions given over the phone, the woman had a biometric-authentication cash card issued at a financial institution, withdrew a total of about 6 million yen in cash from ATMs, and was defrauded of it.

Copyright © 2016 @_Nat Zone All Rights Reserved.

by Nat at October 18, 2015 06:54 AM

October 13, 2015

Nat Sakimura

Pre-IIW OpenID Workshop @ Mountainview (2015/10/26)


OpenID Foundation Workshop before Fall 2015 IIW Meeting

Hosted by Symantec for the OpenID Foundation

Monday, October 26, 2015 from 11:00 AM to 6:00 PM (PDT)

The first meetings of the iGov WG and of the SAP (Strong Authentication Protocol) WG, which examines combining "Strong Authenticators" such as FIDO authentication methods with Connect, will also be held here.

Planned Agenda:

11:00 – 11:30   Introduction – Don Thibeau
11:30 – 12:00   OpenID Connect – Mike Jones, John Bradley
12:00 – 01:00   Lunch
01:00 – 02:00   OpenID Connect Conformance Testing – Mike Jones and Roland Hedberg, UMEA University
02:00 – 02:30   iGOV Profile of OpenID Connect – John Bradley, et al.
02:30 – 03:00   MODRNA (Mobile OpenID Connect Profile) – Torsten Lodderstedt, John Bradley
03:00 – 03:30   Break
03:30 – 04:00   Account Chooser – Pamela Dingle
04:00 – 04:30   RISC – Adam Dawes
04:30 – 05:00   Native Applications – Paul Madsen
05:00 – 05:30   Health Relationship Trust Profiles (HEART) – Deb Bucci, Eve Maler


by Nat at October 13, 2015 04:17 AM

October 12, 2015

OpenID Connect’s Real Estate Identity

One of the sure signs of adoption momentum is when other standards organizations, particularly those not typically involved in online identity, implement OpenID Connect and leverage self certification throughout their networks. A new member, Cal Heldenbrand shared the context for a new deployment and the value of self certification in his notes below:

“The Real Estate Standards Organization (RESO) is tasked with the difficult goal of standardizing all of the real estate data in the US and Canada. This includes the data payload, the fields, formats, transport mechanism, and authentication/authorization. This is effectively called the Real Estate Transaction System (RETS). RETS is a 16 year-old standard based on XML, and every real estate website uses it.

The world has changed quite a bit since 1999, and we needed something new and easy to use. Mobile friendly, and developer friendly. The initial learning curve for RETS can be a little daunting, and we want to attract new software companies and developers to our industry. We’ve created the RESO RETS Web API to make life a little easier in the real estate sector. The data transport is using OData V4. On the auth side, we started using OAuth2 around January 2014. At that time, OpenID Connect was very cool looking, but I was hesitant to recommend it to RESO until it was a fully finalized, ratified standard.

There are hundreds of software companies working together in our industry. Writing an interoperable OAuth2 protocol using the framework was difficult. Since there is no OAuth2 standard, it seems like every major installation in the world has their own spin on it. That’s bad. It also meant that I couldn’t just copy how someone else did it, I had to make our own.

Plus, the absence of endpoint metadata means we have to document where everything lives, then ask clients to hard code URLs for every OAuth2 provider. It’s a lot of busywork for a developer to add a new IdP to a software installation.

After OpenID Connect became a finalized standard, I gave a presentation to RESO showing how one website in our industry could accept identities from Google, Microsoft, Amazon, and also from our own OpenID Connect Provider, Spark Platform. Since it’s an actual protocol standard, we could simply plug in IdPs with a small configuration change, and the OpenID Connect client libraries would handle the rest. That’s really powerful. We’re used to SSO integrations taking weeks to complete. With OpenID Connect, that turns into minutes.

One suggestion I do have though — I’d like to see the Discovery specification be part of the required Core. It’s such a simple piece to write, and very integral in the grand scheme of what makes OpenID Connect easy to use.

