Archive for the ‘News’ Category
Posted at 10:29 pm on January 24, 2012 by Mike Jones
Nat Sakimura has written a valuable post describing OpenID Connect in a nutshell. It shows by example how simple it is for relying parties to use basic OpenID Connect functionality. If you’re involved in OpenID Connect in any way, or are considering becoming involved, his post is well worth reading.
This entry was posted on Tuesday, January 24th, 2012 at 10:29 pm and is filed under News, Specs.
You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
Posted at 9:36 am on January 3, 2012 by jfe
This is to announce the 2012 election of OpenID Foundation community board members. The Foundation plays an important role in the evolution of Internet identity technologies. Those elected will help determine what role the OIDF should play in helping facilitate faster and broader adoption of open standard identity systems.
Last year four community board members were elected to 2-year terms and so are not standing for election:
• Nat Sakimura
• Mike Jones
• John Bradley
• Kick Willemse
Other current community board members may seek re-election. They are:
• Allen Tom
• Axel Nennker
• Chris Messina
Brian Kissel has indicated he will likely not be a candidate. This is a good time to thank Brian, and all the current board members, for their time, attention and leadership over the last year.
For the purposes of the 2012 election, there are 5 confirmed sustaining members: Google, Microsoft, PayPal, Ping Identity, and Symantec. Thus, we will be electing 2 community members to the Board of Directors for 2-year terms. In order to be eligible for election, your candidacy must have been seconded by at least three other members.
The election will be conducted on the following schedule:
Nominations open: Monday, January 9
Nominations close: Monday, January 23
Election begins: Wednesday, January 25
Election ends: Wednesday, February 8
Results announced by: Wednesday, February 15
New board terms start: Thursday, March 1
Times for all dates are Noon, U.S. Pacific Time.
All members of the OpenID Foundation are eligible to nominate themselves, second the nominations of others who self-nominated, and vote for candidates. If you’re not already a member of the OpenID Foundation, we encourage you to join now at https://openid.net/foundation/members/registration.
Voting and nominations are conducted using the OpenID you registered when you joined the Foundation. Log in at https://openid.net/foundation/members/ with your OpenID to participate in the nomination and voting. If you are already a member, you will receive an email advising you the election is open and how to participate. If you experience problems participating in the election or joining the foundation, please send an email to help@oidf.org.
Board participation requires a substantial ongoing investment of time and energy. It is a volunteer effort that should not be undertaken lightly. Should you be elected, expect to be called upon to serve both on the board and on its committees where the work of the foundation is conducted. If you’re committed to OpenID and advancing open digital identity and are a person who works well with others, we encourage your candidacy. The OIDF’s Executive Committee has suggested a few questions candidates may want to publicly address in their candidate statements:
1. What is your view of the opportunity of the OpenID Foundation?
2. What are the key opportunities you see for the OpenID Foundation in 2012?
3. How will you demonstrate your commitment to the work of the foundation in terms of resources, focus and leadership?
4. What would you like to see accomplished over the next year, and how do you personally plan to make these things happen?
5. What resources can you bring to the foundation to help the foundation attain its goals?
6. What current or past experiences, skills, or interests will inform your contributions and views?
Candidates can address these questions in their election statements on various community mailing lists and at http://openid.net – especially openid-general@lists.openid.net, and via blog@oidf.org. Please forward questions, comments and suggestions to me.
Don Thibeau
Executive Director
The OpenID Foundation
Tags: board election, Foundation, vote
This entry was posted on Tuesday, January 3rd, 2012 at 9:36 am and is filed under Foundation, News.
Posted at 6:41 am on December 23, 2011 by John Bradley
The OpenID AB+Connect Working Group recommends approval of the following specifications as OpenID Implementer’s Drafts:
- Basic Client Profile – Simple self-contained specification for a web-based Relying Party. (This spec contains a subset of the information in Messages and Standard.)
- Discovery – Defines how user and provider endpoints can be dynamically discovered.
- Dynamic Registration – Defines how clients can dynamically register with OpenID Providers.
- Messages – Defines all the messages that are used in OpenID Connect. (These messages are used by the Standard binding.)
- Standard – Complete HTTP binding of the Messages, for both Relying Parties and OpenID Providers.
- Multiple Response Type Encoding – Registers OAuth 2.0 response_type values used by OpenID Connect.
