Archive for the ‘News’ Category
Posted at 12:39 pm on May 16, 2012 by jfe
European-based identity and security analyst firm, KuppingerCole, announced last week that OpenID Connect was awarded the 2012 European Identity and Cloud Award in the category for Best Innovation/New Standard. This recognition was largely based on OpenID Connect’s potential to significantly change digital identity using a simple interoperable Internet identity protocol to improve the way we interact with each other online.
According to Dave Kearns of KuppingerCole, OpenID Connect’s design philosophy to “make simple things simple and make complicated things possible” can play a critical role in creating the technical specifications (“tools”) necessary for advancing Internet identity across both traditional and evolving digital platforms.
“What’s most impressive is that this elegantly simple design resulted from the cooperation of such a diverse global set of contributors. I expect OpenID Connect to have a substantial positive impact on usable, secure identity solutions both for traditional computing platforms and mobile devices.”
As Dave sees it, OpenID Connect is to OpenID 2.0 as Gigabit Ethernet is to Bob Metcalfe’s original Ethernet. First, where integration of OpenID 2.0 requires an extension, OpenID Connect, which performs many of the same functions as OpenID 2.0, is built into the protocol and is API-friendly. Second, OpenID Connect provides a secure, flexible and interoperable identity layer on top of OAuth 2.0 specifications, enabling participants to exchange any claims relevant to their application. OAuth 2.0 on its own doesn’t define ways to authenticate users or communicate information about them. Instead, OpenID Connect uses a default set of common claims about a user (e.g., name, email address, user identifier enabling SSO) to allow digital identities to be used across websites and applications.
In an indirect but important way, OpenID Connect supports the mission of the Open Identity Exchange (OIX), which similarly suggests open source for Internet identities. The relationships, dependencies and synergies between OpenID Connect and the OIX can play an integral role in the advancement of digital identities.
OpenID Connect’s modular design “tools” give relying parties the flexibility to deploy the attributes they need to improve operational efficiency and security while remaining interoperable. From a policy standpoint, OIX helps set the stage for industry stakeholders and policymakers to create and publish the policy “rules” for open identity trust frameworks that improve the user experience and protect identity and privacy.
Together, this new open approach for creating custom “tools and rules” can play a useful role in establishing the levels of assurance and elevating trust in internet identities across multiple jurisdictions and improving the way public and private industry interacts with users over the Internet.
This entry was posted on Wednesday, May 16th, 2012 at 12:39 pm and is filed under News.
Posted at 9:27 am on April 18, 2012 by Nat Sakimura
Today at the European Identity and Cloud Conference it was announced that OpenID Connect has won the 2012 European Identity and Cloud Award for “Best Innovation / New Standard”. The OpenID Foundation and the Connect working group members want to thank Kuppinger Cole for this prestigious award and their vote of confidence in the significance of OpenID Connect.
Dave Kearns of Kuppinger Cole said this about the award:
“I’m pleased that Kuppinger Cole has granted OpenID Connect the award for Best Innovation/New Standard this year. What’s most impressive is that this elegantly simple design resulted from the cooperation of such a diverse global set of contributors. I expect OpenID Connect to have a substantial positive impact on usable, secure identity solutions both for traditional computing platforms and mobile devices. My congratulations to the OpenID Foundation!”
The application presented by the OpenID Foundation that resulted in the award follows.
European Identity & Cloud Awards 2012
| Project company: | OpenID Foundation |
| Award category: | Best Innovation / New Standard in Information Security |
1) Name of the Standard
OpenID Connect
2) Brief description of the Standard
OpenID Connect is a simple JSON/REST-based interoperable identity protocol built on top of the OAuth 2.0 family of specifications. Its design philosophy is “make simple things simple and make complicated things possible”.
While OAuth 2.0 is a generic access authorization delegation protocol, thus enabling the transfer of arbitrary data, it does not define ways to authenticate users or communicate information about them. OpenID Connect provides a secure, flexible, and interoperable identity layer on top of OAuth 2.0 so that digital identities can be easily used across sites and applications. While enabling a default set of common claims about the user (such as name, e-mail address, and a user identifier enabling SSO) to be easily employed, OpenID Connect also enables participants to exchange any claims relevant to their application using simple JSON-based data structures.
As it is based in OAuth 2.0, OpenID Connect reaches beyond the Web. OpenID Connect brings identity interactions to “apps” and “native applications” on both smart phones and traditional computing devices, in addition to Web sites.
From a security perspective, OpenID Connect was built to be able to gracefully range from the low security levels typically employed for social networks to medium security levels needed for business applications to high security requirements needed for many government applications. OpenID Connect spans this wide range of applications by using JSON-based digital signature and encryption standards.
From a privacy perspective, OpenID Connect allows the selective sharing of attributes with user consent. It also enables the use of pairwise pseudonymous identifiers, thereby avoiding correlations as appropriate.