The certification process was pretty easy as well. I was expecting it to be more intensive! Our environment is Ruby on Rails, and I used Nov’s openid_connect Ruby gem for constructing ID Tokens. Other than that, my Provider is written from scratch. It took me about 2 weeks to have a very simple provider running for demo purposes. Then another 2 weeks to have it fully compliant with the certification tools. This is also alongside my usual day job tasks of web operations. I’d have to say this was a breeze compared to the old OpenID 2.0.

Thanks for making a great standard!”

And thanks to Cal and the Real Estate Standards Organization (RESO) team for sharing their use case and feedback.

Don Thibeau
The OpenID Foundation

by jfe at October 12, 2015 01:23 PM

October 06, 2015

Nat Sakimura

  1. A person claiming to be from a public consultation desk gives the woman a fake My Number over the phone.
  2. Another man asks her to "lend him her My Number," and she tells him.
  3. The next day, he demands a cash payment, claiming that "disclosing a My Number constitutes a crime." The woman pays several million yen by mail and in person.

[1] Consumer Affairs Agency, "Beware of fraudulent solicitations and collection of personal information that exploit the My Number system!" (2015/10/6)


by Nat at October 06, 2015 03:34 PM

September 30, 2015

Nat Sakimura

I will speak at the 5th Symposium on Biometrics, Recognition and Authentication on November 13

On the coming Friday, November 13, from 15:50, I will give a talk at the "5th Symposium on Biometrics, Recognition and Authentication".


Privacy Trust Frameworks and the Personal Data Utilisation

The Act on the Protection of Personal Information has been amended for the first time in 12 years. Although the amended act clarified the definition of personal information by introducing the concept of personal identification codes, handling according to the risk of the privacy impact of each type of personal information has, apart from the provisions on sensitive personal information, been deferred to the revision scheduled three years from now. On the other hand, handling personal information is not just a matter of looking at the Act on the Protection of Personal Information: beyond complying with other laws and regulations, efforts are also needed to avoid public backlash. For that, ensuring transparency and accountability in handling is essential. Privacy trust frameworks, which label how information is handled according to its risk, can be a help in achieving this, and future efforts in this direction are anticipated.

The Symposium on Biometrics, Recognition and Authentication in Tokyo is a symposium for biometrics and related research fields, held November 12 to 13 at the Takeda Frontier Science Building, Hongo Campus, University of Tokyo. Details are available here[1], so please join us.

[1] 5th Symposium on Biometrics, Recognition and Authentication


by Nat at September 30, 2015 05:53 AM

September 26, 2015

Nat Sakimura

UPQ Phone A01 unboxing → uh-oh, the Giteki mark → the recall episode

The UPQ Phone A01 arrived about a month later than originally expected.

The battery is Chinese-made. The label says Made in PRC rather than Made in China. I learned only now that PRC = People’s Republic of China. I have read that they started using PRC because things don't sell labelled "Made in China," but who knows.

The point of interest is the Giteki (technical conformity) mark. It was obtained from the Certification Technology Support Center (018), and the part circled in red below reads D15-0035018. The leading letter indicates the type of terminal that received certification.[1]

So I booted it up without inserting a SIM. A rather cool screen; the "Designed in Tokyo" is nice. This starts from black and cycles through various colors.


Incidentally, after booting I expected an initial setup screen to appear with lots of things to configure, but nothing of the sort happened and it just started right up. After setting up a Google account and an email account, it is at least usable as a data terminal. So that's it for today. The continuation with a SIM inserted will have to wait…until the recalled unit comes back, I suppose.