An Implementer’s Draft is a stable version of a specification providing intellectual property protections to implementers of the specification. This note starts the 45 days public review period for the specification drafts in accordance with the OpenID Foundation IPR policies and procedures. This review period will end on Monday, February 6, 2012.
Unless issues are identified during the review that the working group believes must be addressed by revising the drafts, this review period will be followed by a seven day voting period during which OpenID Foundation members will vote on whether to approve these drafts as OpenID Implementer’s Drafts.
The specifications are posted at these locations:
A description of OpenID Connect can be found at http://openid.net/connect/. The working group page is http://openid.net/wg/connect/.
Information on joining the OpenID Foundation can be found at https://openid.net/foundation/members/registration. Foundation members will be asked to vote on approving these specifications as Implementer’s Drafts.
You can send feedback on the specifications in a way that enables the working group to act on your feedback by
- signing the contribution agreement at http://openid.net/intellectual-property/ to join the AB+Connect working group,
- joining the working group mailing list at http://lists.openid.net/mailman/listinfo/openid-specs-ab, and
- sending your feedback on that list.
Tags: Implementer's Draft, OpenID Connect, spec, specification, vote
This entry was posted on Friday, December 23rd, 2011 at 6:41 am and is filed under Foundation, News, Specs.
Posted at 2:37 pm on December 7, 2011 by Don Thibeau
Verizon announced today an important milestone in the Open Identity arena.
Verizon announced that it is the first ever identity provider to achieve a Level 3 US Government certification in providing identity credentials and access management to relying parties. The importance of building a standardized framework that protects valuable personal data from Internet security risks is being recognized and addressed on a global scale and national level.
Verizon has established itself as a leader that is building a foundation for an open and secure Internet-identity ecosystem that people and business can trust. Beyond providing a safeguard for digital identities, certified identity providers will help speed conversations, interactions and transactions for people, businesses and relying parties now and in the future.
As one of the pioneers in building the trust frameworks, Verizon’s leadership as an identity provider is at the heart of building this new identity ecosystem. Verizon was one of the founding members of the Open Identity Exchange (OIX), an organization that now includes the leaders in the internet, telco and data aggregation industries.
Today’s password-focused website login process is unsafe and risky and has led to personal information and data being compromised through phishing and hacking attacks on weak systems. The potentially devastating consequences associated with the hijacking and theft of digital identities highlight the need for a trusted and certified framework that relying parties can depend on for identity authentication.
OIX, its member companies and Verizon aim to provide an open framework that standardizes the security, privacy, and operation policies of identity service providers that people, businesses and governments can trust.
The Internet identity ecosystem is quickly evolving with companies playing many different roles. The OIX is focused on the roles of attribute providers, identity providers, and relying parties. Verizon is playing an important role as a leader and advocate for OpenID. We congratulate Verizon on this significant achievement.
This entry was posted on Wednesday, December 7th, 2011 at 2:37 pm and is filed under Foundation, News.
Posted at 9:03 am on October 13, 2011 by Don Thibeau
Sony announced today that a large number of accounts were hijacked using an attack based on the fact that people reuse passwords across websites. These “weakest link hijackings” are an evolution of the phishing attacks that have become so well known over the last few years.
These attacks are referred to as “weakest link hijackings” because the hackers attack websites with the weakest security, and then collect user passwords. Since it is common for users to reuse passwords across websites, hackers can then try those collected passwords against other websites like Sony as well as social network accounts, email accounts, work accounts, etc. When hackers take over the user’s social network or email account, they frequently change the user’s password on the account to lock the real user out, then use it to try to trick the user’s friends into sending money. One scam claims the person was stuck while travelling and needs money wired to them. Imagine losing access to all your contacts, email, photos, etc. and then having your friends lose thousands of dollars.
Unfortunately, it is extremely difficult for websites to protect themselves against the weaker security of these other websites. Only some of the largest websites with the most sophisticated security tools can detect these types of attacks and try to automatically reduce their impact on their own accounts, as Sony has done. Some of those websites offer users the option to add an additional layer of security to their account, for example by sending a code to their phone number each time they want to log in. However, if every website took that approach, users would revolt because of the pain it would create for them.