From a business perspective, OpenID Connect meets business needs for the use of claims from multiple Claims Providers in a single context (rather than a single Identity Provider being the source of all claims for any given interaction). It enables the use of Aggregated Claims, where signed claim values can be collected and passed on by OpenID Providers and the use of Distributed Claims, where claims are passed by reference, rather than by value, and dynamically retrieved by Relying Parties.
From a design perspective, OpenID Connect’s modular design enables flexible deployments. Implementations can use only the components they need, while still remaining interoperable. For instance, “Discovery” and “Dynamic Client Registration” can be used in deployments where OpenID Providers can be chosen dynamically, whereas they aren’t needed if the site or application uses only a fixed set of OpenID Providers.
Unlike the previous version of OpenID, user identities can be e-mail addresses that people already have and know, rather than being URLs that most people have difficulty using.
3) Who is contributing to the standard?
OpenID Connect was developed in an OpenID Foundation working group. OpenID working groups are open, free of charge, to all who sign the IPR Contribution agreement. Contributors include a diverse international representation of industry and independent technology leaders: AOL, Deutsche Telekom, Facebook, Google, Microsoft, Mitre Corporation, mixi, Nomura Research Institute, PayPal, Salesforce, Yahoo! Japan, and others.
4) When is it expected to be finalized?
OpenID Connect is in the Implementer’s Draft review period. That stage is similar to the DIS (Draft International Standard) phase of the ISO process. The approval vote will complete on February 15, 2012. The OpenID Connect specifications are expected to be completed in the second half of 2012.
5) What are the key Identity management objectives?
- Interoperability
- Security
- Ease of deployment
- Flexibility
- Wide support of devices
- Enabling Claims Providers to be distinct from Identity Providers
6) Does the standard exceed key objectives?
Yes.
7) Are there live deployments?
Yes. e.g., Google, Gakunin (Japanese Universities Network), Nikkei Newspaper, etc.
Mature deployments are under way by working group participants.
8) Does the deployment touch customers/consumers/citizens? If so, what benefit(s) is the application delivering to customers/consumers/citizens?
- More secure and familiar online interactions
- Easier to use authentication and attribute sharing
9) Does the deployment successfully address one or more of the following identity issues? If so, please provide brief examples.
- Help prevent/reduce identity theft? Yes.
- Help address ease of use issues? Yes.
- Help meet regulatory requirement? Yes.
- Meet unique vertical market objectives? Yes.
10) Why should this standard win the European Identity/Cloud Award?
OpenID Connect is a significant advance in digital identity that:
- is simple to build and deploy, being based upon existing JSON/REST standards,
- spans both Web and native applications, including mobile “apps”,
- has wide support from major cloud service providers, enterprise companies, and social networking companies,
- helps combat identity theft by reducing the number of passwords in use,
- enables new Web based services and expands existing online markets,
- spurs global economic growth by enabling simple and secure exchange of verified attributes from multiple sources at Internet scale.
OpenID Connect is an important contribution to a safer, privacy protecting, and easy to use computing environment that spans the cloud, the Web, enterprises, and mobile applications and has broad industry backing. For these reasons, OpenID Connect merits the 2012 European Identity/Cloud Award.
Tags: #eic12, European Identity and Cloud Conference, European Identity Award, OpenID Connect
This entry was posted on Wednesday, April 18th, 2012 at 9:27 am and is filed under News, Press Releases, Specs.
Posted at 10:11 pm on February 16, 2012 by Nat Sakimura
The OpenID membership has approved the following specifications as OpenID Implementer’s Drafts in the vote held from February 7th to 15th, 2012:
• Basic Client Profile – Simple self-contained specification for a web-based Relying Party. (This spec contains a subset of the information in Messages and Standard.)
• Discovery – Defines how user and provider endpoints can be dynamically discovered.
• Dynamic Registration – Defines how clients can dynamically register with OpenID Providers.
• Messages – Defines all the messages that are used in OpenID Connect. (These messages are used by the Standard binding.)
• Standard – Complete HTTP binding of the Messages, for both Relying Parties and OpenID Providers.
• Multiple Response Type Encoding – Registers OAuth 2.0 response_type values used by OpenID Connect.
The voting results were:
- Approve (86 votes)
- Disapprove (1 vote)
- Abstain (2 votes)
Total Votes: 89 (out of 363 members = 25% > 20% quorum requirement)
An Implementer’s Draft is a stable version of a specification providing intellectual property protections to implementers of the specification.
The specifications are posted at these locations:
• http://openid.net/specs/openid-connect-basic-1_0-15.html
• http://openid.net/specs/openid-connect-discovery-1_0-07.html
• http://openid.net/specs/openid-connect-registration-1_0-08.html
• http://openid.net/specs/openid-connect-messages-1_0-07.html
• http://openid.net/specs/openid-connect-standard-1_0-07.html
• http://openid.net/specs/oauth-v2-multiple-response-types-1_0-03.html
A description of OpenID Connect can be found at http://openid.net/connect/.