[1] Japan Approvals Institute for Telecommunications Equipment (一財 電気通信端末機器審査協会), "On the conformity certification system for telecommunications terminal equipment"

[2] Incidentally, on an iPhone it looks like this.


by Nat at September 26, 2015 02:35 AM

September 23, 2015

Foundation Activity and Progress Report September 2015

I spoke last week at the European Identity Management Conference in Amsterdam and this week in Florida at the Global Identity Summit. In both venues, the adoption of and interest in the evolution of OpenID Connect were clearly evident and important. In a panel I chaired, OpenID Foundation member GSMA referenced the important role OpenID Connect plays in their Mobile Connect deployment. Bjorn Hjelm of Verizon shared an overview of the MODRNA WG and potential synergies with Account Chooser he is testing with Pam Dingle.

Together with leaders from the US NIST, OpenID Foundation will announce the formation of our newest work group, “iGOV”, a profile intended to optimize OpenID Connect for government to citizen applications. NIST is organizing a collaboration with UK and European peers. John Bradley has provided important continuity and leadership in this regard and will post the appropriate WG information soon at OpenID Foundation member Justin Richer provides important continuity in these matters that may benefit the HEART WG as well.

Our colleagues at the US NIST plan to include iGOV and OpenID Connect in a workshop planned for January 2016 in the Washington DC area. I will provide more details on OpenID Foundation’s involvement as details become available.

In Amsterdam, the European audience and our colleagues at companies like CA, Ping, Forgerock and others were quite vocal about the importance of the OpenID Foundation providing more information, visibility and support of adoption efforts in the UK and Europe. The high visibility and potential impact of upcoming EU regulation of identity systems is a forcing function for interest, investment and education in open identity standards and associated trust frameworks.

The request of European members and potential members was such that I tentatively committed the OpenID Foundation to workshops in Amsterdam and London in the first quarter of 2016. The Foundation will coordinate with member companies like Ping and Forgerock that have company specific efforts now underway to coordinate calendars and content. We hope to build on this interest to optimize the run up to the planned OpenID Foundation Workshop in Munich at the EIC May 10 to 13. The OpenID Foundation will also coordinate with the Open Identity Exchange to find economies of scale and other synergies.

Your comments and contributions are requested.

Don Thibeau

by jfe at September 23, 2015 02:31 PM

September 09, 2015

OIDF Summit in Tokyo November 10, 2015

The OpenID Summit Tokyo 2015 will be held this November 10 and will feature technical discussions about OpenID Connect as well as governance in the Identity Ecosystem and the IoT (Internet of Things).

Registration is now open and registration details for the event are available here:

The call for presentations is available here: We are soliciting 15 minute presentations plus a 5 minute Q&A including those on:
– New approaches in patient centric consent; e.g., HEART WG
– OpenID Connect for mobile applications; e.g., MODRNA

Proposed presentations will complement those the OpenID Foundation has already secured:
– General Overview of the OpenID Foundation and its Work Groups by Don Thibeau Executive Director OpenID Foundation
– The market impact of OpenID Connect Self Certification, plans for RP certification and its value in internal QA/QC development processes by Mike Jones of Microsoft;
– New models and initiatives in security, e.g., RISC WG and the curation of best practice reference libraries, e.g., Native Applications WG by John Bradley of Ping Identity

The OpenID Foundation Board of Directors has authorized a delegation to meet with new and current OpenID Foundation Japan members, prospective members, and government agencies like the Ministry of Economy, Industry and Trade, the Ministry of Internal Affairs and Communications, and the National Center of Incident Readiness and Strategy for Cyber Security.

The OpenID Foundation delegation will meet also with Masanori Kusunoki, the new chair of the OpenID Foundation-Japan and an executive advisor to the Japanese Government CIO.

Please feel free to contact me for more information.

Don Thibeau
The OpenID Foundation

by jfe at September 09, 2015 07:01 PM

September 02, 2015

Nat Sakimura

OpenID Summit Tokyo 2015 Call for Presentations Opens


OpenID Summit Tokyo 2015 will be held on the coming November 10 in Iidabashi, Tokyo.

Its Call for Presentations has now opened[1].