It’s time for website owners to wake up and realize they are probably the “weakest link.” Most websites need to stop trying to run their own login system and instead rely on third-party tools and websites that provide users with highly secure login systems. This type of login approach has become popular with websites that want to integrate with social networks, but it can also be used by any website by simply letting users choose an identity provider that runs a secure login system. It also has the advantage of making it easier for users to register for a new website on a mobile device and we all know what a hassle that can be.
Consortiums of companies such as the OpenID Foundation are working together to solve the problem of passwords and weak login systems, and are making great strides on security, usability, and privacy. With so much of our digital identities and information at stake, it’s critical that we create a better, more secure system before we see more victims of the “weakest link”.
This entry was posted on Thursday, October 13th, 2011 at 9:03 am and is filed under News.
Posted at 10:50 am on September 12, 2011 by Nat Sakimura
Since we posted in July about the availability of preliminary OpenID Connect specifications, developers have been building implementations and submitting feedback on the specs. The specs have been revised to incorporate their feedback. A new map of the specs is as follows:

The biggest difference you’ll notice is that there is now only one spec to implement for “Minimal” clients (rather than previously three). A number of people had asked that there be a single, simple, self-contained spec that basic relying parties could implement. That spec is the OpenID Connect Basic Client Profile. That’s all you need for a web-based relying party utilizing a pre-configured set of OpenID Providers.
For “Dynamic” configurations, where the set of OpenID Providers is not pre-configured, Discovery and Dynamic Client Registration capabilities are added to enable RPs to discover OP endpoints and to connect with the OP selected. This functionality is needed for “open” OpenID Connect interactions.
OpenID Providers, native client applications, and clients needing more functionality than that provided by the Basic Client Profile implement the OpenID Connect Standard binding for the OpenID Connect Messages. Finally, OPs and RPs needing session management capabilities, including logout, also implement OpenID Connect Session Management.
As you can see, the current organization remains highly modular, where implementations can build and deploy only what they need. Now that modularity is even better reflected in the way that the specs are written – particularly that there is a single, self-contained basic client specification.
In closing, we’d like to thank developers for the valuable feedback provided to date. Your input has both improved the technical content of OpenID Connect, and possibly even more importantly, made the specs simpler and easier to understand.
Tags: connect, interop, spec, specification
This entry was posted on Monday, September 12th, 2011 at 10:50 am and is filed under News, Specs, Summit Events.
Posted at 5:00 pm on July 15, 2011 by Nat Sakimura
There is now a set of functionally complete specifications for OpenID Connect. The diagram below shows the relationships between the current specs and contains links to each of them. These specifications are ready for early developer feedback and prototype implementation work. Please send feedback on them to the OpenID Artifact Binding Working Group Mailing List.
OpenID Connect uses the best practices of widely used OAuth/REST/JSON based APIs to define a standard and interoperable way to authenticate users. Developers should care because rather than having to learn a new and slightly different version of essentially the same API every time they want to integrate with a different identity provider, they can just do it in a standard way using a consistent interface. In the long run, OpenID Connect will make the web more interoperable, because it makes it easier for developers to integrate with multiple services.
FYI, the working group *is* planning to reorganize the specs to have the minimal set of OpenID Connect functionality be contained in a single document, although this will likely not be in place for a few weeks. Even before that is done, we wanted to make people aware of this set of specs now so early implementation work and technical feedback can occur. Remaining edits to the specs should consist of corrections, clarifications, and reorganization, rather than additions of significant new functionality. For now, developers should start with the (admittedly awkwardly named) OpenID Connect HTTP Redirect Binding spec.
Let the feedback and prototyping begin! [*1]

[*1] The easiest way to do so is to join the AB list at http://lists.openid.net/mailman/listinfo/openid-specs-ab, submit the contribution agreement from http://openid.net/intellectual-property/ (which you can now do online!), and then send comments to openid-specs-ab@lists.openid.net.
Tags: connect, developer, openid, spec, specification
This entry was posted on Friday, July 15th, 2011 at 5:00 pm and is filed under News, Specs.
Posted at 11:10 am on May 5, 2011 by jfe
The OpenID Foundation (OIDF), the open standard community dedicated to driving the development and broad adoption of OpenID technology, today announced that the Intel Application Security and Identity Products Group has joined the Foundation. By joining the OIDF, Intel is demonstrating their support for OpenID as a solution of choice for Internet digital identity.
