Planet OpenID

April 07, 2014

Kaliya Hamlin

BC Government Innovation in eID + Citizen Engagement.

I wrote an article for Re:ID about the BC Government's Citizen Engagement process that they did for their eID system.

Here is the PDF: reid_spring_14-BC

by Kaliya Hamlin, Identity Woman at April 07, 2014 02:48 AM

Kaliya Hamlin

Big Data and Privacy

On Friday I responded to the Government "Big Data" Request for Comment.

I will get to posting the whole thing in blog form - for now here is the PDF. BigData-Gov-2

by Kaliya Hamlin, Identity Woman at April 07, 2014 02:13 AM

April 01, 2014

OpenID.net

More Momentum: OpenID Connect Adoption

In my last blog, I noted, “it’s time to build out the final elements of OpenID Connect and move to mobile.” We’ll soon announce the official working group with the GSMA focused on an OpenID Connect mobile profile. Foundation members, partners and independent developers continue to integrate OpenID Connect in robust and interoperable identity services into enterprise solutions. Enterprise solutions are the focus of OpenID Workshops preceding the European Identity Conference in Munich in May and the Cloud Identity Summit in Monterey, California.

OIDF member salesforce.com is hosting a webinar next week on Wednesday, April 9th, “OpenID Connect: The new standard for connecting to your Customers, Partners, Apps and Devices.” You can find more information and register by clicking on this link. Join Chuck Mortimore, Pat Patterson, and Ian Glazer’s socks as they overview how OpenID Connect can help better connect customers, partners, apps, and devices. Chuck, Pat and Ian will speak to how OpenID Connect builds on OAuth and how to consume OpenID Connect from identity providers with Social Sign-On. While this webinar is aimed at a technical audience, I’m confident that anyone looking to learn more about identity and standards will benefit.

I will continue to keep you abreast of OpenID Connect events and adoption success stories. Feel free to contact me directly with any events or experiences that you feel should be highlighted.

Thanks,

Don

by jfe at April 01, 2014 09:05 PM

March 31, 2014

Kaliya Hamlin

NSTIC WhipLash - Making Meaning - is a community thing.

Over a week ago I tweeted that I had experienced NSTIC whiplash yet again and wasn't sure how to deal with it. I have been known to speak my mind and get some folks really upset for doing so. Given that I know the social media savvy NSTIC NPO reads all tweets related to their program, they know I said this. They also didn't reach out to ask what I might be experiencing whiplash about.

First of all, since I am big on getting some shared understanding up front, what do I mean by "whiplash"? It is that feeling like you're going along ... you think you know the lay of the land, the car is moving along, and all of a sudden out of nowhere a new thing "appears" on the path and you have to slam on the brakes and go huh! what was that? And in the process your head whips forward and back, giving you "whiplash" from the sudden stop/double-take.

I was toddling through and found this post. What does it Mean to Embrace the NSTIC Guiding Principles?

I'm like ok - what does it mean? and who decided? how?

I read through it and it turns out that in September the NPO just decided it would decide/define the meaning and then write it all out and then suggest in this odd way it so often does that "the committees" just go with their ideas.

"We believe that the respective committees should review these derived requirements for appropriate coverage of the identity ecosystem.   We look forward to continued progress toward the Identity Ecosystem Framework and its associated trustmark scheme."

Why does the NPO continue to "do the work" that the multi-stakeholder institution they set up was created to do that is to actually figure out the "meaning" of the document.

Why not come to the Management Council and say, "hey, we really need to as a community figure out what it "means" to actually embrace the guiding principles. We need to have a community dialogue that gets to a meaningful concrete list relatively quickly. How should we do that as a community?" Then the Management Council would do its job and "manage" the process and actually figure out 1) if the NPO was right that indeed now would be a good time to figure out the meaning of embrace and 2) then figure out how to do it, and the people on the council (and others in the community) who have some experience in leading real multi-stakeholder efforts and skills in inclusive methodologies would have debated and put forward a path. The Secretariat (if it actually functioned as a support organ for the Management Council) would then help the council carry out the process/method and get to the needed "outcome": some community-developed articulation of what embracing the principles means. Instead we just have what the NPO staff thinks. While I am sure it is "great" and they are such "hard working, good folks"... it wasn't community generated and therefore is not "owned" by the community, which is not good if the outcomes of this effort are to be "trusted" by the public at large. All the core work items of a multi-stakeholder institution can't just be done by the NPO.

by Kaliya Hamlin, Identity Woman at March 31, 2014 07:21 PM

March 21, 2014

OpenID.net

Growing list of OpenID Connect libraries available

The list of publicly available OpenID Connect libraries is growing, with implementations available for numerous development platforms and environments, including Drupal, Java, PHP, Python, and Ruby. See the Libraries page for a list of OpenID Connect libraries, as well as libraries implementing the related JSON Web Token (JWT) and JSON Object Signing and Encryption (JOSE) specifications. These libraries make it easy to join the likewise growing list of OpenID Connect deployments.

If your library isn’t listed and you’d like it to be, please drop us a note on the code@openid.net mailing list or the general@openid.net mailing list.

Also, if you’re interested in participating in OpenID Connect interop testing, please join the openid-connect-interop@googlegroups.com mailing list and ask to be added to the current OpenID Connect interop.

by Mike Jones at March 21, 2014 12:45 AM

March 20, 2014

Santosh Rajan

Browser supported Single Sign on with Email Addresses


In this post I would like to explore Single Sign-On with email addresses, with the support of the user's browser. Browsers do not currently support Single Sign-On. Recently Mozilla showcased their concept of BrowserID.

I am not comfortable with their use of asymmetric keys, because this requires the user to manage his own private/public keys. Indeed BrowserID will ease the process for the user, but he still needs a private key on every computer he uses, and this may include public computers at browsing centres etc.

So here I will present a Single Sign-On process that will not require asymmetric keys. For the sake of this post we will call the user's email provider "email.com", the site he wants to sign into "site.com", and the scheme "BSSO" for Browser Supported Single Sign-On. This article will not get into the details of algorithms etc., because each step described here can be carried out in many ways, and has already been implemented in some form or other by other protocols. A good example is OpenID 2.0.

First, I will describe the process when the user is already signed into "email.com", and wants to sign into "site.com".

Case 1 - User signed into email.com


Step 1
The user browses to "site.com". "site.com" needs to indicate to the user's browser that it supports BSSO. This can be done in many ways; I will give one example here. site.com's page can include two elements. One element goes in the HTML head, like the one below:
<link href="https://site.com/bsso" rel="bsso_end_point"/>
In the body it can have an element with id "bsso_sign_in_button".
The rel="bsso_end_point" link element indicates to the browser that this site supports BSSO and that it should listen to the click event of the element with id="bsso_sign_in_button".

Step 2
When the user clicks the "Sign In" button for "site.com", the browser makes an authentication request to "email.com" on behalf of "site.com", carrying "site.com"'s end point. This requires the user to have preselected his preferred email address(es) in the browser's BSSO setup; if not, the browser shows a popup asking the user to select his preferred email address. The browser may also have discovered "email.com"'s end point during setup using WebFinger.

Step 3
"email.com" returns a positive assertion of the user's email address. This is not a problem because the user is currently signed into "email.com". Also a private "association key" is included along with the assertion.

Steps (2) and (3) are transparent to the user. The browser makes a cross-domain ajax request to "email.com". This is possible because it is the browser making the request and not any javascript on "site.com"s page.

Step 4
The browser now directs the user to "site.com"'s end point URL with an HTTP POST request, with the assertion returned from "email.com" in the POST body.

Step 5
"site.com" will now verify the assertion by sending the assertion along with the association directly to "email.com"'s end point. "site.com" would also have followed the WebFinger protocol to determine the end point. It is possible for "site.com" to request a time-bound association with "email.com", so that Steps 5 and 6 can be avoided in subsequent requests.

Step 6
"email.com" will respond with success or failure.

Case 2 - User Not signed into email.com

In the case where the user is not signed into "email.com", in Step 3 "email.com" will respond with a "user not signed in" response along with a sign-in URL that might have an encoded token in its query parameter. (The encoded token is for preventing phishing; I am not yet sure whether this token is required.) The browser will pop up a window, listen for the popup's close event, and direct the user to the returned sign-in URL. After sign-in, "email.com" must "close" the popup via JavaScript. When the popup is closed the browser will continue with Step 2 again. In case the popup was closed without the user signing in, the browser will receive "user not signed in" for the second time, in which case the browser has to query the user again.

Some Notes
This may look like a lot of steps, but the user only "sees" (1) and (4). Also (5) and (6) are not required after "site.com" and "email.com" have established an association.

Phishing is not possible, because there are no redirects from "site.com".

The user can sign in from anywhere, there is no need to have any private keys on the computer being used.

Unlike BrowserID, "email.com" will be aware of the sites the user signs into. I don't know how much of a problem this is. It's a debatable issue I guess.

by Santosh Rajan at March 20, 2014 03:56 AM
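The six steps and Case 2 from the post above, modelled in Python as an added example (not Santosh's code or any shipping implementation). The "association key" is assumed to be a shared HMAC-SHA256 secret held by email.com and handed to site.com on direct request, the nonce and audience checks at site.com are assumptions the post does not spell out, and the three classes stand in for the browser, "email.com" and "site.com".

```python
import hashlib
import hmac
import json
import secrets
import time

def _mac(key, fields):
    # Deterministic serialisation so signer and verifier MAC the same bytes.
    data = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class EmailProvider:  # stand-in for "email.com"
    def __init__(self, domain="email.com", assoc_ttl=300):
        self.domain = domain
        self.assoc_ttl = assoc_ttl      # assumed: associations are time-bound
        self.signed_in = set()          # emails with a live email.com session
        self.associations = {}          # handle -> (key, rp_endpoint, expires_at)

    def sign_in(self, email):
        # Case 2: the user signs in inside the popup the browser opened.
        self.signed_in.add(email)

    def association_for(self, rp_endpoint):
        # Reuse a live association for this RP or mint one. Also serves the direct,
        # time-bound association site.com may request (see the Step 5 note).
        now = time.time()
        for handle, (key, rp, exp) in self.associations.items():
            if rp == rp_endpoint and exp > now:
                return handle, key
        handle, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.associations[handle] = (key, rp_endpoint, now + self.assoc_ttl)
        return handle, key

    def authenticate(self, rp_endpoint, email):
        # Step 3: answer the browser's cross-domain request made on site.com's behalf.
        if email not in self.signed_in:
            # Case 2: no session, so hand back a sign-in URL for the browser's popup.
            return {"status": "user_not_signed_in",
                    "sign_in_url": f"https://{self.domain}/login?t={secrets.token_urlsafe(8)}"}
        handle, key = self.association_for(rp_endpoint)
        fields = {"email": email, "rp": rp_endpoint, "assoc_handle": handle,
                  "nonce": secrets.token_hex(8), "issued_at": int(time.time())}
        return {"status": "ok", "assertion": dict(fields, sig=_mac(key, fields))}

    def verify(self, assertion):
        # Steps 5 and 6: site.com sends the assertion back to email.com directly.
        a = dict(assertion)
        sig = a.pop("sig", None)
        entry = self.associations.get(a.get("assoc_handle"))
        if sig is None or entry is None:
            return False
        key, rp, exp = entry
        if time.time() > exp or rp != a.get("rp"):
            return False
        return hmac.compare_digest(_mac(key, a), sig)

class RelyingParty:  # stand-in for "site.com"
    def __init__(self, endpoint="https://site.com/bsso"):
        self.endpoint = endpoint        # the rel="bsso_end_point" URL from Step 1
        self.assoc_keys = {}            # handle -> key, once associated directly
        self.seen_nonces = set()        # replay protection

    def associate_with(self, idp):
        handle, key = idp.association_for(self.endpoint)
        self.assoc_keys[handle] = key

    def receive_assertion(self, assertion, idp):
        # Step 4 handler: returns the asserted email, or None if the assertion is rejected.
        a = dict(assertion)
        sig = a.pop("sig", None)
        # Audience check: an assertion minted for another site's end point must not sign in here.
        if sig is None or a.get("rp") != self.endpoint or a.get("nonce") in self.seen_nonces:
            return None
        key = self.assoc_keys.get(a.get("assoc_handle"))
        if key is not None:             # cached association: verify locally, skipping Steps 5/6
            ok = hmac.compare_digest(_mac(key, a), sig)
        else:
            ok = idp.verify(assertion)  # Steps 5 and 6
        if not ok:
            return None
        self.seen_nonces.add(a["nonce"])
        return a["email"]

class Browser:  # the user agent running Steps 2 to 4 (and the Case 2 popup)
    def __init__(self, preferred_email):
        self.preferred_email = preferred_email   # chosen in the browser's BSSO setup

    def click_sign_in(self, rp, idp, user_completes_popup=True):
        for _ in range(2):
            # Step 2: cross-domain request to email.com carrying site.com's end point.
            resp = idp.authenticate(rp.endpoint, self.preferred_email)
            if resp["status"] == "ok":
                # Step 4: POST the assertion to site.com's end point.
                return rp.receive_assertion(resp["assertion"], idp)
            # Case 2: open a popup at resp["sign_in_url"] and wait for it to close.
            if user_completes_popup:
                idp.sign_in(self.preferred_email)
        return None   # "user not signed in" twice: the browser must ask the user again
```

The audience check is what stops an assertion issued for one site's end point from being replayed to another site, which the post's "Phishing is not possible" note relies on but does not state.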

March 19, 2014

OpenID.net

Last Call on the Launch and the Move to Mobile

This is my first blog after a successful OpenID Connect launch in San Francisco, Barcelona and Japan on February 26th. The launch generated global buzz and coverage. Below are a few links to my previous posts highlighting statements of support and press coverage:
Statements of Support
Additional Statements of Support
OpenID Connect Press Coverage

Congratulations to the OpenID Foundation Marketing Committee and the membership as a whole for the creativity and commitment that launched OpenID Connect from Tokyo, San Francisco and Barcelona.

On behalf of the Foundation, a “thank you” to Tim Bray for his expertise and overall contributions to the OpenID Connect launch. We await news from Tim as he decides what‘s next in his highly successful career. We are happy to hear Tim will never be too far from the OpenID Foundation’s work.

Jeff Fishburn from OnPR led the PR efforts and ensured that OpenID Connect received the coverage it deserved at the very “noisy” RSA and Mobile World Congress events. I appreciate the efforts of the PR teams at the GSMA, Google, Microsoft, Ping, Salesforce, ForgeRock and others as well as our OpenID Foundation Japan colleagues in ensuring a successful launch. Thanks to Microsoft and Google for providing direct funding in support of launch activities. Jeff Fishburn’s firm, OnPR, has been a long-standing supporter of Jeff’s volunteer efforts on the Marketing Committee over the last few years.

And thanks to Mike Leszcz who has been working with me on OIXnet as Technical Program Manager. Mike helped coordinate the OpenID Connect launch with OIX members like the GSMA. Mike worked closely with Jeff Fishburn on communication efforts and coordinated launch support across time zones, late night deadlines and member organizations.

Now it’s time to build out the final elements of OpenID Connect and prepare to move to mobile. I spent last week in London at the headquarters of OIDF member, the GSMA. We had a big crowd for the kick-off of a new mobile-centric working group. It was a diverse turnout of mobile network operators (MNOs), telcos, data aggregators, bureaus, IDPs, SPs, RPs, government standards representatives and others. The all-important scoping discussion was encapsulated in what to call this new working group. Should it be a profile for mobile network operators? Understandable, certainly legitimate, but even the GSMA representatives pushed for more. Tim Bray encouraged the group to leverage the momentum of OpenID Connect to address the systemic needs of the market, developers and consumers alike. Despite, or because of, the diversity of stakeholders in the room, a strong consensus grew around the timeliness and importance of the work group’s focus.

OIDF Chairman Nat Sakimura used the OIDF Work Group chartering process to articulate what is now “The Mobile Profile for OpenID Connect Working Group.” No doubt soon to be nicknamed “Mobile Connect”. This Working Group plans to apply to the Specs council to develop an OpenID Connect profile intended for use by MNOs providing identity services to RPs and for RPs in consuming those services as well as any other party wishing to be interoperable with this profile. David Pollington, Senior Director of Technology at the GSMA, is acting Chair of the WG. The draft Charter is also available here and it has been submitted to the OIDF specs list for approval.

I draw your attention to that last part. As part of this work, the Working Group will identify and make recommendations for additional Connect standards items. This is a positive as it can complement and further strengthen Connect adoption. It also signals the increasingly important compatibility with other protocols in the OIDF pipeline, notably Account Chooser and NAPPs. This also strengthens emerging federation architectures in enterprise, government and other sectors.

Foundation members and others interested in the progress of this Working Group as well as others are invited to join. Foundation workshops detailing development of all OIDF protocols are planned for the EIC in Munich, at the Yahoo! Campus before the May IIW, at the European Identity Conference in Munich, and at the Cloud Identity Summit in Monterey, CA in July.

None of this would have been possible without the dedication, direct funding and on-going support of the OIDF and OIX members. Thank you again and I look forward to continuing our work together.

Don Thibeau
Executive Director
OpenID Foundation

by jfe at March 19, 2014 05:04 PM

March 13, 2014

Kaliya Hamlin

I'm not your NSTIC "delegate" any more ... pls get involved.

I have heard over the past few years from friends and associates in the user-centric ID / Personal Cloud / VRM communities, or those people who care about the future of people's identities online, say to me literally: "Well, it's good you are paying attention to NSTIC so I don't have to."

I'm writing to say the time for that choice is over. There is about 1 more year left in the process until the "outputs" become government policy under the recently released White House Cyber Security Framework (See below for the specifics).

Key items of work are progressing and the time for "our" world view showing up within the work is now and my ability to get them to be taken seriously is ZERO if I continue to be an almost lone voice expressing these key items - particularly

The Functional Model Group is working on defining all the "bits" of the system. I believe this is where the "personal cloud" should be a key primary function/piece of the ecosystem. So far it has not been raised in a significant way and has not been addressed by the powers that be leading the committee.

The Trust Framework work is progressing rapidly. This is the work to take existing what they call Trust Frameworks (and I think should be called Accountability Frameworks). These are where the existing rules/policies and technologies for various networks are all harmonized, and then through that somehow we get to a kind of meta/uber trust framework and interoperability.

The big challenge that I see is that it is all coming from existing frames within the conversation that do NOT have a remotely "user centric" frame.

  • I don't hear any conversation about how individuals will be protected from their "Identity Provider" (the entity that has "all" their identity information and vouches for them at a Relying Party).
  • I don't hear any conversation about how people will be protected from over zealous relying parties asking for way to much information.
  • I don't hear any conversation about how individuals will be protected from IdP's and RP's being able to sell their data into the data broker industry.
  • I don't hear any conversation about how people could collect their own attributes and information in a Personal Cloud and from that center of personal sovereignty use it in the ecosystem.

I do see:

  • Assertions that Relying Parties can ask for whatever they want / think they need to complete a transaction and that "the market will decide"
  • Assertions that concerns about people's rights around how they choose to name and identify themselves should be set aside for future iterations.
  • I do see that one of the pilots in the last round of multi-million dollar grants went to a defense industry consortium specifically for "development of an open source, technology-neutral Trust Framework Development Guidance document"

So what should you DO?

1) Sign up to attend the April 1-3 Plenary in Mountain View (bonus you don't have to attend in person) Link Here.

2) Sign up to watch and contribute to the Trust Framework and Functional Model Groups - please see this post OR any of a number of groups with activity.

3) Sign up to join the IDESG organization (that way you can be "official members") of the committees and "vote" on things.  See this Post.

4) Let me know you are keen on getting more involved and I can help connect you with others also "diving in" right now [ kaliya AT identitywoman DOT net].

5) Bonus - Attend the Internet Identity Workshop in Mountain View May 6-8 and work with others in the user-centric community on this and other more fun issues (like building cool decentralized, empowering technologies).

This is what I referenced above about it becoming government policy and practice.

As the White House announcement details below, today marked the release of the Cybersecurity Framework crafted by NIST – with input from many stakeholders – in response to President Obama’s Executive Order on Improving Critical Infrastructure Cybersecurity issued one year ago.

NSTIC is not discussed in the framework itself – but both it and the IDESG figure prominently in the Roadmap that was released as a companion to the Framework.  The Roadmap highlights authentication as the first of nine different, high-priority “areas of improvement” that need to be addressed through future collaboration with particular sectors and standards-developing organizations.

The inadequacy of passwords for authentication was a key driver behind the 2011 issuance of the National Strategy for Trusted Identities in Cyberspace (NSTIC), which calls upon the private sector to collaborate on development of an Identity Ecosystem that raises the level of trust associated with the identities of individuals, organizations, networks, services, and devices online.

NSTIC is focused on consumer use cases, but the standards and policies that emerge from the privately-led Identity Ecosystem Steering Group (IDESG) established to support the NSTIC – as well as new authentication solutions that emerge from NSTIC pilots – can inform advances in authentication for critical infrastructure as well.

NSTIC will focus in these areas:
· Continue to support the development of better identity and authentication solutions through NSTIC pilots, as well as an active partnership with the IDESG;

· Support and participate in identity and authentication standards activities, seeking to advance a more complete set of standards to promote security and interoperability; this will include standards development work to address gaps that may emerge from new approaches in the NSTIC pilots.

by Kaliya Hamlin, Identity Woman at March 13, 2014 06:19 AM

March 11, 2014

Kaliya Hamlin

Meta-Governance

This spring I attended the Executive Education program Leadership and Public Policy in the 21st century at the Harvard Kennedy school of government with fellow Young Global Leaders (part of the World Economic Forum).  A line of future inquiry that came to me by the end of that two weeks -

How do we design, create, get functioning and evolve governance systems?

The governance of governance systems = Meta-Governance.

At the Kennedy program all they could talk about was "individual leadership" (with good advice from good teams of course) at the top of organizations. They all waved their hands and said "Good luck young leaders, we know it's more complicated now... and the problems are bigger than just organizational size, but we don't really know what to tell you about how to do inter-organizational collaborative problem solving and innovation... so good luck."

It was surreal because this inter-organizational, complex space is where I spend my work life helping design and facilitate unconferences. It is in that complex inter-organizational place.

I have this clear vision about how to bring my two main career bodies of knowledge together (digital identity + digital systems & design and facilitation of unconferences using a range of participatory methods) along with a range of other fields/disciplines that I have tracked in the last 10 years.

by Kaliya Hamlin, Identity Woman at March 11, 2014 05:18 AM

Kaliya Hamlin

Core Concepts in Identity

One of the reasons that digital identity can be such a challenging topic to address is that we all swim in the sea of identity every day. We don't think about what is really going on in the transactions... and many different aspects of a transaction can all seem to be one thing. The early Identity Gang conversations focused a lot on figuring out what some core words meant, and developed first a shared understanding and then a shared language to talk about these concepts in the community.

I'm writing this post now for a few reasons.

There is finally a conversation about taxonomy within the IDESG (Yes! after over a year of being in existence it is finally happening; I recommended in my NSTIC NOI Response that it be one of the first things focused on).

Secondly, I have been giving a 1/2 day and 1 day seminar about identity and personal data for several years now (You can hire me!). Recently I gave this seminar in New Zealand to top enterprise and government leaders working on identity projects 3 times in one week. We covered:

  • The Persona and Context in Life
  • The Spectrum of Identity
  • What is Trust?
  • A Field Guide to Internet Trust
  • What is Personal Data
  • Market Models for Personal Data
  • Government Initiatives Globally in eID & Personal Data

I created a new section of this presentation to cover some core concepts that I realized needed to be fully articulated to talk about:

Identifiers (generic)

Identifiers are pointers.

A description of an object and a location can be an identifier for it - "The green chair in the corner."

Names

Names are identifiers.

The names of people are ways to identify them in the context of the society in which they live.  Different societies have different conventions for naming people.

Names are asserted by people about themselves.

Some people use different names in different contexts.

Names are often not unique (that is, more than one person will have the same name as another person).

Identifiers in modern systems 

In modern society governments, organizations and businesses all provide services to people (citizens). Since names are not unique, the builders of these systems needed to figure out how to identify people to do the record keeping. A sensible solution to this was to assign a unique identifier number to people so that interactions between the person and the system could be correlated.

Examples: 

An identifier that people in the United States have to track their engagement with the pension system is the Social Security Number. It is issued or assigned to people by the Social Security Administration.  Today it is common practice for this number to be issued at birth to babies born in the US. People born outside of the US who come to the country can apply to get a number.

It is normal practice to register children's births with the jurisdiction in which they are born. A form is filled out by the parents and signed by a physician and submitted. Then a birth certificate is issued. The birth certificate has a serial number on it that identifies it as a unique document.

Note: Billions of people world wide do NOT have this type of document.

Companies issue numbers to their customers to track them and their interactions with a company.  When you call a company to interact with them they ask you what your customer number is.  The bar code on loyalty cards encodes a customer number and when they scan it with a purchase - which then links that purchase with prior ones.

Identifiers with End-Points (Digital Identifiers)

The above types of identifiers are issued by bureaucratic systems and point to particular people. They are however not end-points on a network. Information cannot be sent to them. The person who the identifier points at cannot do a technical authentication to prove that they are indeed at the end of the end-point and should receive the information.

One type of network with end-points that we are familiar with is relatively modern but predates electronic networks: the street address system. Integrity in this system is backed up by laws in the US that impose severe consequences for its use for fraudulent purposes. It is also illegal to open mail not addressed to you.

In electronic systems we have identifiers that point to people and are end-points. These include phone numbers, e-mail addresses, debit card numbers, employee logins etc. Information is sent to these identifiers and access to resources is available via the end-point. To protect the information, the system must make sure it is only seen by the person it was for (the person that the identifier points at) and that only that person can access resources. These electronic systems support the person claiming they are indeed the person that a particular identifier points at, by proving they are that person. This requires that systems provide ways to do Technical Authentication (AuthN).

This can be done in a variety of ways: sharing a secret only they know (password or PIN), sharing a changing secret that only they have access to (a code that changes on a token or in software generating a one-time password), scanning a body part to see if it matches one that was enrolled, having a thing that only they have (a phone with the SIM card in it, a debit card). Different types of technical authentication are possible for different systems, but they have the basic function of supporting the person who the identifier points at being able to prove to the system that they are the person a particular identifier points at.

More sophisticated systems issue both a "core" identifier that is the primary pointer at a particular person AND a different identifier that is an authentication end-point.  This has an advantage because if control over the authentication end-point is lost then it can be re-issued but the core identifier stays the same.

Attributes

Attributes are things about a person (or an entity).

They include personal details like birthday, age, gender, residence, place of work, income, preferences and habits, credentials from educational institutions, record of employment.

Claims

Claims can include identifiers (both authenticatable end-points, identifiers that are not end-points / not resolvable) and attributes.

Proofing / Verification 

This is the process where certain things that you claim about yourself are checked to see if the assertions line up with how you presented yourself in the past or how facts about you were recorded in record keeping systems.

One way that proofing is done is the presentation in person of formal government-issued paperwork that affirms certain claims: a birth certificate asserts a birth date; a passport asserts citizenship and has a photo asserting likeness; a driver's license has a photo for asserting likeness and a residential address (asserted by the person when getting the license).

Another way to do proofing is to look up claims by people about themselves in databases managed by data brokers.

Document Validation 

This is the process where documents presented can be checked to see if they are valid: were they in fact issued by the authority, and does the name on the presented document match the one on file. These are typically set up so that the person viewing a document presented by an individual can type in the document information (serial number, birthdate, name) and find out via a yes/no answer if it is a valid document.

The E-Verify program for employers is a system designed to do this. It should be noted that this process does have a negative impact on transgender people in particular, who have hidden their gender at birth from their employer and who are rejected by the system when the gender they present to their employer does not match the one in the Social Security Administration records.

Enrollment 

This is the process that people go through to be issued an identifier in a system. This is true for identifiers with and without an authentication end-point. What information do they need to present? How is it checked or verified? Do they need to do it in person? Does it involve the collection of a biometric (photo, fingerprint, iris scan)? The end result of an enrollment process is the issuance of an identifier and often some type of credential that can be used to authenticate into a system. For example: a student ID card at a university has a student number on it AND a magnetic stripe (with an identifier for that particular card) that can be used to authenticate (via swiping it in a card reader) the student to gain access to the student dorm one lives in or libraries on campus.

Authentication - AuthN

This is what happens after one is enrolled in a system and an individual has an end-point that they want to use - they have to Authenticate via any one of a number of methods to prove they are indeed the person who set up the account or was issued the identifier.

(repeated from above) This can be done in a variety of ways: sharing a secret only they know (password or PIN), sharing a changing secret that only they have access to (a code that changes on a token or in software generating a one-time password), scanning a body part to see if it matches one that was enrolled, having a thing that only they have (a phone with the SIM card in it, a debit card). Different types of technical authentication are possible for different systems, but they have the basic function of supporting the person who the identifier points at being able to prove to the system that they are the person a particular identifier points at.

Authorization - AuthZ

Once Authentication is done in a digital system the question is what resources can be accessed and what can be done to them (just read them, read and write them, delete them) - What is Authorized.

One way Authorization is managed is by defining roles and determining access based on roles.
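As an added illustration (constructed for this page, not code from the post), a small Python model walks one identifier through the three stages defined above: enrollment issues the identifier and binds a password hash and an OTP seed to it, authentication checks both factors, and authorization answers read/write/delete from roles. The one-time-password routine follows RFC 4226 HOTP; the role names and sample data are made up.

```python
"""Constructed model of enrollment, authentication and authorization.
Not a real identity system; names, roles and data are made up for this page."""
import hashlib
import hmac
import os
import secrets
import struct
import uuid
from dataclasses import dataclass, field

# AuthZ: roles map to the operations the post lists (read, read+write, delete).
ROLE_PERMISSIONS = {
    "student": {"read"},
    "librarian": {"read", "write"},
    "admin": {"read", "write", "delete"},
}

PBKDF2_ROUNDS = 100_000


@dataclass
class Account:
    identifier: str          # the identifier issued at enrollment
    salt: bytes              # per-account salt for the password hash
    password_hash: bytes     # "a secret only they know", stored hashed
    otp_seed: bytes          # "a thing only they have", shared with their token
    roles: set = field(default_factory=set)


class IdentitySystem:
    def __init__(self):
        self.accounts = {}

    @staticmethod
    def _hash_password(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def enroll(self, password, roles):
        """Enrollment: once whatever proofing the system requires has happened
        (checking documents, taking a photo), issue an identifier and bind
        credentials to it. Returns the identifier and the OTP seed to load
        into the person's token; the system keeps only the password hash."""
        identifier = str(uuid.uuid4())
        salt = os.urandom(16)
        seed = secrets.token_bytes(20)
        self.accounts[identifier] = Account(
            identifier, salt, self._hash_password(password, salt), seed, set(roles)
        )
        return identifier, seed

    @staticmethod
    def hotp(seed, counter):
        """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamic
        truncation, six decimal digits. This is the 'changing secret' a token
        generates; a real server would track and advance the counter itself."""
        mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
        offset = mac[-1] & 0x0F
        code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
        return f"{code % 1_000_000:06d}"

    def authenticate(self, identifier, password, otp, counter):
        """AuthN: the person proves they are who the identifier points at.
        Both factors must match; comparisons are constant-time, and an
        unknown identifier is rejected."""
        account = self.accounts.get(identifier)
        if account is None:
            return False
        password_ok = hmac.compare_digest(
            self._hash_password(password, account.salt), account.password_hash
        )
        otp_ok = hmac.compare_digest(self.hotp(account.otp_seed, counter), otp)
        return password_ok and otp_ok

    def authorize(self, identifier, action):
        """AuthZ: given an authenticated identifier, decide whether the requested
        action (read, write, delete) is permitted by any of its roles."""
        account = self.accounts.get(identifier)
        if account is None:
            return False
        return any(action in ROLE_PERMISSIONS.get(role, set()) for role in account.roles)


if __name__ == "__main__":
    system = IdentitySystem()
    student_id, token_seed = system.enroll("correct horse battery", ["student"])
    code = IdentitySystem.hotp(token_seed, 0)
    print("authenticated:", system.authenticate(student_id, "correct horse battery", code, 0))
    print("may read:", system.authorize(student_id, "read"))
    print("may delete:", system.authorize(student_id, "delete"))
```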

More definitions to come soon include: Delegation, Triangulation, Persona, Role, Context

by Kaliya Hamlin, Identity Woman at March 11, 2014 05:17 AM

Kaliya Hamlin

Personal Clouds, Digital Enlightenment, Identity North

Next week Thursday August 22nd is the Personal Cloud Meetup in San Francisco. It will be hosted at MSFT.  If you want to get connected to the community it is a great way to do so. Here is where you register. 

In September I'm heading to Europe for the Digital Enlightenment Forum September 18-20th. I'm excited about the program and encourage those of you in Europe who might be reading this to consider attending. We are doing a 1/2 day of Open Space (what we do at IIW) where the agenda is created live at the event.

October 1-2 is Identity North in Toronto and Vancouver. I'm working with Aran and the other organizers again. The first day will be curated talks and the 2nd day will be Open Space (what we do at IIW) where the agenda is created live at the event.

I'm heading to Investing with a Gender Lens Convergence in CT. The topic that I'm bringing there is Gender and Big Data.

I'm considering spending the week of October 7th in Boston and/or New York. If you think this is a good idea and want to meet with me or make something happen out there that week, let me know.

NSTIC's next IDESG Plenary is the week of October 14th in Washington, DC.

Then it's the Internet Identity Workshop October 22-24th in Mountain View.

The next thing on my calendar is a tentative date in December for the UnMoney Convergence, December 10th.

Then in the new year it's She's Geeky! at the end of January.

by Kaliya Hamlin, Identity Woman at March 11, 2014 05:16 AM

Kaliya Hamlin

Personal Cloud Gathering Sept 25th - Videos from August 22

The next SF Personal Cloud Community Gathering is September 25th in downtown.

Please head over to the Eventbrite to register and learn who is speaking.

Joseph Boyle recorded and posted the presentations from the last meetup; you can find them here.

Trovebox by Jaisen Mithai

priv.ly - Daniel

Cozycloud - Benjamin Andre

Update on Nym Research - aestetix

Indie Box - Johannes Ernst

Following the presentations about the futures and what people are building now and how it links together - you can find them on the wiki.

by Kaliya Hamlin, Identity Woman at March 11, 2014 05:15 AM

Kaliya Hamlin

She's Geeky! Bay Area, January 24-26

Calling all Geeky women!

We are doing it again - a weekend of fun and connection and nerding out.

January 24-26th at Microsoft in Mountain View.

http://www.shesgeeky.org

It is one of my favorite weekends of the year. If you are a woman and you do anything related to tech or science or math, daydream about science fiction, or are a gamer, it is for you. The diversity of women is amazing.

It is a great place to practice a talk you are thinking about or have to give at some other event, talk about critical issues like NSA spying, learn about other nerdy things like bee-keeping and knitting weird math shapes.

Feel free to ask me any questions you have about it.

If you are a guy reading this...please let women friends and colleagues know about it.

by Kaliya Hamlin, Identity Woman at March 11, 2014 05:15 AM

Kaliya Hamlin

How to Join NSTIC, IDESG - A step by step guide.

The National Strategy for Trusted Identities in Cyberspace calls for the development of a private sector lead effort to articulate an identity ecosystem.

To be successful it needs participation from a range of groups.

An organization was formed to support this - the Identity Ecosystem Steering Group in alignment with the Obama administration's open government efforts.

The "joining" process is not EASY but I guess that is part of its charm. It is totally "open and free" but challenging to actually do.

PART 1 - Getting an Account on the Website!

Step 1: Go to the website: http://www.idecosystem.org

Step 2: Find this box on the right hand side of the site.

[Screenshot: IDESG-1]

Step 3: Login to the website.

You can use any e-mail address you want to do so if you click on the button labelled IDESG.

If you have a Yahoo! e-mail address OR a Google/GMail account you can use that by clicking on their respective buttons - but the next steps that follow are for the IDESG button path (recommended).

Step 4:  Click on the button circled below.

[Screenshot: IDESG-3b]

Step 5: Enter the information requested.

[Screenshot: IDESG-4]

Step 6: Pick a Time Zone!

The note in red makes it clear that when you are sent the membership agreement form to fill out in step __, you must write down the same e-mail address that you used here so they can correlate your account to your membership.

[Screenshot: IDESG-4]

Step 7: Confirm that you want an account. Click the Button.


Step 8: You Should See this Screen. Make sure you check your e-mail account - it will have a link you click on. Then you can login to the website.

[Screenshot: IDESG-6b]

Step 9: You might see this screen.

[Screenshot: IDESG-6]

Step 10: Contact the site administrator at this e-mail address: idecosystem@trustedfederal.com or phone them at (240) 403-4092.

[Screenshot: IDESG-7]

PART 2 - Filling out Membership Form on Website!

Step 11: Go to this page to access the new member registration application http://www.idecosystem.org/page/join-idesg-0   Fill out the fields of the application.

You will be asked to pick a stakeholder category. 

I recommend either the #11 Small Business and Entrepreneur category, if you are an individual who has a business,

OR the #3 Consumer Advocate Group, if you represent people in your work.

PART 3 - Sign and SEND in the form

Step 12: You will get an e-mail from the administrators of the organization with a membership agreement.

  • You need to print it out and read it or at least scan it
  • Sign it
  • Return it  (via fax OR scan -> email)

The agreement has a clause about intellectual property - this can scare some people. It is basically saying that contributions you make to public mailing lists can be posted online by the organization and used in the work outputs of the organization. It is common in technical communities and supports sharing and development of collective work products.

Step 13: You will get a confirmation from the administrators and you will be officially a member.

Trouble Shooting

How you can get involved is another post....so stay tuned.

by Kaliya Hamlin, Identity Woman at March 11, 2014 05:14 AM

Kaliya Hamlin

How to Participate in NSTIC, IDESG - A step by step guide.

The Identity Ecosystem Steering Group is a multi-stakeholder organization (see this post about how to join). Technically you can participate on the lists even if you are not a member, but it is better to go through the process of joining to be "officially" part of the organization.

If you join the IDESG it is good to actively participate in at least one active committee, because the committees are where the organization's work is done - any person or organization from any stakeholder category can participate.

The committees have mailing lists - that you subscribe to (below click through where it says Join Mailing list and put in the e-mail address you want to use, share your name and also a password).

On the list the group chats together and talks about the different work items they are focused on. They have conference calls as well to talk together (these range from once a week to once a month). You can also contact the chair of the committee and "officially" join, but that is not required.

If you are reading this and getting involved for the first time - read through this list and pick one of the committees that sound interesting to you.  They are friendly folks and should be able to help you get up to speed - ask questions and ask for help. This whole process is meant to be open and inclusive.

It might be confusing but that is ok.  You haven't learned all the language of this very particular sub-industry. Remember you can always ask me questions and I can connect you to a community of others who are engaging with this field for the first time.

The next Face to Face meeting is happening April 1-3 in Mountain View, California. It is totally open and free; you can register here. Follow just one of the committees, or maybe two, and join us there - if you can only make it for part of a day, you can come when the committee you have been following meets.

Trust Framework and Trust Mark Committee

Very important work is going on in this committee. It will define the legal, policy and technology underpinnings of the whole effort to get identities to work. Some of the questions that I have about the outcomes of this work are:

  • Will the policy and technology choices (they call these trust frameworks) respect people and their rights online?
  • Will they let people who are citizens define how they are "seen" online, or will they only permit "real name - verified identities" to be used?
  • How will end users be protected, both with policies and technologies, from the sites at which they use their digital identities and from the services that help them use their digital identities?

This group is VERY active right now - that means they are producing work very fast, and the outcome is basically the CENTRAL DOCUMENT outlining "how" this identity system will work. It needs attention to track it, ask questions and give substantive input.

The Committee Work products, Work Plan and Collaboration space.

Join the mailing list here. Documents for meetings. It meets EVERY Wednesday at 3pm EST / noon PST for two hours. To see all their documents click on this page and then on the file folder for "Functional Model AHG"

Functional Model Group

It is currently working on getting feedback on these documents:
The Functional Elements Applied PPT.
Functional Models Applied PDF to go with the PPT

Yep they are very confusing - they are confusing to me too.

Join the mailing list here - I can't find its meetings on the calendar.

To see all their documents click on this page and then on the file folder for "Functional Model AHG". The wiki is here.

Policy Committee

This committee is working on the development of policy recommendations for the White House and legislators. These will likely influence what provisions might come into law, all with the goal of helping the vision of the Identity Ecosystem being developed in this institution come into being.

The current draft of the document: IDESG Policy Committee findings on policy incentives (as best as I could find).

Join the mailing list here - It does not have meetings currently scheduled; they will be announced on the list.

To see all their documents click on this page and then on the file folder for "Policy Coordination Committee"

Use Case Committee

This group is defining all the different use-cases, that is, the stories of how regular citizens will use the system. My concern is that they have developed detailed cases such as ____ and ___ without ever speaking to real people from those groups or who have those needs. The generic use-cases about Authentication and Proofing also impact different populations of people differently, and diverse input is essential.

The use-cases are then used to define the different technology and policy building blocks in what they call a Functional Model.

Join the mailing list here - It meets every Wednesday at 4pm EST/1pm PST

To see all their documents click on this page and then on the file folder for "Use Case AHG". The wiki is here.

Security Committee

This group is looking to define a security model for use in Identity Ecosystem. It has many different sub-committees including Taxonomy, Attributes, Functional Model and Use-Cases.

The Mailing list is here.  It meets every Thursday 2pm EST/11am PST  

To see all their documents click on this page and then on the file folder for "Security Committee".

They are just starting meetings on the Security Evaluation Methodology.

Standards Committee

This committee is working on so many different things and has spawned 4 Ad-Hoc/Sub Committees.

The Standards Coordination Committee will be responsible for coordinating, reviewing, and recommending the adoption of technical standards to facilitate interoperability within the Identity Ecosystem.

The Mailing list is here -  Its Documents are here. It meets every Thursday 11am EST/8am PST

To see all their documents click on this page and then on the file folder for "Standards Committee"

Taxonomy Committee

This committee is defining the words that we use to talk about the Identity Ecosystem - such as Pseudonymous Transactions, Credentials, Attributes, Identifier.

The Mailing list is here - It meets every Thursday 12:30 EST/9:30 PST

To see all their documents click on this page and then on the file folder for "Taxonomy AHG"

Privacy Coordination Committee

The Privacy Coordination Committee will be responsible for seeing that other Committees’ work products adhere to the Privacy-enhancing and Voluntary Guiding Principle.  All work products developed from all other committees pass through this one. The model of privacy they have is oriented to the Fair Information Principles and Practices developed in the 1970's - and doesn't necessarily look at new ideas of how to manage the needs of people having dignity.

Join the Mailing List here - It meets the first Tuesday of the month at 4pm EST/1pm PST.

To see all their documents click on this page and then on the file folder for "Privacy Coordination Committee"

Financial Services Committee

This group creates space for those from the Financial Industry to contribute the specific needs of that industry into the work of the IDESG.

Join the Group Mailing List on this Page   They meet the 2nd & 4th Tuesday of every month at 11am Eastern Standard Time

To see all their documents click on this page and then on the file folder for "Financial Services Committee"

Health Care Committee

This group creates space for those from the Health Care Industry to contribute the specific needs of that industry into the work of the IDESG.

Join the Mailing List here -  It meets

To see all their documents click on this page and then on the file folder for "Health Care Committee"

Attributes Committee

Join the Mailing List here - It meets every 2nd Friday

Their wiki page is here. To see all their documents click on this page and then on the file folder for "Attributes AHG"

User Experience Working Group

Join the Meeting List here - It meets

To see all their documents click on this page and then on the file folder for "User-Experience Committee"

International Coordination Committee

The International Coordination Committee will be responsible for reviewing, and where appropriate coordinating alignment with, similar international standards and policies.

The Mailing List is here - It currently doesn't have a meeting scheduled; it will be announced on the list.

To see all their documents click on this page and then on the file folder for "International Coordination Committee"

by Kaliya Hamlin, Identity Woman at March 11, 2014 05:14 AM

March 06, 2014

Kaliya Hamlin

What is a Functional Model?

I have been working in the identity industry for over 10 years. It was not until the IDESG - NSTIC plenary, when some folks said they were working on a functional model, that I heard the term. I, as is normal for me, piped up and asked "what is a functional model"; people looked at me, looked back at the room and just kept going, ignoring my question. I have continued to ask it and no one has answered it.

I will state it out loud here again -

What is a Functional Model?

by Kaliya Hamlin, Identity Woman at March 06, 2014 07:22 PM

February 28, 2014

OpenID.net

No Oscars, But OpenID Connect Launch Receives International Raves

This past Wednesday, February 26th, the OpenID Foundation, its members and the OpenID Connect Working Group successfully launched the OpenID Connect standard in the US, Europe and Japan. The launch generated press coverage at RSA in San Francisco and the Mobile World Congress in Barcelona. This was made possible by you, our members and contributors. Thanks for a successful launch and for reaching this important milestone.

Below is the OpenID Connect launch coverage to date:

February 27, 2014
InfoWorld
Google, Microsoft, Salesforce back OpenID Connect — but it’s not enough
Despite big-name support, newly finalized OpenID Connect protocol is a security building block, not a silver bullet
http://www.infoworld.com/t/identity-management/google-microsoft-salesforce-back-openid-connect-its-not-enough-237258

The Register
OpenID Foundation launches XML-free ID handler
OpenID Connect spec touts simpler messaging
http://www.theregister.co.uk/2014/02/27/openid_foundation_launches_xmlfree_id_handler/

heiseDeveloper
OpenID Connect ratified as a standard
The standard, developed by companies such as Google, Microsoft, Deutsche Telekom and Salesforce.com, is expected sooner or later to replace OpenID 2.0 on the web, thanks in part to the enormous popularity of OAuth.
http://www.heise.de/developer/meldung/OpenID-Connect-als-Standard-ratifiziert-2126073.html

Help Net Security
OpenID Foundation launches the OpenID Connect Standard
http://www.net-security.org/secworld.php?id=16445

Golem.de
OpenID Connect completed
http://www.golem.de/news/authentifizierung-openid-connect-fertiggestellt-1402-104838.html

Cnews
Mobile operators will replace passwords with the phone number
http://www.cnews.ru/news/top/index.shtml?2014/02/26/562446

DataNews
Operators release a 'secure' alternative to Facebook Connect
http://datanews.levif.be/ict/actualite/des-operateurs-sortent-une-alternative-sure-a-facebook-connect/article-4000539065405.htm

Nikkei ITPro
"OpenID Connect" specification, adopted by Google and Microsoft, receives final approval
http://itpro.nikkeibp.co.jp/article/NEWS/20140227/539966/?top_tl1

dig.no
OpenID takes a new leap
http://www.digi.no/927406/openid-tar-ny-sats

February 26, 2014
ZDNet
Cloud-era authentication infrastructure taking shape
Google, Microsoft, Salesforce, GSMA, UK, welcome final OpenID Connect spec in effort to scale ID services across cloud, mobile
http://www.zdnet.com/cloud-era-authentication-infrastructure-taking-shape-7000026718/

ZDNet
Deutsch Telekom on cutting edge for ID management, mobile log-ins
German company puts faith in OpenID Connect to secure infrastructure, integrate SSO with partners
http://www.zdnet.com/deutsch-telekom-on-cutting-edge-for-id-management-mobile-log-ins-7000026717/

SecureIDNews
OpenID Connect enables online identity
http://secureidnews.com/news-item/openid-connect-enables-online-identity/

TechCrunch
OpenID Connect Identity Protocol Launches With Support From Google, Microsoft & Others
http://techcrunch.com/2014/02/26/openid-foundation-launches-openid-connect-identity-protocol-with-support-from-google-microsoft-others/
- Techmeme – http://www.techmeme.com/140226/p19#a140226p19
- Daily Motion – http://www.dailymotion.com/video/x1dhp1g_openid-connect-identity-protocol-launches-with-support-from-google-microsoft-others_tech
- TechCrunch Japan – http://jp.techcrunch.com/2014/02/27/20140226openid-foundation-launches-openid-connect-identity-protocol-with-support-from-google-microsoft-others/?utm_source=dlvr.it&utm_medium=twitter

T.H.E. Journal
OpenID Connect Standard Extends Digital Identities Across the Web
http://thejournal.com/articles/2014/02/26/new-openid-connect-standard-extends-digital-identities-across-the-web.aspx
- Campus Technology – http://campustechnology.com/articles/2014/02/26/new-openid-connect-standard-extends-digital-identities-across-the-web.aspx

SDTimes
The OpenID Foundation launches an authentication protocol
http://www.sdtimes.com/content/article.aspx?ArticleID=68832&page=1

WSJ MarketWatch
The OpenID Foundation Launches the OpenID Connect Standard
http://www.sdtimes.com/content/article.aspx?ArticleID=68832&page=1

Bloomberg
The OpenID Foundation Launches the OpenID Connect Standard
http://www.bloomberg.com/article/2014-02-26/asf8Wzgm0W00.html

telecompaper
OpenID members finalise OpenID Connect standard (subscription required)
http://www.telecompaper.com/news/openid-members-finalise-openid-connect-standard–998934

InformationWeek
‘Connect’: A Modern Approach to Mobile, Cloud Identity
Patrick Harding, CTO Ping Identity (contributed article)
http://www.informationweek.com/security/identity-and-access-management/connect-a-modern-approach-to-mobile-cloud-identity/d/d-id/1113894

InternetWatch
"OpenID Connect", the API standard specification for ID federation, is approved
http://internet.watch.impress.co.jp/docs/news/20140227_637343.html

RELATED NEWS
Bloomberg Businessweek
Carriers Back Mobile-Based IDs to Match Google, Facebook Service
http://www.businessweek.com/news/2014-02-24/carriers-back-mobile-based-ids-to-match-google-facebook-service

FierceWireless
U.S. operators are MIA in the GSMA’s new Mobile Connect universal login program
http://www.fiercewireless.com/story/us-operators-are-mia-gsmas-new-mobile-connect-universal-login-program/2014-02-24

LightReading
Operators See Eye-to-Eye on SIM-Based Security
http://www.lightreading.com/services-apps/mobile-services/operators-see-eye-to-eye-on-sim-based-security-/d/d-id/707918?_mc=RSS_LR_EDT

Rude Baguette
Mobile World Congress Day 1 Highlights – Connected Living, Samsung, Mobile Connect & Zuckerberg
http://www.rudebaguette.com/2014/02/25/mobile-world-congress-day-1-highlights-connected-self-samsung-zuckerberg-mobile-connect/

Mobile News
GSMA and operators to use mobile to protect digital security
http://www.mobilenewscwp.co.uk/2014/02/24/gsma-and-operators-to-use-mobile-to-protect-digital-privacy/

telecompaper
Orange to offer Mobile Connect across EMEA by 2015
http://www.telecompaper.com/news/orange-to-offer-mobile-connect-across-emea-by-2015–998177

OIDF MEMBER BLOGS AND NEWS RELEASES
Google Developers Blog
Welcome OpenID Connect
http://googledevelopers.blogspot.com/2014/02/welcome-openid-connect.html

GSMA
Leading Mobile Operators Unveil GSMA Mobile Connect Initiative to Provide Consistent and Interoperable Approach to Managing Digital Identity
http://www.gsma.com/newsroom/leading-mobile-operators-unveil-mobile-connect-initiative/

Microsoft Active Directory Team Blog
OpenID Connect is Now Final!
http://blogs.technet.com/b/ad/archive/2014/02/26/openid-connect-is-now-final.aspx

Microsoft – Mike Jones Self-Issued Blog
OpenID Connect Specifications are Final!
https://self-issued.info/?p=1191

Matias Woloski – Auth0 Blog
OpenID Connect specs are final! (with links to open source implementations)
http://blog.auth0.com/2014/02/26/openid-connect-final-spec-10/

Nat Sakimura
OpenID Connect is here! – An Identity Layer on the internet
http://nat.sakimura.org/2014/02/26/openid-connect-is-here/

OpenID Connect Released: An Identity Layer for the Internet
http://www.sakimura.org/2014/02/2277/

Ping Identity CTO Blog
Now, OpenID Connect is Real (and ratified)
https://www.pingidentity.com/blogs/cto-blog/2014/02/now-this-morning-openid-connect-became-real.html

by jfe at February 28, 2014 06:54 PM

February 26, 2014

OpenID.net

The OpenID Foundation Launches the OpenID Connect Standard

Providing Increased Security, Usability, and Privacy on the Internet

RSA 2014 and Mobile World Congress- San Francisco, CA, and Barcelona, Spain – Feb. 26, 2014 – The OpenID Foundation announced today that its membership has ratified the OpenID Connect standard.  Organizations and businesses can now use OpenID Connect to develop secure, flexible, and interoperable identity Internet ecosystems so that digital identities can be easily used across websites and applications via any computing or mobile device. OpenID Connect has been implemented worldwide by Internet and mobile companies, including Google, Microsoft, Deutsche Telekom, salesforce.com, Ping Identity, Nomura Research Institute, mobile network operators, and other companies and organizations. It will be built into commercial products and implemented in open-source libraries for global deployment.

“Widely-available secure interoperable digital identity is the key to enabling easy-to-use, high-value cloud-based services for the devices and applications that people use,” said Alex Simons, Director of Program Management for Microsoft Active Directory. “OpenID Connect fills the need for a simple yet flexible and secure identity protocol and also lets people leverage their existing OAuth 2.0 investments. Microsoft is proud to be a key contributor to the development of OpenID Connect, and of doing our part to make it simple to deploy and use digital identity across a wide range of use cases.”

OpenID Connect is an efficient, straightforward way for applications to outsource the business of signing users in to specialist identity service operators, called Identity Providers (IdPs). Most importantly, applications still manage their relationships with their customers but outsource the expensive, high-risk business of identity verification to those better equipped to professionally manage it.

The Strength of Mobile Identity

Mobile operators are placed ideally to offer identity services with their differentiated assets such as the SIM card, strong registration process, authentication, and fraud detection and mitigation processes. They have the ability to provide sufficient authentication to enable consumers, businesses and governments to interact in a private, trusted and secure environment and enable access to services. The GSMA earlier this week announced the launch of the Mobile Connect service, a collaborative initiative, supported by leading mobile operators, to develop an innovative new service that will allow consumers to securely access a wide array of digital services using their mobile phone account for authentication.

“The GSMA’s role is to work with the Mobile Operators to deliver relevant services to their customers; one such area that is growing in importance is the use of the mobile phone for authentication or identification purposes,” said Marie Austenaa, Head of Personal Data, GSMA. “In order to achieve global scale and ease of implementation both for Mobile Operators and for the Service Providers, it is important to have a consistent approach and this is what OpenID Connect provides.”

“Today is an important milestone in the evolution of online identity; the launch of OpenID Connect provides an open standard enabling global interoperability,” said Don Thibeau, Executive Director of the OpenID Foundation. “The strength of the standard is validated by industry competitors cooperating to lead the development and adoption of OpenID Connect. It is further validated by the plans for adoption by the GSMA, which represents over 800 global Mobile Network Operators.”

OpenID Connect Makes Online Transactions Easier and More Secure

OpenID Connect is the third generation of OpenID technology. Its predecessors, OpenID 1.1 and OpenID 2.0, were well received and are in production today by many well-known Internet companies worldwide.

“Google is betting big on OpenID Connect because it’s simple for developers to understand and makes it easy to federate with identity providers. It also protects users by only sharing account information that users explicitly tell us to,” said Eric Sachs, Group Product Manager for Identity. “As of today, Google offers support for OpenID Connect as an identity provider and we are excited to see how this standard will make Internet use easier for users without having to enter passwords.”

“Salesforce.com is committed to unlocking new ways for companies to build meaningful relationships with their customers, and that engagement starts with standards-based identity,” said Chuck Mortimore, vice president, Identity product management, salesforce.com. “We’ve built OpenID Connect into the core of the Salesforce1 customer platform, allowing companies to connect the next generation of apps, devices and products—delivering a unified customer experience through a single identity.”

“Today’s ratification of OpenID Connect is a big step forward in making business interaction easier and more secure,” said Ping Identity CTO Patrick Harding. “Standards are critical to supporting a new era of identity-centric business. OpenID Connect spans Web, API and mobile, making it an especially important protocol in our collective efforts to move identity from application to infrastructure.”

The formalization of OpenID Connect as an open global standard allows developers, businesses, governments, accreditors, and other interested parties to build creation and adoption of sector-specific OpenID Connect profiles into 2014 plans and priorities. Next week in London at the GSMA Headquarters, OpenID Foundation Members including Google, Microsoft, Ping Identity and others will meet with counterparts at the GSMA to begin work on ensuring interoperability across global Mobile Network Operators. The OpenID Foundation, the Open Identity Exchange, and the GSMA are collaborating on pilot and discovery projects and in 2014 will begin testing how OpenID Connect implementations can enhance online choice, efficiency, security, and privacy.

Internet identity initiatives like the UK Identity Assurance Program (IDAP) rely on open standards. The UK Cabinet Office has been a global leader in discovering how commercial identity providers and mobile network operators can contribute to the goals of its Digital By Default Strategy. The GSMA, OpenID Foundation, the Open Identity Exchange, and four leading Mobile Network Operators are collaborating on a set of tests in support of the UK IDAP program using open standards.

Why OpenID Connect?

Barely a week goes by without another news story about some Internet-facing organization suffering a damaging data breach, often including passwords, sometimes numbering in the tens of millions. The constant drumbeat of data breaches is damaging organizations’ reputations, the Internet as a whole, and in particular, the trust of Internet users worldwide.

OpenID Connect provides a simple, standard way to outsource site and application login to operators who continually invest in sophisticated authentication infrastructure and who have the specialized skills required to securely manage sign-in and detect abuse. That investment is coupled with the increased cost of helping users with lost-account recovery, password changes, and so on. The organizations that contributed to OpenID Connect are leading the way in the development of advanced authentication technologies such as risk-based authentication and multi-factor authentication and deploying them at their OpenID Connect IdPs. This ongoing investment in technology and expertise is increasingly beyond the reach of most application providers. It is not a core competence, and is thus an excellent candidate for outsourcing.

OpenID Connect builds on the foundation of successful open identity and security standards like OAuth 2.0 and TLS (also known as SSL or “https”). As a result, it is substantially easier for developers to implement and deploy than other identity protocols, enabling simpler deployments without sacrificing security.

“NRI has been actively involved in developing OpenID Connect as one of the authors. We have deployed an open source implementation of OpenID Connect as a backend technology provider for media companies, mobile operators, credit card and commerce companies,” said Nat Sakimura, Senior Researcher of Nomura Research Institute, Ltd.

OpenID Connect was developed by a working group of independent security experts and specialists from several continents at companies including Microsoft, Google, salesforce.com, Ping Identity, AOL, Nomura Research Institute, and Deutsche Telekom and tested for interoperability among over 20 implementations.

About The OpenID Foundation

The OpenID Foundation is an international non-profit organization of individuals and companies committed to enabling, promoting and protecting OpenID technologies. Formed in June 2007, the foundation serves as a public trust organization representing the open community of developers, vendors, and users. The OIDF assists the community by providing needed infrastructure and help in promoting and supporting expanded adoption of OpenID technologies. This entails managing intellectual property and brand marks as well as fostering viral growth and global participation in the proliferation of OpenID.

# # #

News Media Contacts:

Jeff Fishburn

OnPR for OpenID Foundation

jefff@onpr.com

by Don Thibeau at February 26, 2014 02:08 PM

February 25, 2014

OpenID.net

A Great Day for Internet Identity

Passwords are a pain. Internet security is difficult. And getting consensus among competing vendors, independent developers and privacy advocates seemed impossible. But OpenID Connect is finally done. This internet identity layer is already helping websites, enterprises and mobile network operators identify people. OpenID Connect enables better privacy controls and stronger (and more user friendly) authentication. Application developers have responded to the working group’s mantra, “Keep simple things simple, make complex things possible.” Given the almost daily drumbeat of data breaches, website operators, mobile application developers and enterprise architects are welcoming the increased security options OpenID Connect provides for their domains.

Standards are only as good as their adoption. And adoption is a product of the hard work of the OpenID Connect Working Group and our member organizations that have continued to support the painstaking work on building OpenID Connect:

GSMA
“The GSMA’s role is to work with the Mobile Operators to deliver relevant services to their customers; one such area that is growing in importance is the use of the mobile phone for authentication or identification purposes,” said Marie Austenaa, Head of Personal Data, GSMA. “In order to achieve global scale and ease of implementation both for Mobile Operators and for the Service Providers, it is important to have a consistent approach and this is what OpenID Connect provides.”

salesforce.com
“Salesforce.com is committed to unlocking new ways for companies to build meaningful relationships with their customers, and that engagement starts with standards-based identity,” said Chuck Mortimore, vice president, Identity product management, salesforce.com. “We’ve built OpenID Connect into the core of the Salesforce1 customer platform, allowing companies to connect the next generation of apps, devices and products—delivering a unified customer experience through a single identity.”

Ping Identity
“Today’s ratification of OpenID Connect is a big step forward in making business interaction easier and more secure,” said Ping Identity CTO Patrick Harding. “Standards are critical to supporting a new era of identity-centric business. OpenID Connect spans Web, API and mobile, making it an especially important protocol in our collective efforts to move identity from application to infrastructure.”

Nomura Research Institute Ltd.
“NRI has been actively involved in developing OpenID Connect as one of the authors. We have deployed an open source implementation of OpenID Connect as a backend technology provider for media companies, mobile operators, credit card and commerce companies,” said Nat Sakimura, Senior Researcher of Nomura Research Institute, Ltd.

by jfe at February 25, 2014 07:53 PM

February 20, 2014

OpenID.net

OpenID Connect FAQ Now Available

With the OpenID Connect specifications expected to be approved on Tuesday, February 25, 2014, a set of answers to Frequently Asked Questions has been published at http://openid.net/connect/faq/ to help answer questions people might have about OpenID Connect.

OpenID Connect is an interoperable authentication protocol based on the OAuth 2.0 family of specifications. It uses straightforward REST/JSON message flows with a design goal of “making simple things simple and complicated things possible”. It’s uniquely easy for developers to integrate, compared to any preceding Identity protocol.

Regards,
Don

by jfe at February 20, 2014 05:40 PM

February 18, 2014

OpenID.net

OpenID Connect Launch: Statements of Support

Last week I blogged about how we are in the final stretch of launching OpenID Connect on Thursday, February 26, 2014 at RSA in San Francisco, Mobile World Congress in Barcelona and in Tokyo with OpenID Foundation Japan. In that blog, I mentioned some of the industry leaders who have been and will be adopting the OpenID Connect standard. As a follow-up to my comments from last week, below are some of the statements of support for OpenID Connect received thus far:

Microsoft
“Widely-available secure interoperable digital identity is the key to enabling easy-to-use, high-value cloud-based services for the devices and applications that people use,” said Alex Simons, Director of Program Management for Microsoft Active Directory. “OpenID Connect fills the need for a simple yet flexible and secure identity protocol and also lets people leverage their existing OAuth 2.0 investments. Microsoft is proud to be a key contributor to the development of OpenID Connect, and of doing our part to make it simple to deploy and use digital identity across a wide range of use cases.”

Google
“Google is betting big on OpenID Connect because it’s simple for developers to understand and makes it easy to federate with identity providers. It also protects users by only sharing account information that users explicitly tell us to,” said Eric Sachs, Group Product Manager for Identity. “As of today, Google offers support for OpenID Connect as an identity provider and we are excited to see how this standard will make Internet use easier for users without having to enter passwords.”

ForgeRock
“There is more pressure than ever for CIOs to drive revenue and new business models across mobile platforms,” said Lasse Andresen, CTO, ForgeRock. “OpenID Connect is an essential standard for any organization wanting a simple, repeatable approach for extending identity relationships to any device and directly impacting top-line revenue.”

Additional statements of support are forthcoming and I will include those in a follow-up blog.

-Don

by jfe at February 18, 2014 07:22 PM

February 15, 2014

Kaliya Hamlin

NSTIC - Elections & Giving It One More Go

I wrote an essay to give some context for these elections.  You can see part 1 below.

If you are a voting member of the IDESG you were just sent an invitation to vote for leadership positions.

For Management Council Chair please vote for

Salvatore D'Agostino

For at Large Delegate please vote for

Ian Glazer

Kim is the only person running for Plenary Chair and she will be great in that role.

Plenary Vice-Chair I like Colin, from New Zealand and Andrew, from Vancouver, Canada - both would be great in the position - so read and evaluate.

I am running again to represent small businesses and entrepreneurs - elections for those positions are in week or so.

The Essay:

I could write a long essay about all that, in my opinion, has gone wrong with the NSTIC process over the last  years.  I’m not doing that now.

I’m instead writing about why I still have a bit of hope for the effort and why I’m making a choice to run once again for the Identity Ecosystem Steering Group - Management Council as the representative for Small Businesses and Entrepreneurs.

Lets be REAL.
There are some serious doubts about the state of the IDESG.

They built a gi-enormous super (super monstrously, extra big, kluge tower) structure before they defined work they wanted to do.

NSTIC has metastasized yet another entity but hopefully this is the last.

The execution of the strategy never cohered and the foundations are crumbling. The execution and instantiation are fundamentally flawed.

I basically agree with these statements.

The key one, where my seeds of hope lie, is the fact that there is an entirely new organization - the IDESG is now a nonprofit corporation that is independent.

Kay Chopard Cohen, who was hired by the Secretariat to be the Executive Director of the organization, will now actually be playing that role. She had been very limited in her ability to actually lead organizational development by the man who owned the company (Trusted Federal) that won the Secretariat bid.

The NSTIC NPO will be providing funding to support the IDESG dot org so we have another year of life/runway before it has to collect dues from the private sector.

Andy Ozment from the White House came to speak at the last NSTIC meeting in Atlanta and said  - Identity is a fundamental part of any cybersecurity framework.  The outcomes of our work will be part of their framework for protecting critical infrastructure.
He reiterated the importance of the work we are doing because it requires a multi-stakeholder process to find the right way to integrate Technology, Public Policy and Public Concerns.  The solutions need to  respect privacy AND earn the trust of consumers.

The newly elected management council will be going on a multi-day retreat.  This will give us the chance to really figure things out, get in sync and from there support an effective organization emerging.

Taking the time to get to know each other, our motivations for being involved in NSTIC, hearing our highest hopes and greatest fears around the effort.
Learning about the gifts we have to bring to the project - what we have to offer and how we want to contribute.
We all share the same goal we want the organization to function effectively. What does that look like? and what are the priorities of the organization? How is staff time dedicated towards these goals/priorities?

This fall a communications firm came in and listened to those involved in the IDESG to write our “value proposition” and “differentiators”:

IDESG provides an inclusive forum for organizations, government and citizens to take on the complex issues of online security and privacy. IDESG spurs dialogue and action for common ground and common sense solutions.  

Our unique value comes from integrating public policy, individual perspectives and cross-sector industry leadership and collaboration. This dynamic partnership enhances choice and stimulates innovation and growth.

An organization that is seeking to “take on complex issues” in a way that is “inclusive” needs to actually use processes and methods that are capable of holding complexity AND being inclusive.

We as the Management Council need to grapple with HOW to do this in the emerging IDESG dot org.

We have to go beyond what has been unfolding so far.

Robert’s Rules of Order is the default modality that “everyone knows”, so it is what virtually all committees use, along with the management council.  It is fine for what it is good at - but it does not actually make space for listening to a broad group like the IDESG Plenary (or at least what could be the NSTIC plenary of 1000’s if not 10’s of thousands of people & organizations).

In committees I participate in we have a culture where you cannot object to something “unless you have a solution”, so it is suppressing the ability to raise concerns. Those who work at corporate day jobs in middle management run them under “their rules”; there is no space for collective discernment and consensus to emerge.

We also have the challenge that committees of the plenary were formed, and the “work products” they would focus on were outlined in detail, before there ever was a management council.  Who defined them? David Temoshok via the NSTIC NPO also wrote an entire work plan of how they saw getting to the “end work product” of an Identity Ecosystem Framework.

Instead of bringing the government’s version of a potential work plan and the government’s idea of what committees should be brought into being and why to the newly formed IDESG and working with the Management Council’s elected stakeholder delegates to figure out a work plan for this private sector led organization.

It ended up that because the NPO was the main instigator (via the Secretariat that they funded to support the functioning of the IDESG) of the first meeting of the IDESG in Chicago - it set all the committees in motion before a management council ever existed.

Committee topics were just single words like “Security” or “Standards” and people who were in attendance went to these first meetings and then “elected leaders” out of the blue at those initial meetings.  These leaders have all been defining what they thought a particular group of people who were interested in “Trust Frameworks” or “International Outreach” or “Privacy” should do - and muddling through how they thought they should relate/work together.  All of this was done outside of any connection or interaction with the Management Council.

This alone should make clear some of the origins of why people have doubts about the organization.

So the leadership retreat we will be having is key - it will give us a chance to re-set, get in sync - really for the first time and provide LEADERSHIP.

We as a management council discern what we want to accomplish - to find agreement amongst ourselves regarding what a Trust Framework actually is and how we as an organization/community tasked with helping

The gap between the optics of everything going well and the substance of what is happening has to be closed in the coming year or there will be no IDESG.

The NPO has gone to great lengths to ensure that appearances of the organization functioning are “kept up”.  Of course that is their job - they need to have it look good so they can continue funding and avoid congressional investigation.

The reality is that the NSTIC / IDESG regulars see through the image of it working.

Example 1) [self-censored]

Example 2) [self-censored]  For this election I went through the list of all the members of the organization; there were only 4 State, Tribal and City governments who are members of the IDESG. There are only 5 Relying Parties that are members of the IDESG - these are two groups who play critical roles in the ecosystem and well, they are barely represented. [self-censored]

Example 3) We have consensus on what any of the following words actually mean.

  • an Identity Ecosystem,
  • a Trust Framework
  • an Identity Ecosystem Framework

I have rough outlines of the remainder of this essay but I ran out of time to finish it. I will post part 2 in the coming days.

by Kaliya Hamlin, Identity Woman at February 15, 2014 07:25 PM

February 11, 2014

OpenID.net

Vote for Final OpenID Connect Specifications and Implementer’s Drafts is Open

The vote is closed.

Please vote now at https://openid.net/foundation/members/polls/80.

The OpenID Connect Working Group recommends approval of the following specifications as Final OpenID Specifications:

The working group also recommends approval of the following specifications as OpenID Implementer’s Drafts:

  • OpenID Connect Session Management – Defines how to manage OpenID Connect sessions, including logout functionality.
  • OAuth 2.0 Form Post Response Mode – Defines how to return OAuth 2.0 Authorization Response parameters (including OpenID Connect Authentication Response parameters) using HTML form values that are auto-submitted by the User Agent using HTTP POST.

A Final Specification provides intellectual property protections to implementers of the specification and is not subject to further revision. An Implementer’s Draft is a stable version of a specification also providing intellectual property protections, but that is subject to further revision before becoming a final specification.

The official voting period will be between Tuesday, February 18 and Tuesday, February 25, 2014, following the 60 day review of the specifications. For the convenience of members, voting will actually open a week before Tuesday, February 18 on Tuesday, February 11 for members who have completed their reviews by then, with the voting period still ending on Tuesday, February 25, 2014.

If you’re not already a member, or if your membership has expired, please consider joining to participate in the approval vote. Information on joining the OpenID Foundation can be found at https://openid.net/foundation/members/registration.

A description of OpenID Connect can be found at http://openid.net/connect/. The working group page is http://openid.net/wg/connect/.

Locations for the proposed Final Specifications are:

Locations for the proposed Implementer’s Drafts are:

– Michael B. Jones, OpenID Foundation Secretary

by Mike Jones at February 11, 2014 06:38 PM

February 07, 2014

OpenID.net

In the Final Stretch of Launching OpenID Connect

After 4 years of painstaking (and occasionally painful) collaboration among industry competitors, we are a few weeks away from launching OpenID Connect at the RSA Conference in San Francisco, in Tokyo via OpenID Foundation Japan and Mobile World Congress in Barcelona with the GSMA. This is an important milestone in the evolution of online identity providing an open standard enabling global interoperability. More simply said, this helps move us away from the use of passwords. And in light of yet more breaches, the sooner the better.

Standards are as strong as the sum of those that adopt them. OpenID Connect has been and will be adopted by Internet leaders worldwide including Google, Microsoft, Nomura Research, mobile network operators and so many others that I’ll blog just on that. Connect is now a part of product roadmaps across industry sectors, built into global commercial products and implemented in open-source libraries for deployment.

While we are in the final stretch of launching OpenID Connect, now the hard work begins. It’s time to roll-up the sleeves and focus on continued promotion, global adoption and proving the power of the standard. The week following launch in London at the GSMA Headquarters, OpenID Foundation Members such as Google, Microsoft, Ping Identity and others will meet with counterparts at the GSMA to begin work on ensuring interoperability across 850+ global Mobile Network Operators. The OpenID Foundation, the Open Identity Exchange, and the GSMA are collaborating on pilot and discovery projects and in 2014 will begin testing how OpenID Connect implementations can enhance online choice, efficiency, security and privacy.

These 2014 efforts beginning with the GSMA complement the work that companies like Verizon, Daon and others have in flight in US NSTIC pilots and in the UK with the IDAP program, and benefit from the leading edge deployments in Japan. Thanks to all of you who labored long to reach this important milestone. I look forward to our work together in 2014.

Don

by jfe at February 07, 2014 04:50 PM

February 06, 2014

OpenID.net

Result of First Election for Corporate Member Board Seat

Beginning in 2014 and each year thereafter, Corporate Members of the OpenID Foundation will elect a member to represent them on the OIDF board. All corporate members were eligible to nominate themselves, second the nominations of others who self-nominate, and vote for candidates. It is rare that the OpenID Foundation suffers from an embarrassment of riches but we just had that happen in the candidacy of three well-qualified candidates – Lasse Andresen from ForgeRock, Chuck Mortimore from Salesforce.com and Torsten Lodderstedt from Deutsche Telekom. I agree with Chuck Mortimore’s comment that any one of the candidates would do a fine job.

The voting closed on February 5, and I am very pleased to announce the election of Torsten Lodderstedt as the Corporate member representative to the Board of Directors. Board participation is a substantial investment of time and energy and requires painstaking consensus building. We sincerely thank Lasse, Chuck and Torsten for their candidacies and congratulate Torsten for his election. As their elected corporate Director, Torsten will help build our partnership with the GSMA and guide the role OIDF will play in facilitating faster and broader adoption of open identity standards like OpenID Connect and Account Chooser. Torsten’s candidate statement follows below.

Regards,

Don Thibeau

Torsten Lodderstedt, Deutsche Telekom Candidate Statement
In my daily work as Product Owner for identity management services at Deutsche Telekom I see an increasing demand for secure, powerful, and easy-to-use identity management protocols due to cloud-based business models and e-Government. The OpenID foundation addresses this demand through the results of its working groups. Especially OpenID Connect will allow the foundation to foster the secure and interoperable implementations of various innovative cloud and app use cases and therewith gain more visibility in the mainstream of the industry. As a director of the OIDF I will contribute needs and lessons learned from daily business to the work of the foundation, with a focus on European businesses/organizations as well as the Telco operators. Within working groups I will advocate to always seek for a balance between innovation and maturity in protocol design. I will drive adoption of OpenID within Deutsche Telekom and promote it at other operators and other organisations throughout Germany and Europe. In order to support the OIDF’s working groups, Deutsche Telekom’s IDM team will adopt OIDF standards early (in alignment with DT’s business needs) and continuously contribute experiences to the respective working group. We will also continue to participate in interop tests. In 2014, I see two major focus areas. First, the OpenID Connect specifications must be finalized. Second, the foundation should drive the adoption of OpenID Connect throughout industry and government beyond early adopters, from small business to enterprises and government agencies. I also think it is important to promote the idea of id federation in general as means to leverage reach and verified identity data to new/small business. In the end, OpenID should become mainstream and also substitute home grown “login with OAuth” solutions, OpenID 2.0, and SAML. I will work with GSMA and Telco operators towards industry-wide adoption of OpenID.
My contributions are based on more than 18 years of experience as engineer, architect, and product owner in the software industry, especially 7 years of practical experience in development, operation, and marketing of large-scale identity management services for both Internet and Telco services. Moreover, I have been contributing to the work of the OpenID Connect and OAuth working group for 3 years now.

by jfe at February 06, 2014 08:22 PM

February 05, 2014

OpenID.net

14 Day Notice of Vote for Final OpenID Connect Specifications and Implementer’s Drafts

The official voting period will be between Tuesday, February 18 and Tuesday, February 25, 2014, following the 60 day review of the specifications. For the convenience of members, voting will actually open a week before Tuesday, February 18 on Tuesday, February 11 for members who have completed their reviews by then, with the voting period still ending on Tuesday, February 25, 2014.

If you’re not already a member, or if your membership has expired, please consider joining to participate in the approval vote. Information on joining the OpenID Foundation can be found at https://openid.net/foundation/members/registration.

A description of OpenID Connect can be found at http://openid.net/connect/. The working group page is http://openid.net/wg/connect/.

The vote will be conducted at https://openid.net/foundation/members/polls/80.

– Michael B. Jones, OpenID Foundation Secretary

by Mike Jones at February 05, 2014 01:57 AM

December 21, 2013

OpenID.net

Review of Proposed Final OpenID Connect Specifications and Implementer’s Drafts

The OpenID Connect Working Group recommends approval of the following specifications as Final OpenID Specifications:

The working group also recommends approval of the following specifications as OpenID Implementer’s Drafts:

  • OpenID Connect Session Management – Defines how to manage OpenID Connect sessions, including logout functionality.
  • OAuth 2.0 Form Post Response Mode – Defines how to return OAuth 2.0 Authorization Response parameters (including OpenID Connect Authentication Response parameters) using HTML form values that are auto-submitted by the User Agent using HTTP POST.

A Final Specification provides intellectual property protections to implementers of the specification and is not subject to further revision. An Implementer’s Draft is a stable version of a specification also providing intellectual property protections, but that is subject to further revision.

This note starts the 60 day public review period for the specification drafts in accordance with the OpenID Foundation IPR policies and procedures. This review period will end on Tuesday, February 18, 2014. Unless issues are identified during the review that the working group believes must be addressed by revising the drafts, this review period will be followed by a seven day voting period during which OpenID Foundation members will vote on whether to approve these drafts as Final Specifications and Implementer’s Drafts. For the convenience of members, voting may begin up to two weeks before Tuesday, February 18th, with the voting period still ending on Tuesday, February 25, 2014.

A description of OpenID Connect can be found at http://openid.net/connect/. The working group page is http://openid.net/wg/connect/. Information on joining the OpenID Foundation can be found at https://openid.net/foundation/members/registration. If you’re not already a member, please consider joining to participate in the approval vote.

You can send feedback on the specifications in a way that enables the working group to act upon your feedback by (1) signing the contribution agreement at http://openid.net/intellectual-property/ to join the working group (please specify that you are joining the “AB+Connect” working group on your contribution agreement), (2) joining the working group mailing list at http://lists.openid.net/mailman/listinfo/openid-specs-ab, and (3) sending your feedback to the list.

Locations for the proposed Final Specifications are:

Locations for the proposed Implementer’s Drafts are:

These informational Implementer’s Guides also accompany these specifications:

Locations for the accompanying Implementer’s Guides are:

– Michael B. Jones, OpenID Foundation Secretary

UPDATE: The working group has updated the non-normative sentence in Section 3.3.1, item 5 of the Core specification to apply an editorial correction. The originally posted version is available at the location below to facilitate comparison between the original version and the current version with the correction applied:

by Mike Jones at December 21, 2013 05:49 AM

November 15, 2013

OpenID.net

OpenID® Trademark and Service Mark License

The OIDF board recently voted to adopt an OpenID Trademark and Service Mark License policy. The following are some of the guidelines regarding acceptable uses of OIDF trademarks outlined in the license:

  • The owner of OIDF marks must be clearly identified as the “OpenID Foundation”. For example, “OpenID® is a trademark (registered in numerous countries) of the OpenID Foundation”.
  • To describe or reference OIDF specifications, documents, software, or other products listed at the OIDF web sites
  • To describe non-OIDF products that implement the required features and operations of OIDF Products. Required features and operations are defined within specifications. Representations that products or services comply with OIDF specifications must clearly indicate that the representations are made by the licensee and not by the OIDF
  • OIDF Trademarks must be used in a way that accurately reflects the status associated with the OIDF Products. The status of an OIDF document describes the context in which the product was developed including the publication date, intellectual property disclosures (e.g., copyright or patent terms), location (URI), its publication level (Draft, Implementer’s Draft, Final Specification, Note, Whitepaper), and future expectations regarding OIDF Products
  • OIDF Trademarks may not be used to indicate any kind of endorsement by the OIDF, official status with respect to the OIDF, or any kind of relationship with the OIDF aside from a representation that the above requirements have been met.
  • OIDF will audit the use of the OIDF trademarks to determine compliance with these terms of the license
  • No right to create modifications or derivatives of OIDF Trademarks is granted pursuant to the license

Please contact me if you have any questions regarding the OIDF trademark license and policies.

Regards,

Don Thibeau
OIDF Executive Director

by jfe at November 15, 2013 06:28 PM

November 08, 2013

OpenID.net

Microsoft publicly participates in OpenID Connect interoperability testing. | Thread Safe

While the testing of Windows Azure Active Directory (WAAD) support for OpenID Connect has been going on for some months, Microsoft is now publicly participating in the OSIS interoperability testing.

While most people think of Connect as being adopted by Social sites like Google for Login, it is also gaining traction in enterprise targeted services like WAAD, Ping Federate and PingAccess.

In combination with provisioning protocols like SCIM I expect Connect to see a fair amount of interest from Enterprises wanting a simple way to connect to the many Cloud based Software as a Service providers that they are now starting to use, as well as protecting their own enterprise API.

John B.
@ve7jtb

(SOURCE) Microsoft publicly participates in OpenID Connect interoperability testing. | Thread Safe.

by Nat Sakimura at November 08, 2013 05:21 PM

September 06, 2013

OpenID.net

Login to Your Salesforce Org with OpenID Connect in Winter ’14

The Winter ’14 release includes OpenID Connect Authentication Providers, allowing your org to be an OpenID Connect Client, and leverage an Authorization Server for user login. Let’s take a look at how this works:

If you want to walk through the protocol in detail, there’s an excellent, detailed description on Google’s Developer site.

(Source) http://blogs.developerforce.com/developer-relations/2013/09/login-to-your-salesforce-org-with-openid-connect-in-winter-14.html

by Nat Sakimura at September 06, 2013 05:00 AM

August 15, 2013

OpenID.net

Vulnerability Alert – OpenID 2.0 Implementations Vulnerabilities found in some OPs

Please be advised that a number of OpenID Authentication 2.0 server implementations were found to be vulnerable due to non-compliance with the normative requirements of the OpenID Authentication 2.0 specification.

The nature of the vulnerability
Section 11.4.2.1 of OpenID Authentication 2.0 states that “For verifying signatures an OP MUST only use private associations and MUST NOT use associations that have shared keys.” However, vulnerable implementations were not distinguishing between private and shared associations and were performing signature verification (in response to check_authentication requests) using shared associations as well.

Impact of the vulnerability
Any relying party (RP) that has established a shared association with a vulnerable OP can impersonate a victim at any other relying party by crafting a signature using its shared association. This is because the RP that receives the crafted response would not find the association handle in its own list of shared associations, would therefore treat the response as signed by one of the OP’s private associations, and would send it to the OP for verification. If the OP is implemented according to the specification, it returns false, because the handle names a shared association. However, if the OP does not distinguish between the two types of association, it responds to the RP that the signature is valid, allowing the attacker to log in to the RP.

How to find if your OP implementation is vulnerable
The OP implementation that has this bug will not pass the following OSIS I5 test. http://test-id.org/OP/CheckAuthSharedSecret.aspx
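As an added illustration (not code from the alert or from any OP implementation), the following Python model of an OP’s check_authentication handler shows the compliant check from section 11.4.2.1 beside the non-compliant behaviour described above, exercised with the kind of request the OSIS I5 test sends. Association handles, secrets, identifiers and URLs are constructed for the example.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Association:
    """An OP-side association record (constructed for this example)."""
    handle: str
    secret: bytes
    assoc_type: str   # "HMAC-SHA1" or "HMAC-SHA256"
    private: bool     # True: created by the OP for a stateless RP; False: shared with an RP


def _digest(assoc_type):
    return {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}[assoc_type]


def kv_form(params, signed):
    """OpenID 2.0 Key-Value form of the listed signed fields (name:value, one per line)."""
    return "".join(f"{name}:{params['openid.' + name]}\n" for name in signed.split(","))


def compute_sig(assoc, params):
    """Base64(HMAC(secret, kv_form of the fields named in openid.signed))."""
    message = kv_form(params, params["openid.signed"]).encode()
    mac = hmac.new(assoc.secret, message, _digest(assoc.assoc_type))
    return base64.b64encode(mac.digest()).decode()


def check_authentication(params, store, require_private=True):
    """Handle openid.mode=check_authentication and return the response fields.

    require_private=True is the behaviour section 11.4.2.1 requires: only private
    associations may be used to verify a signature here.  require_private=False
    reproduces the non-compliant behaviour from the alert (any stored association,
    including RP-shared ones, is used) and exists only to show the difference.
    """
    if params.get("openid.mode") != "check_authentication":
        return {"is_valid": "false"}
    assoc = store.get(params.get("openid.assoc_handle", ""))
    if assoc is None:
        return {"is_valid": "false"}
    if require_private and not assoc.private:
        # The RP holding this shared secret could have produced the signature itself,
        # so the OP must refuse and tell the RP to discard the handle.
        return {"is_valid": "false", "invalidate_handle": assoc.handle}
    try:
        expected = compute_sig(assoc, params)
    except KeyError:
        return {"is_valid": "false"}  # a field named in openid.signed is missing
    valid = hmac.compare_digest(expected, params.get("openid.sig", ""))
    return {"is_valid": "true" if valid else "false"}


def kv_response(fields):
    """Serialise the response in Key-Value form as the OP would send it."""
    return "".join(f"{k}:{v}\n" for k, v in fields.items())


def _assertion(handle, signed_with):
    """A constructed positive assertion (openid.mode=id_res) signed with the given association."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/openid",
        "openid.claimed_id": "https://op.example/alice",
        "openid.identity": "https://op.example/alice",
        "openid.return_to": "https://rp.example/return",
        "openid.response_nonce": "2013-08-15T20:41:00ZabcDEF",
        "openid.assoc_handle": handle,
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,signed",
    }
    params["openid.sig"] = compute_sig(signed_with, params)
    return params


def demo():
    """Run the three cases an OP test suite would cover; returns the outcomes."""
    store = {
        "priv-1": Association("priv-1", b"op-private-secret-0001", "HMAC-SHA256", private=True),
        "shared-1": Association("shared-1", b"rp-shared-secret-0001", "HMAC-SHA256", private=False),
    }
    # Case 1: normal stateless-RP flow, assertion signed by the OP's private association.
    ok = _assertion("priv-1", store["priv-1"])
    ok["openid.mode"] = "check_authentication"
    # Case 2: assertion signed with a shared handle and submitted for check_authentication
    # (what the OSIS CheckAuthSharedSecret test presents to the OP).
    shared = _assertion("shared-1", store["shared-1"])
    shared["openid.mode"] = "check_authentication"
    # Case 3: private handle, but a signed field was altered after signing.
    tampered = dict(ok)
    tampered["openid.identity"] = "https://op.example/bob"
    return {
        "private_ok": check_authentication(ok, store)["is_valid"],
        "shared_compliant": check_authentication(shared, store),
        "shared_noncompliant": check_authentication(shared, store, require_private=False)["is_valid"],
        "tampered": check_authentication(tampered, store)["is_valid"],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", kv_response(result) if isinstance(result, dict) else result)
```

A compliant OP answers case 2 with is_valid:false (and invalidate_handle), which is exactly what the OSIS I5 test checks for; the non-compliant path answers is_valid:true.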

We hope this notice was helpful. The attentiveness of the open source community is one of the safeguards maintaining the integrity of the OpenID Foundation’s standards.

Don Thibeau
Executive Director, The OpenID Foundation

by jfe at August 15, 2013 08:41 PM

July 31, 2013

OpenID.net

Second OpenID Connect Implementer’s Drafts Approved

The OpenID membership has approved the following specifications as OpenID Implementer’s Drafts in the vote held from July 23 and July 30, 2013:

  • Basic Client Profile – Simple, self-contained profile for Web-based Relying Parties using the OAuth code flow.
  • Implicit Client Profile – Simple, self-contained profile for Web-based Relying Parties using the OAuth implicit flow.
  • Messages – Defines the messages that are used by OpenID Connect.
  • Standard – Defines an HTTP binding for the Messages, for both Relying Parties and OpenID Providers.
  • Discovery – Defines how Relying Parties dynamically discover information about OpenID Providers.
  • Dynamic Registration – Defines how Relying Parties dynamically register with OpenID Providers.
  • Session Management – Defines how to manage OpenID Connect sessions, including logout functionality.
  • Multiple Response Type Encoding – Registers OAuth 2.0 “response_type” values used by OpenID Connect.

The voting results were:

  • Approve (55 votes)
  • Disapprove (0 votes)
  • Abstain (2 votes)

Total Votes: 57 (out of 245 members = 23% > 20% quorum requirement)

An Implementer’s Draft is a stable version of a specification providing intellectual property protections to implementers of the specification. The working group intends for the final specifications to be compatible with these Implementer’s Drafts.

The approved Implementer’s Drafts are available at:

A description of OpenID Connect can be found at http://openid.net/connect/. The working group page is http://openid.net/wg/connect/.

by Mike Jones at July 31, 2013 07:48 AM

OpenID.net

OpenID Connect Server in a Nutshell

Nat Sakimura has written a valuable post describing how to write an OpenID Connect server in three simple steps. It shows by example how simple it is for OAuth servers to add OpenID Connect functionality. This post is a companion to his previous post OpenID Connect in a Nutshell, which described how simple it is to build OpenID Connect clients. If you’re involved in OpenID Connect in any way, or are considering becoming involved, these posts are well worth reading.

by Mike Jones at July 31, 2013 07:08 AM

July 23, 2013

OpenID.net

Vote for Second OpenID Connect Implementer’s Drafts is Open

Please vote now at https://openid.net/foundation/members/polls/68. The vote is open between July 23 and July 30, 2013.

The OpenID Connect Working Group recommends approval of the following specifications as OpenID Implementer’s Drafts:
• Basic Client Profile – Simple, self-contained profile for Web-based Relying Parties using the OAuth code flow.
• Implicit Client Profile – Simple, self-contained profile for Web-based Relying Parties using the OAuth implicit flow.
• Messages – Defines the messages that are used by OpenID Connect.
• Standard – Defines an HTTP binding for the Messages, for both Relying Parties and OpenID Providers.
• Discovery – Defines how Relying Parties dynamically discover information about OpenID Providers.
• Dynamic Registration – Defines how Relying Parties dynamically register with OpenID Providers.
• Session Management – Defines how to manage OpenID Connect sessions, including logout functionality.
• Multiple Response Type Encoding – Registers OAuth 2.0 “response_type” values used by OpenID Connect.

An Implementer’s Draft is a stable version of a specification providing intellectual property protections to implementers of the specification. This vote follows the 45 day public review period that concluded on July 22nd.

These specifications are available at:
http://openid.net/specs/openid-connect-basic-1_0-28.html
http://openid.net/specs/openid-connect-implicit-1_0-11.html
http://openid.net/specs/openid-connect-messages-1_0-20.html
http://openid.net/specs/openid-connect-standard-1_0-21.html
http://openid.net/specs/openid-connect-discovery-1_0-17.html
http://openid.net/specs/openid-connect-registration-1_0-19.html
http://openid.net/specs/openid-connect-session-1_0-15.html
http://openid.net/specs/oauth-v2-multiple-response-types-1_0-08.html

A description of OpenID Connect can be found at http://openid.net/connect/. The working group page is http://openid.net/wg/connect/.

by Mike Jones at July 23, 2013 10:25 PM

July 22, 2013

OpenID.net

OpenID Connect / Account Chooser Meeting @ IETF 87 Berlin

OpenID Foundation is hosting a joint WG meeting at IETF 87 Berlin on Sunday, July 28.

People interested in OpenID Connect, Account Chooser, and how they relate to IETF specifications such as OAuth, JSON Web Token (JWT), and JSON Object Signing and Encryption (JOSE) are meeting at IETF #87. We will meet at 2:00 on Sunday, July 28th, and have the room all afternoon. An overview of the specifications and status will be provided.

Topics will include:

  • Interoperability
  • Compliance
  • Using the OAuth Assertion profile
  • Bootstrapping a Web session from a native client.
  • Non-Web clients
  • RS-AS communication.
  • OpenID 2.0 to Connect transition

Non Members are welcome to attend, but must be aware of the OIDF IPR policy.

NOTICE: An OpenID IPR contribution agreement is not mandatory in order to participate in this workshop. If participants provide feedback, they (on behalf of themselves and any organization they represent) are deemed to agree that: Attendee gives OIDF the right to use their feedback and comments. Attendee grants to OpenID Foundation a perpetual, irrevocable, non-exclusive, royalty-free, worldwide license, with the right to directly and indirectly sublicense, to use, copy, license, publish, and distribute and exploit the Feedback in any way, and to prepare derivative works that are based on or incorporate all or part of the Feedback for the purpose of developing and promoting OpenID Foundation specifications and enabling the implementation of the same. Also, by giving Feedback, attendee warrants that they have rights to provide this feedback. Please note that feedback is not treated as confidential and that OpenID Foundation is not required to incorporate feedback into any version of an OIDF specification.

by Nat Sakimura at July 22, 2013 11:25 PM

July 11, 2013

Kaliya Hamlin

Value Network Mapping an Ecosystem Tool

My response, two years ago to the NSTIC (National Strategy for Trusted Identities in Cyberspace) Program Office issued Notice of Inquiry about how to govern an Identity Ecosystem included a couple of models that could be used to help a community of companies & organizations in an ecosystem co-create a shared picture. A shared co-created picture is an important community asset to develop early on because it becomes the basis for a real conversation about critical issues that need to be addressed to have a successful governance emerge.

The Privacy Committee within NSTIC has a Proactive Privacy Sub-Committee, and before I went on my trip around the world (literally) a month ago, I was on one of the calls and described Value Network Mapping and was invited to share more about the model/method and how it might be used.

Value Network Maps are a tool that can help us because both the creation of the map and its subsequent use by the companies, organizations, people and governments that are participating strengthens the network.   This is important because we are dealing with a complex problem with a complex range of players. In the map below we are in the top left quadrant - we NEED strong networks to solve the problems we are tasked with solving.  If we don't have them we will end up with Chaos OR we will have a hierarchical solution imposed to drive things towards the complicated and simple but ...given the inherent nature of the problem we will NOT fully solve the problem and fall off the "cliff" on the edge between simplicity and into chaos.

(This diagram is based on the Cynefin framework developed by David Snowden, architect of children's birthday parties using complexity theory and the success of Apollo 13.)

So - what is a Value Network Map?

It models technical & business networks by figuring out the roles in any given system and then understanding the value that flows between different roles. Value flows include payment for the delivery of goods or services (these are tangible deliverables) but also intangible deliverables such as an increased level of confidence because information was shared between parties (but was not contractually obligated and no payment was made).

Drawing from Verna's book/site that lays out how to do it, there are four steps to a value network map.

1. Define the scope and boundaries, context, and purpose.

2. Determine the roles and participants, and who needs to be involved in the mapping.

3. Identify the transactions and deliverables, defining both tangibles and intangibles.

4. Validate it is complete by sequencing the transactions.

I've worked on several value network mapping projects. I worked with Journalism that Matters to document the old and new journalism ecosystem. I have led several community Value Network Mapping efforts.

This project highlights how the method can be used to talk about a present/past state, about how things happen "now". How do people today, or 20 years ago, share verified attributes with the business and government entities one does business with? If we understand the roles that exist in a paper-based version/world, how do those roles change in a future enabled with technology, how do the value flows change, and what new roles are created/needed?

A value network map can also be used to map the flow of rights and duties between different roles in an ecosystem, alongside the flow of monetary and other value.

Two years ago I went with Verna Allee (the innovator of the method) to the Cloud Identity Summit to work on a map for my organization, the Personal Data Ecosystem Consortium, focused on the "present state" map to explain what currently happens when someone visits a website and clicks on an ad to go buy something and then is asked to provide identity attributes.

We took this FCC submitted map that has the individual at the center and data flows to the businesses, government and organizations they do business with and is sold on to Data Brokers and then Data Users buy it to inform how they deal with the individual all without their awareness or consent.

We added in a wrinkle to this flow and asked what happens when an individual has to prove something (an attribute) about themselves to make a purchase.

Our hope was to do this and then work on a future state map with a Personal Cloud provider playing a key role to enable new value flows that empower the Individual with their data and enable similar transactions.

This is best viewed in PDF so if you click on the link to the document it will download.

Creating this map was an interactive process involving two dozen industry professionals that we met with in small groups. It involved using large chart paper and post-it notes and lines on the map. We came into the process with some of the roles articulated; some new roles were added as we began mapping with the community.

An example to give you a sense of what it looks like when you do it in real life is this map that shows how trust frameworks & the government's reduction of risk in the credit card system.

This was a small piece of the original map for the Personal Data Ecosystem (it did not end up getting included in the PDF version).  The roles are the orange flowers and the green arrows are tangible value flows and the blue arrows are intangible value flows.

So how could the Proactive Privacy Sub-Committee use this method?

At IIW11 one of the practitioners of value network mapping came to share the method and we broke up into small groups to map different little parts of an identity ecosystem. We had a template like this, picking four different roles and then beginning to map.

The exercise is written about here on Verna's website.

Scott David was a community member there and really saw how it was a tool to understand what was happening in systems AND to have a conversation about the flow of rights and responsibilities.

The method is best done face to face in small groups.  It helps if the groups are diverse representing a range of different perspectives.  A starting point is a use-case a story that can be mapped - what are the roles in that story and then walking through the different transactions.

So how do we "do" it? Well, a starting point is for those interested in helping lead it to identify themselves in the context of the Proactive Privacy Sub-Committee. We should work together to figure out how we lead the community using this process to figure out the privacy implications and see where the money flows for different proposed solutions.

We can try to do a session at the upcoming July or October plenary.

We could also organize to do some meetings at:

  • conferences in the next few months where we can identify 5-10 interested IDESG members to participate in mapping an ecosystem chunk for an hour or two.
  • in cities around the country where we identify 5-10 folks who want to spend an hour or two mapping an ecosystem chunk.

It would be great, if we decide to do this, if the Secretariat led by Kay in her role as Executive Director of the IDESG can support us in organizing this. (That is why we are paying them 2.5 million bucks: to help us do the work of organizing in a meaningful way.)

I am friends with Verna Allee and can ask her for advice on this; however, I think the kind of help/advice we need to really use this method and do it WELL means it would behoove us to actually use NSTIC IDESG moneys to hire Verna to engage with us in a serious way. When I wrote my NSTIC NOI I did so thinking that there would finally be monies available to pay people to do community conference building work like this. Perhaps it is not too late to do so.

by Kaliya Hamlin, Identity Woman at July 11, 2013 12:44 AM

July 01, 2013

OpenID.net

[seminar] Simplifying Enterprise IdM – OpenID Connect and SCIM

OpenID Foundation Japan’s Enterprise identity working group (EIWG) will host the following seminar. The working group is a joint working group with Japan Network Security Association’s Identity Management WG.

  • Date: July 4, 2013
  • Time: 14:00-17:00
  • Venue: Nomura Research Institute, Marunouchi Centre 9F. (Tokyo)
  • Entrance: Free
  • Capacity: 100
  • Language: Japanese

The Cloud environment has spread through the enterprise IT environment. IdM systems, which have hitherto been targeting internal audit (J-SOX) etc., need to adapt to the new environment.

RESTful identity federation technology and API management is drawing attention under such circumstances.

In this seminar, an overview will be given of the new identity federation protocol that is gaining momentum, OpenID Connect, and of the provisioning protocol which is going through the standardization process at IETF, SCIM. Through them, you will be able to understand why they are necessary and what kind of things you need to take into consideration.

In addition, there will be a comparison between OpenID Connect and SAML, not only on the technical point but also in the Cloud Provider’s activities and from the point of view of the API Economy.

Also, there will be some introduction to the implementation guideline on those protocols.

Timetable

  • 14:00-14:05 About Enterprise Identity WG, Shingo Yamanaka, OpenID Foundation Japan
  • 13:05-14:20 Things needed by the enterprise IdM now, Jun’ichi Egawa, Exgen Networks
  • 14:20-14:50 SAML to OpenID Connect – Expansion of the federation technologies
    Standardization situation in OpenID Connect and SCIM, Tatsuo Kudo, Nomura Research Institute (NRI)
  • 14:50-15:05 Break
  • 15:05-15:25 Enterprise IT OpenID Connect Usage Guideline, Tatsuo Kudo, NRI
  • 15:25-15:45 Enterprise IT SCIM Usage Guideline, Masahiko Kuwata, NEC
  • 15:45-16:05 SaaS Implementation Use case, T. Ueda, Exgen Networks
  • 16:05-16:10 Way forward for the WG and how to participate, Shingo Yamanaka, OpenID Foundation Japan
  • 16:05-16:30 Questions and Answers

To join the seminar, please see http://www.openid.or.jp/news/2013/06/74-id—openid-connectscim–.html

by Nat Sakimura at July 01, 2013 04:29 PM

June 12, 2013

Dick Hardt


Today we are informing all users of Sxipper that we will be shutting down the sxipper.com servers and not updating Sxipper to Firefox 4.0. The writing has been on the wall for a while that Sxipper might be put to rest and it was a hard decision to make. It has been over [...]

by Dick Hardt at June 12, 2013 03:34 PM

Dick Hardt


At the last OpenID Foundation board meeting I gave the presentation below. I had hoped to have posted this sooner, but my dearth of video skills meant recording to video was significantly harder than creating the presentation -- which was non-trivial itself. [...]

by Dick Hardt at June 12, 2013 03:34 PM

Dick Hardt


Products can be looked at falling into three categories: Vitamins, Painkillers and Viagra. The type of product being sold will dictate the product management, sales and marketing culture of a company.

by Dick Hardt at June 12, 2013 03:34 PM

Dick Hardt


Yesterday was my last day at Microsoft. I worked there a year. When I reflect on 2009, I think of it as the Year of Darkness. I only wrote a couple blog posts. I [...]

by Dick Hardt at June 12, 2013 03:34 PM

Dick Hardt


As one of the first Twitter users, @Dick seemed like an appropriate handle. As you can imagine, now that Twitter is popular, the @reply noise from people commenting about '@Dick Clark', '@Dick Cheney', '@Tom @Dick & @Harry' and numerous [...]

by Dick Hardt at June 12, 2013 03:34 PM

Dick Hardt


The Mozilla Identity Team recently released BrowserID, a user-centric identity initiative that uses email as the identifier. The Drupal community, typically quick to support open identity protocols, released support within 24 hrs, which shows how easy it is to implement. If you read my recent post on the OpenID Foundation, you will know [...]

by Dick Hardt at June 12, 2013 03:34 PM

Dick Hardt


Three years after the release of OAuth WRAP, OAuth 2.0 is finally an official standard as IETF RFCs 6749 and 6750. The inspiration for OAuth was to standardize how users authorize a site or application (the client) to access data at another site (the resource server). Clients wanting to access data [...]

by Dick Hardt at June 12, 2013 03:34 PM

June 08, 2013

OpenID.net

Review of Proposed Second OpenID Connect Implementer’s Drafts

The OpenID Connect Working Group recommends approval of the following specifications as OpenID Implementer’s Drafts:

  • Basic Client Profile – Simple, self-contained profile for Web-based Relying Parties using the OAuth code flow.
  • Implicit Client Profile – Simple, self-contained profile for Web-based Relying Parties using the OAuth implicit flow.
  • Messages – Defines the messages that are used by OpenID Connect.
  • Standard – Defines an HTTP binding for the Messages, for both Relying Parties and OpenID Providers.
  • Discovery – Defines how Relying Parties dynamically discover information about OpenID Providers.
  • Dynamic Registration – Defines how Relying Parties dynamically register with OpenID Providers.
  • Session Management – Defines how to manage OpenID Connect sessions, including logout functionality.
  • Multiple Response Type Encoding – Registers OAuth 2.0 “response_type” values used by OpenID Connect.

An Implementer’s Draft is a stable version of a specification providing intellectual property protections to implementers of the specification. This note starts the 45 day public review period for the specification drafts in accordance with the OpenID Foundation IPR policies and procedures. This review period will end on Monday, July 22, 2013. Unless issues are identified during the review that the working group believes must be addressed by revising the drafts, this review period will be followed by a seven day voting period during which OpenID Foundation members will vote on whether to approve these drafts as OpenID Implementer’s Drafts.

These specifications are available at:

A description of OpenID Connect can be found at http://openid.net/connect/. The working group page is http://openid.net/wg/connect/. Information on joining the OpenID Foundation can be found at https://openid.net/foundation/members/registration. If you’re not already a member, please consider joining to participate in the approval vote.

You can send feedback on the specifications in a way that enables the working group to act upon your feedback by (1) signing the contribution agreement at http://openid.net/intellectual-property/ to join the working group (please specify that you are joining the “AB+Connect” working group on your contribution agreement), (2) joining the working group mailing list at http://lists.openid.net/mailman/listinfo/openid-specs-ab, and (3) sending your feedback to the list.

UPDATE: The working group has updated some of the specifications to apply errata identified during the review period. The working group recommends that these versions be used for the Implementer’s Drafts. Any contributor may request that the 45 day review period be restarted based upon these updates, however the working group does not believe that this is necessary due to the minimal size and nature of the changes.

The original versions of the proposed Implementer’s Drafts are posted at the locations below to facilitate comparison between the original versions and those with the errata applied:

by Mike Jones at June 08, 2013 02:27 AM

June 07, 2013

OpenID.net

AB/Connect WG recommends for the 2nd Implementer’s Drafts

Today, the OpenID AB/Connect Working Group recommended to the OpenID Foundation management that the OpenID Connect drafts are ready for a vote for the 2nd Implementer’s Draft. The working group believes that the drafts have attained a stable state such that the working group does not foresee normative technical change hereafter.

The drafts that the working group recommends as Implementer’s Drafts are:


- http://openid.net/specs/openid-connect-basic-1_0-28.html

- http://openid.net/specs/openid-connect-implicit-1_0-11.html

- http://openid.net/specs/openid-connect-messages-1_0-20.html

- http://openid.net/specs/openid-connect-standard-1_0-21.html

- http://openid.net/specs/openid-connect-discovery-1_0-17.html

- http://openid.net/specs/openid-connect-registration-1_0-19.html

- http://openid.net/specs/openid-connect-session-1_0-15.html

- http://openid.net/specs/oauth-v2-multiple-response-types-1_0-08.html

With this recommendation, the OpenID Foundation secretary will be announcing the 45-day public review period.

by Nat Sakimura at June 07, 2013 06:55 PM

June 05, 2013

OpenID.net

OpenID Foundation Workshop at the European Identity Conference

Another European Identity (and Cloud) Conference has come and gone, and once again it was accompanied by an OpenID Foundation Workshop with excellent attendance as a pre-conference event. John Bradley presented OpenID Connect at the Kantara workshop as well. The presentations on OpenID Connect, Account Chooser and Backplane reached attendees from the EU, Australia, New Zealand, Japan, South Africa and all over North and South America. It was gratifying to see Mike Jones receive the recognition of OAuth 2.0 as an important protocol. Unfortunately, OIDF Board member Axel Nennker was unable to attend due to illness.

Many of the presentations and photos have now been uploaded to the conference website. Please log in using the same email address used for registration and get in touch with support@kuppingercole.com if you face any difficulty.

Dr. Mandl of Daimler was one of the attendees that expressed interest in OpenID Connect and the work of the foundation.

Don Thibeau
The OpenID Foundation

by jfe at June 05, 2013 04:47 PM

May 21, 2013

Chris Messina

17FEET. Small. Mighty. [Flickr]

factoryjoe posted a photo:

17FEET. Small. Mighty.

We’ve got new teammates on Google+!

by factoryjoe at May 21, 2013 12:04 AM


March 22, 2013

Kaliya Hamlin

She's Geeky Seattle: April 26-27

She's Geeky is coming to Seattle in April 26-27.

She's Geeky Logo

I will be heading up to facilitate and am very excited to finally have this event coming to the North West.

She's Geeky is a kind of magical event where women geeks of all kinds, gaming geeks, linux geeks, fandom geeks, crafting geeks, beekeeping geeks, drupal geeks, raspberry pi geeks, Arduino geeks, geeks in training, come together and hang out learning from each other.

Maybe we can even get some women from my native Vancouver to come down. :)

by Kaliya Hamlin, Identity Woman at March 22, 2013 09:16 PM

March 19, 2013

Kaliya Hamlin

Online Community Unconference "It's BACK!"

I am really excited to be working with a super awesome crew of leaders of the Online Community Manager Tribe - or OCTribe.  We have been considering reviving the event and the pieces have finally come together to do it.

May 21st at the Computer History Museum

Registration is Open!

I really love the other co-organizers who are all rockstar community managers.

The conference was originally produced by Forum One and I contracted with them to help design and facilitate. That event itself grew out of an invitational summit they hosted annually on online communities.  I actually attended one of these in 2004 as a replacement for Owen Davis who I worked for at the time at Identity Commons (1).

My firm Unconference.net is doing the production and facilitation for the event.

I plan to bring topics of digital identity forward at the event and hopefully get some of the amazing expertise on identity and reputation to participate in NSTIC.

by Kaliya Hamlin, Identity Woman at March 19, 2013 07:26 PM

March 14, 2013

Kaliya Hamlin

Another Bill of Rights

I did a collection called the Bill o' Rights o Rama. 

Here is a new proposed one a Gamers Bill of Rights  based on another gamers bill of rights (this one looks beautiful)

Preamble
Gamers are customers who pay publishers, developers, and retailers in exchange for software.

They have the right to expect that the software they purchase will be functional and remain accessible to them in perpetuity.

They have the right to be treated like customers and not potential criminals.

They have the right to all methods of addressing grievances accessible by other consumers.

They have the right to the game they paid for, with no strings attached beyond the game and nothing missing from the game.

Gamers' Bill of Rights
I. Gamers shall receive a full and complete game for their purchase, with no major omissions in its features or scope.

II. Gamers shall retain the ability to use any software they purchase in perpetuity unless the license specifically and explicitly determines a finite length of time for use.

III. Any efforts to prevent unauthorized distribution of software shall be noninvasive, nonpersistent, and limited to that specific software.

IV. No company may search the contents of a user's local storage without specific, limited, explicit, and game-justified purpose.

V. No company shall limit the number of instances a customer may install and use software on any compatible hardware they own.

VI. Online and multiplayer features shall be optional except in genre-specific situations where the game's fundamental structure requires multiplayer functionality due to the necessary presence of an active opponent of similar abilities and limitations to the player.

VII. All software not requiring a subscription fee shall remain available to gamers who purchase it in perpetuity. If software has an online component and requires a server connection, a company shall provide server software to gamers at no additional cost if it ceases to support those servers.

VIII. All gamers have the right to a full refund if the software they purchased is unsatisfactory due to hardware requirements, connectivity requirements, feature set, or general quality.

IX. No paid downloadable content shall be required to experience a game's story to completion of the narrative presented by the game itself.

X. No paid downloadable content shall affect multiplayer balance unless equivalent options are available to gamers who purchased only the game.

by Kaliya Hamlin, Identity Woman at March 14, 2013 12:00 AM

March 11, 2013

Kaliya Hamlin

Web Wide Sentence Level Annotation -> Hypothes.is

I first met Dan Whaley last spring via an introduction from Jim Fournier co-founder of Planetwork.  I was inspired by the vision he was working on building Hypothes.is -  a way to have sentence level annotation of news and other articles on a web wide scale. Really a foundation for peer review on the web. The motivation for his work is to support greater discernment of the truth around climate change and other key issues facing our society and our planet.  (Another area I could see this being really useful right now is around accountability in the financial system and ways to make that real.)

He asked me to be a part of the project as an advisor, particularly around identity issues and technology options for identity. He is taking my advice and coming to IIW this coming week. It's an honor to be amongst other distinguished advisors like Brewster Kahle, John Perry Barlow, Mark Surman and others.

He has been working on a development plan and has a solid one in place. He has launched a Kickstarter Campaign and stars in the video that articulates the vision of the project. If you are inspired by the vision I encourage you to contribute.

Related posts:

  1. Google+ says your name is "Toby" NOT "Kunta Kinte"
  2. Is Google+ is being lynched by out-spoken users upset by real names policy?
  3. More identity management next week.

by Kaliya Hamlin, Identity Woman at March 11, 2013 01:34 AM

Kaliya Hamlin

The Nymwars and what they mean: summary of my posts to date.

UPDATE: Google relented a bit; however, I am still waiting to see if my name of choice was approved. You can read about the process I had to go through here: The New Google Names Process

-----------------

For those of you coming from the Mercury News story on the NymWars exploding...

I STILL have my Google+ profile suspended for using a  [  .  ] as my last name.  Prior to that I had "Identity Woman" as my last name and prior to that... before I ever got a G+ profile and since I started using Gmail and Google Profiles I had a   [  *   ]as my last name. [see the complete list of posts about this whole saga below]

It is my right to choose my own name online and how I express it.  Names and identities are socially constructed AND contextual... and without the freedom to choose our own names, and the freedom to have different names (and identifiers) across different contexts we will end up with a social reality that I don't want to live in: Participatory Totalitarianism.

The last names that I have had during my life are Young, and currently Hamlin (my soon-to-be ex-husband's last name). I plan to have a last name of my own, different from either of those, within the next few years.  I do not choose to "promote" this last name as the HEADLINE of my profile in Google - that is a representation of my professional self online.  Yes, people walk up to me IRL (In Real Life) and say "Yeah! You're Identity Woman, aren't you" - yep :) .  It is, believe it or not, a "common" name for me as the G+ "requirements" call for. Just like it is common for BotGirl Questi to be called that when she is in that persona online. Botgirl has the best collection of articles on the web about #nymwars  and amazing art protesting what happened to her and all of us who have been suspended - comic book covers, songs re-written with new lyrics, impassioned monologs.

In the digital world "identifiers" are totally linkable across contexts - that is, different communities and contexts that would never meet In Real Life cross online with common identifiers. So if you don't have the freedom to choose which identifiers (name, e-mail address, phone number, physical address) you use, you don't have the freedom to keep identifiers in different contexts separate, and if you can't keep them separate, that means they are linkable. Without that freedom, you can't explore or be a part of niche communities of interest that are not mainstream or not appropriate for some other context you also belong to. Here are some examples:

  • the gambler at church,
  • the "crazy" ferret lady at work
  • the gardening gun lover
  • being part of a minority sexual community
  • proactive environmental activist working at a logging company
  • being a Buddhist in a part of the country where everyone goes to church on Sunday, and not talking about religion because they would be ostracized, OR the other way around: being a very devout Christian in a part of the country where, when they do inter-religious services, they include everyone except Christianity... and you just would rather your faith not be "public"
  • going out in the woods every few weekends dressed up like knights and ladies, while being in the Army Reserve on other ones.

This freedom to have multiple personas for multiple contexts, just like the right to vote for our government in a secret ballot box, is essential for a free society. If we do not fight for and maintain these rights, we will end up with Participatory Totalitarianism.

Google+ and my "real" name: Yes, I'm Identity Woman. My first post on Google+, surprised to find my profile suspended.... I think this will all be over very soon.

Nymwars: IRL on Google Lawns. My idea to "occupy" the lawn of Google with a colourful range of folks who want the right to choose their names.  I wrote this after I figured out a week into this that it wasn't going to end, and they hadn't just made a mistake.

danah boyd writes a very good post on How to design for social norms (and avoid angry mobs) all about the nymwars and what is/was going on. 

August 8th Google Suspension Update - they now think I should wait for business accounts.

August 27th Let's try going with the Mononym for Google+

August 28th Google+ says your name is "Toby" NOT "Kunta Kinte"

This post was written after watching Tim O'Reilly talk to Bradley Horowitz, the manager for social at Google. In it, Tim calls users asking for the right to choose their own name self-righteous and strident. I make a link to a classic American story, Roots, where Kunta Kinte, a man stolen from his village in Africa, taken to the United States, and sold into slavery, refuses to take the name his slaveowner gives him, Toby - he is whipped until he accepts this name. I asked Tim and Brad if Kunta Kinte was self-righteous for standing up for his own name... Tim said no, but that it is a self-righteous question to ask.... well, that was on Twitter and a very interesting conversation followed with several tweeters, which resulted in Tim framing what was happening as a lynch mob against Google.... you can see that in this post.

August 29th - Is Google+ is being lynched by out-spoken users upset by real names policy?

Please also check out this post about "Tone and Silencing" to understand what the underlying dynamics are in this conversation and speaking up to the powers that be.

"Bonus suppression" Google runs YouTube and they took the clip of the movie scene down for "inappropriate nudity or sexual" - it has neither, it just made a dramatic point and made them look bad. In the clip Kunta Kinte is facing the camera with part of his chest showing being whipped from behind by a white man who is working for the slaveowner until he breaks. After repeating his name is Kunta Kinte when asked what his name is, he finally says... it is Toby. 

August 30th - One Month of the Gag by Google.

September 5th - Mononym officially not accepted. I am Kaliya - Google, Get a clue.

Posted Sept 9th.

Potential Future: Google-Zon

With the nymwars unfolding (Nym = Pseudonym, Anonymous and other varieties on this theme) this video of the Google-Zon story in the year 2014 seems more prescient than ever.

EPIC in this video stands for the Electronic Personalized Information Construct

Please watch the video on the original site; the way it was done is amazing. 

The computer writes a new story for every user (sound like the Filter Bubble?) everyone contributes and in exchange gets a cut of the revenue...

Relevant background

Who is Harmed by Real Names Policies, developed by the Geek Feminism Community... prophetically, I included it in the response I wrote to the Notice of Inquiry about governance of the Identity Ecosystem as outlined in the National Strategy for Trusted Identities in Cyberspace, before I myself was affected.

by Kaliya Hamlin, Identity Woman at March 11, 2013 01:30 AM

Kaliya Hamlin

UnMoney & NewWallSt

March 11th.
TEDx New Wall St.
re-imagining banking re-built for the Information Age in Silicon Valley on a New Wall Street, as described in the attached press release, and here http://.www.TEDxNewWallStreet.org

April 24th.
UnMoney Convergence
Fosters dialogue and collaboration among the range of interesting emerging ideas around money and exchange systems, and explores connections with issues of land and property tenure. In addition to topics on alternatives to the current currency systems, we invite all who are looking at new ways to look at land tenancy and stewardship, hard currency versus energy, time and food based currencies. We are looking for synergies between folks who see the need for more grounded, materially based economics and those looking at the spiritual, energetic and values based approaches.
Register here!
Website here (might be new in a few days).

by Kaliya Hamlin, Identity Woman at March 11, 2013 01:27 AM

Kaliya Hamlin

UnMoney Convergence Topics

Tomorrow is the UnMoney Convergence - an un-conference about all sorts of topics related to money, currency, land, value, reputation, identity.

Here are the topics that people are hoping to discuss:

  • Collaborative Consumption and Sharing
  • new currencies
  • How we can work together to make the movement for community currencies stronger and more synergistic.
  • BACE Timebank- open source currency
  • What are the best ways we can move from the current debt based, imperial economic system towards a life serving, peaceful, gift economy?
  • where are the most inspiring, promising, transition currencies being conceptualized, implemented, how can we work together to help them go viral and allow people to move their money from the old system towards creating a better alternative structure.
  • Fostering robust public debate on creating "public money" so that legitimate governments can fund activities which serve people and planet rather than threaten them.
  • Deep Wealth and new currencies as an emerging language of value. A Living Systems Model of Wealth
  • The role of co-operatives in startup investment.
  • how to enable trust agility?
  • governance, mobile payments oauth/opentransact
  • Designing Intentional Community Economic Systems
  • "Co-Creating Community Economics as a Path of the Heart"
  • Working together, can we do more than just taking care of our respective unmoney "babies/pets"?
  • Going from niches to relevance.
  • Emotions in money experiments: dealing with fears
  • Crowdfinancing! technical development values based investing
  • How are other people designing an ecosystem of currencies to create engines of social action?
  • designing currencies as/like games
  • social ecosystem design and the use of currencies
  • work-share
  • micro credit;
  • time dollars
  • How to manage debt in a web based on distribution of small composable documents.
  • Ripple, Metacurrency, actual usage
  • What does unmoney tell us about changing relationships between incentives and motivation? How unmoney works as incentive and /or motivation
  • How do we teach about these alternative forms of currency and economics to potential early adopters?
  • Which of these different approaches are approaching reality?
  • What are the most pragmatic and useful? Who is making progress on deployment?
  • Teaching about money in a Sustainable MBA curriculum.
  • What kinds of alternative currencies are being used and thriving in local communities?
  • What are all the alternative types of currency - i.e. time banking, etc. Perspective of a young person coming of age and recognizing there are different ways to engage with money, currency and economics.
  • What is a sensible balance between social customs and accounting systems in the economics of the near future?
  • Currency backing methods
  • Mutual credit systems, small-scale democracy
  • What is the best example of alternative currency active today?
  • What is the best model that needs to be tested?
  • Where are the communities of trust willing to test a promising model?
  • Friendly Barter - A model of a cashless online payment developed with Tom Greco this last Winter.
  • How to share deeper value and wealth together and build an economy based on this sort of wealth.
  • Particularly interested in alternative and parallel currencies. The potential for mobile phones to disrupt in the alternative currency space.

by Kaliya Hamlin, Identity Woman at March 11, 2013 01:24 AM

Kaliya Hamlin

Info Sharing Agreements! Support it! Make it Real!

Joe Andrieu and the Information Sharing Working Group have put a lot of work and effort into creating a standard set of Information Sharing Agreements represented by a standard label. They want to invest in user research to make it really work.

I am putting in $100 and I encourage all of you to do the same. They need to raise $12,000 in the next 8 days.

See the Kickstarter Campaign here.

by Kaliya Hamlin, Identity Woman at March 11, 2013 01:20 AM