Talks will cover application cases, application proposals and technical proposals for the various specifications[2] completed or under development at the OpenID Foundation, in the following areas:

  • IoT
  • Mobile applications
  • Fintech
  • AdTech
  • e-Government (electronic administration)
  • Digital identity policy
  • Enterprise access management
  • E-commerce
  • Privacy
  • Trust frameworks
  • Development methodology


  • 岡部 寿男 (Kyoto University)
  • 佐藤 周行 (University of Tokyo)
  • 山地 一禎 (National Institute of Informatics)
  • 下道 高志 (University of Electro-Communications)
  • 小畑 雅人 (KDDI)
  • 崎村 夏彦 (Nomura Research Institute)
  • 楠 正憲 (Yahoo Japan)
  • 米谷 修 (Recruit Technologies)
  • 林 達也 (Lepidum)
  • 江川 淳一 (Chair, OIDF-J Enterprise Identity WG)
  • 真武 信和 (Chair, OIDF-J Translation WG)



[1] Application guidelines:

[2] The following specifications are in scope.

  • Connect
    • MODRNA (Mobile Operators’ Discovery, Registration and Authentication)
    • HEART (Health Relationship Trust)
    • RISC (Risk and Incident Sharing and Coordination)
    • AC (Account Chooser)
  • Specifications completed or under development in the IETF OAuth WG
  • Specifications completed in the IETF JOSE WG
  • Specifications under development in the IETF ACE WG
  • OpenID Connect Certification

by Nat at September 02, 2015 08:08 AM

August 18, 2015

Registration Now Open for OIDF Workshop October 26, 2015

Registration is now open for the OpenID Foundation Workshop being held on October 26, 2015 (the Monday before the Fall IIW meeting) at Symantec’s HQ in Mountain View, CA. OpenID Foundation Workshops provide early insight and influence on widely adopted online identity standards like OpenID Connect. The workshop provides updates and hands-on tutorials on new OpenID Connect Self Certification Tests by developer Roland Hedberg and the UMEA University team. We’ll review progress on the MODRNA (Mobile Profile of OpenID Connect) as well as other protocols in the OIDF pipeline like RISC, HEART, Account Chooser and Native Applications. We hope to launch the new iGOV Work Group’s development of a profile of OpenID Connect for government applications. Leading technologists from Forgerock, Microsoft, Google, Ping Identity and the US Government will review work group progress and discuss how they enable new solutions for enterprise and government Internet identity challenges. Thanks to OpenID Foundation Board Members Roger Casals and Brian Berliner and Symantec for hosting the workshop.
Planned Agenda:
11:00 – 11:30 Introduction – Don Thibeau
11:30 – 12:00 OpenID Connect – Mike Jones, John Bradley, Nat Sakimura
12:00 – 01:00 Lunch
01:00 – 01:30 iGOV Profile of OpenID Connect – John Bradley, et al.
01:30 – 02:00 MODRNA (Mobile OpenID Connect Profile) – Torsten Lodderstedt, John Bradley
02:00 – 02:30 Break
02:30 – 03:00 Account Chooser – Pamela Dingle
03:00 – 04:00 RISC – Adam Dawes
04:00 – 04:30 Native Applications – Paul Madsen
04:30 – 05:00 Health Relationship Trust Profiles (HEART) – Deb Bucci, Eve Maler, HMG Cabinet Office Chairs
05:00 – 06:00 OpenID Connect Conformance Testing – Mike Jones and Roland Hedberg, UMEA University

by jfe at August 18, 2015 09:19 PM

July 24, 2015

The Path Forward for Self-Certification

The increasing adoption of OpenID Connect deployments has required the OpenID Foundation to develop new certification models that support the practical business, legal and technical realities of today’s Internet scale deployments. Throughout 2015, the pilot phase of OpenID Connect self-certification has been testing the efficiencies, cost effectiveness and trustworthiness of this new approach. Early adopters helped “test the tests” and put a wide range of solutions through the first iteration of OpenID Connect self-certification.