Intel joins a diverse set of industry leaders including Google, Facebook, Yahoo, Microsoft, PayPal, Symantec, and Ping Identity, reflecting the growing support for OIDF’s open standards approach to digital identity. The broadening influence and impact of OpenID is demonstrated by the active engagement of these organizations and in the markets where they operate and illustrates the importance of identity solutions like OpenID across a wide ranging set of needs and use cases.
OIDF members are dedicated to accelerating open options for securely managing digital identities and are committed to extending the functionality of Internet single sign-on across a growing number of critical corporate and consumer communication channels.
“As a market leader Intel understands the importance of an open standard approach to digital identity” said Don Thibeau, executive director of the OpenID Foundation. “We are excited to have the opportunity to share in the unique expertise and the key market insights they bring to the Foundation.”
“Seamless interoperability between the Enterprise, their partners, and cloud service provider platforms starts with safe, secure, federated identity exchange,” said Girish Juneja, director, Application Security and Identity Products at Intel. “OpenID is focused on solving the identity interoperability challenge by delivering a simplified access protocol. Intel is actively engaged to further develop this standard and our Intel® Expressway Cloud Access 360 Single Sign-on product helps scale & manage OpenID deployments.”
This entry was posted on Thursday, May 5th, 2011 at 11:10 am and is filed under Press Releases.
Posted at 5:41 pm on January 8, 2011 by Amanda Richardson
Internet Identity System Said Readied by Obama Administration
2011-01-07 05:00:01.9 GMT
By James Sterngold
Jan. 7 (Bloomberg) — The Obama administration plans to announce today plans for an Internet identity system that will limit fraud and streamline online transactions, leading to a surge in Web commerce, officials said.
While the White House has spearheaded development of the framework for secure online identities, the system led by the U.S. Commerce Department will be voluntary and maintained by private companies, said the officials, who spoke on condition of anonymity ahead of the announcement.
A group representing companies including Verizon Communications Inc., Google Inc., PayPal Inc., Symantec Corp. and AT&T Inc. has supported the program, called the National Strategy for Trusted Identities in Cyberspace, or NSTIC.
“This is going to cause a huge shift in consumer use of the Internet,” said John Clippinger, co-director of the Law Lab at Harvard’s Berkman Center for Internet and Society in Cambridge, Massachusetts. “There’s going to be a huge bump and a huge increase in the amount and kind of data retailers are going to have.”
Most companies have separate systems for signing on to e-mail accounts or conducting secure online transactions, requiring that users memorize multiple passwords and repeat steps. Under the new program, consumers would sign in just once and be able to move among other websites, eliminating the inconvenience that causes consumers to drop many transactions.
Fewer Passwords
For example, once the system is in place, Google would be able to join a trusted framework that has adopted the rules and guidelines established by the Commerce Department. From that point, someone who logged into a Google e-mail account would be able to conduct other business including banking or shopping with other members of the group without having to provide additional information or verification.
Bruce McConnell, a senior counselor for national protection at the Department of Homeland Security, said NSTIC may lead to a big reduction in the size of Internet help desks, which spend much of their time assisting users who have forgotten their passwords. Because the systems would be more secure, he said, it may also result in many transactions that are now done on paper, from pharmaceutical to real estate purchases, to be done online faster and cheaper.
A draft paper outlining NSTIC was released for comment by the White House in June.
‘Who Do You Trust?’
“NSTIC could go a long way toward advancing one of the fundamental challenges of the Internet today, which is — Who do you trust?” said Don Thibeau, chairman of the Open Identity Exchange, an industry group based in San Ramon, California, representing companies that support development of the new framework.
“What is holding back the growth of e-commerce is not technology, it’s policy. This gives us the rules, the policies that we need to really move forward.”
The new system will probably hasten the death of traditional passwords, Clippinger said. Instead, users may rely on devices such as smartcards with embedded chips, tokens that generate random codes or biometric devices.
“Passwords will disappear,” said Clippinger. “They’re buggy whips. The old privacy and security conventions don’t work. You need a new architecture.”
Secure, Efficient
Development of a more advanced security system began in August 2004, when President George W. Bush issued a Homeland Security Presidential Directive that required all federal employees be given smartcards with multiple uses, such as gaining access to buildings, signing on to government websites and insuring that only people with proper clearances would have access to restricted documents. The system was intended to be more secure and more efficient.