OpenID Connect self-certification is underway for the first set of OP tests with additional OP and new RP pilot testing planned later for this year. Certification costs/fees to be determined by the Executive Committee will reference the guidelines below as adopted by the OpenID Foundation Board. In this way, OpenID Connect self-certification is breaking new ground and setting precedents for certification in the foundation’s future.

OpenID Foundation Self-Certification Guidelines
1. Adoption is the foundation’s highest priority.
2. The foundation’s goals include incentivizing membership, certification of multiple profiles per implementation and international participation.
3. Certification Profiles are rolled out in three phases: pilot by early adopters, membership beta and general availability.
4. OpenID certification pilots and betas are to be available to all members in good standing.
5. Upon completion of the beta and pilot phases, certification for those profiles will be made available to non-members.
6. All fees are waived during the pilot phase; fees will be charged during the beta and general availability phases.
7. The Foundation intends to authorize fees sufficient to cover the costs of operating a certification program once the corresponding pilot phase is complete.
8. OpenID Foundation certification fees are to be the same for all members.
9. Certification fees are due at the time of submission and are charged per implementation.
10. Certification(s) will be approved once payment is received.

The Executive Committee is now working through the actions needed to make the planned OP and RP self-certification available to members and non-members and fully operationalize the OpenID Connect self-certification program. Your feedback is welcome at

Don Thibeau

by jfe at July 24, 2015 02:42 PM

July 23, 2015

Introducing RISC: Working together to protect users

According to a recent Gallup poll, more people are worried about their online accounts being hacked than having their home broken into. With more and more of our digital lives accessible online, attackers are redoubling efforts to steal our personal information, and increasingly exploiting the interconnectedness of web services and apps to “leapfrog” from one account to the next.

Attackers often target multiple accounts across service providers for a single individual, knowing that users normally register for all their internet services with just a few email addresses. For example, a victim’s social networking account may send password recovery information to their email account, or the victim might log into their photo sharing account using their social network credentials. When criminals exploit these linkages, a single weak link can create a cascade of account takeovers.

That’s why the OpenID Foundation is pleased to announce a new effort dedicated to tackling this problem by working together on account defense. This month, a consortium of technology companies including Aol, Confyrm, Deutsche Telekom, Google, LinkedIn, Microsoft, Nomura Research Institute, and Ping Identity chartered an initiative to design an “early warning system” that safely and securely raises the alarm when accounts are at risk.

This Risk & Incident Sharing and Collaboration Working Group (RISC) initiative has set its initial mission as the development of standards designed to enable providers to prevent attackers from compromising linked accounts across multiple providers and coordinate in restoring accounts in the event of compromise.

The RISC group takes the approach that through open collaboration, the internet industry can design and deploy mechanisms that significantly lessen the impact of account hijacking. The effort focuses on sharing security events that occur at the individual account level, like the fact that a specific account was put on hold because of a suspected compromise. The group will also work with an attention to minimizing impacts on user privacy. The RISC group is not focused on identification or defense against malware or other system or network level attacks.

To learn more about the working group please visit the OpenID Foundation RISC Workgroup or contact Don Thibeau Executive Director,

by Adam Dawes at July 23, 2015 07:13 PM

July 16, 2015

Kaliya Hamlin

I'm Quoted in Guardian Article re: Ellen Pao

Yesterday a reporter called me up and asked me for comment on Ellen Pao. I said “What did you expect?” It became the headline! – I continued: “Ellen was at the center of a high-profile sexual discrimination suit versus a major VC firm and she was put in charge of the teenage boy section of the internet. What did you expect was going to happen? It was inevitable that they would turn on her.”

You can read the whole article here – I wasn’t the only one unsurprised by what happened. 🙂

‘What did you expect?’ Women in tech reflect on Ellen Pao’s exit from Reddit

by Kaliya Hamlin, Identity Woman at July 16, 2015 07:29 PM