The Obama administration advanced the process when it issued its “Cyberspace Policy Review” in 2009. One of the 10 priorities was the security identification system.
The federal government is facilitating what it calls a “foundational” system in two ways. It is developing the framework for the identification plan, and it will make a large number of government agencies, services and products available through the secure system, from tax returns to reserving campsites at national parks.
“Innovation is one of the key aspects here,” said Ari Schwartz, a senior adviser for Internet policy at the Department of Commerce. “There’s so much that could be done if we could trust transactions more.”
Schwartz said use of the system, once companies voluntarily choose to participate, may spur a range of efficiencies and e-commerce similar to the way ATM machines transformed banking, opening the way to a growing number of services little by little.
Privacy Concerns
Civil libertarians have expressed concern that the system may not protect privacy as well as the government is promising.
“If the concept were implemented in a perfect way it would be very good,” said Jay Stanley, a senior policy analyst for privacy and technology at the New York-based American Civil Liberties Union. “It’s a convenience. But having a single point of failure may not be good for protecting privacy. The devil’s really in the details.” He said the ACLU would “vehemently oppose” anything that resembled a national ID card.
Aaron Brauer-Rieke, a fellow at the Center for Democracy & Technology in Washington, a civil liberties group, said it was important that the system would be operated by private companies, not the government. He said he was concerned about how the data on consumer online transactions would be used.
“New identity systems will allow moving from one site to another with less friction and open up data flows, but might also enable new kinds of targeted advertising,” he said. “We have to make sure privacy doesn’t get lost in this.”
Schwartz and McConnell said the new system wouldn’t be a national identity card and that companies, not the government, would manage the data being passed online.
“There will not be a single data base for this information,” McConnell said.
–Editors: Elizabeth Wollman, Joe Winski
To contact the reporter on this story: James Sterngold in New York at +1-212-617-4946 or jsterngold2@bloomberg.net
To contact the editor responsible for this story: David Scheer at +1-212-617-2358 or dscheer@bloomberg.net.
This entry was posted on Saturday, January 8th, 2011 at 5:41 pm and is filed under government, News.
Posted at 2:14 pm on October 20, 2010 by Amanda Richardson
by Brian Kissel
In Q1 of 2011 PayPal, the OpenID Foundation and Janrain will be facilitating the OpenID Retail Summit hosted by PayPal in Silicon Valley. We are also in discussions with the National Retail Foundation (NRF) about their possible participation. The meeting date is tentatively being scheduled around the NRF Innovate 2011 Conference in San Francisco March 8th-10th.
Over the last few years, many industries and market segments have been embracing social sign-on and publishing solutions to increase customer engagement through online channels. Open standard technologies including OpenID, OAuth, Portable Contacts, Activity Streams, and OpenSocial are enabling organizations to better serve their customers and members while increasing the return on investment (ROI) of their online initiatives.
One market segment demonstrating accelerated adoption is online retail. For example, earlier this year Sears hosted an OpenID Summit at their headquarters in Chicago. In order to serve this segment better, the OpenID Foundation has established a Retail Advisory Committee (RAC). More information about the RAC can be found at
Prior to the Q1 OpenID Retail Summit, there are two planning sessions where retailers can participate in the development of the agenda for the event.
- PayPal Innovate 2010 Conference – San Francisco, Oct 26th-27th. We will be having a planning session on Oct 26th at this event. Anyone can sign up and get a $100 discount for the event.
- Internet Identity Workshop – Mountain View, CA Nov 2nd-4th. There will be several sessions here on leveraging social sign-on and publishing, the underlying technologies (OpenID, OAuth, Portable Contacts, Activity Streams, OpenSocial, etc.), benefits for retailers and their customers, and another opportunity to contribute to the agenda for the Retail Summit at PayPal. There will be representatives attending from Facebook, Twitter, Google, Yahoo, AOL, MySpace, Microsoft, LinkedIn, Verisign, PayPal and many other identity and social networking providers.
We hope you will consider participating in either or both of the planning events and also attending the Retail Summit at PayPal in Q1 of next year.
Tags: retail, retail advisory committee
This entry was posted on Wednesday, October 20th, 2010 at 2:14 pm and is filed under Foundation, News.