The working group page is http://openid.net/wg/connect/.
Tags: Implementer's Draft, openid, OpenID Connect, specification
This entry was posted on Thursday, February 16th, 2012 at 10:11 pm and is filed under News, Specs.
Posted at 9:33 am on February 14, 2012 by Nat Sakimura
Thanks to all who voted for the board members who will represent the OpenID community at large for the next two years. Having received the two highest numbers of votes cast, Greg Keegstra and Axel Nennker have been elected to two-year terms. Greg is new to the board and brings a fresh eye to OpenID marketing and outreach. Axel is a returning community board member, bringing his technical expertise in mobile identity research and an informed European perspective to the Foundation. They join current community representatives John Bradley, Mike Jones, Nat Sakimura, and Kick Willemse, serving the second years of their terms. Their leadership, together with sustaining member company representatives Pam Dingle of Ping Identity, Farhang Kassaei of PayPal, Tony Nadalin of Microsoft, Nico Popp of Symantec, and Eric Sachs of Google, was important to the success of last year’s OpenID Connect Summits. This is a good time to thank Brian Kissel, Chris Messina, and Allen Tom for their service to the Foundation and the OpenID community. Brian’s leadership as Chairman of the Board was crucial to managing the Foundation’s transition from its community roots to where we are today. Chris Messina’s marketing sense and Allen Tom’s technical chops went a long way towards maintaining OIDF’s user centric perspective and industry influence.
Last year, Dave Recordon and I often talked about how the OpenID Foundation should evolve. My view was that OpenID does indeed have a “second act” and that the Foundation’s leadership of open identity standards development is important in a rapidly changing internet identity ecosystem. The sponsorship and attendance at the OpenID Summits, the hard work of the OpenID Connect WG and the promise of “Account Chooser” all indicate there is much to do and look forward to in 2012. It will be a pivotal year for OpenID and digital identity.
The new board’s first meeting on March 1 will consider long term operational and strategic issues. Feel free to make your thoughts known on this list, by contacting community representatives or me.
106 members voted in this election, casting a total of 151 votes. The results (in order of votes received) were:
- Greg Keegstra 66
- Axel Nennker 33
- George Fletcher 28
- Sébastien Brault 12
- Patrice Vuillard 6
- Yosef Vuillard 6
- David Marceau 0
Don Thibeau
Executive Director
The OpenID Foundation
Tags: board elections
This entry was posted on Tuesday, February 14th, 2012 at 9:33 am and is filed under Foundation, News.
Posted at 9:25 pm on February 7, 2012 by Nat Sakimura
Link: https://openid.net/foundation/members/polls/62
The OpenID AB+Connect Working Group recommends approval of the following specifications as OpenID Implementer’s Drafts:
• Basic Client Profile – Simple self-contained specification for a web-based Relying Party. (This spec contains a subset of the information in Messages and Standard.)
• Discovery – Defines how user and provider endpoints can be dynamically discovered.
• Dynamic Registration – Defines how clients can dynamically register with OpenID Providers.
• Messages – Defines all the messages that are used in OpenID Connect. (These messages are used by the Standard binding.)
• Standard – Complete HTTP binding of the Messages, for both Relying Parties and OpenID Providers.
• Multiple Response Type Encoding – Registers OAuth 2.0 response_type values used by OpenID Connect.
An Implementer’s Draft is a stable version of a specification providing intellectual property protections to implementers of the specification.
The specifications are posted at these locations:
• http://openid.net/specs/openid-connect-basic-1_0-15.html
• http://openid.net/specs/openid-connect-discovery-1_0-07.html
• http://openid.net/specs/openid-connect-registration-1_0-08.html
• http://openid.net/specs/openid-connect-messages-1_0-07.html
• http://openid.net/specs/openid-connect-standard-1_0-07.html
• http://openid.net/specs/oauth-v2-multiple-response-types-1_0-03.html
A description of OpenID Connect can be found at http://openid.net/connect/. The working group page is http://openid.net/wg/connect/.
Please vote at: https://openid.net/foundation/members/polls/62
The vote is open from Feb. 7 to 15.
Tags: Implementer's Draft, OpenID Connect, vote
This entry was posted on Tuesday, February 7th, 2012 at 9:25 pm and is filed under Foundation, News, Specs.
Posted at 10:29 pm on January 24, 2012 by Mike Jones
Nat Sakimura has written a valuable post describing OpenID Connect in a nutshell. It shows by example how simple it is for relying parties to use basic OpenID Connect functionality. If you’re involved in OpenID Connect in any way, or are considering becoming involved, his post is well worth reading.
Tags: specification
This entry was posted on Tuesday, January 24th, 2012 at 10:29 pm and is filed under News, Specs.
Posted at 9:36 am on January 3, 2012 by jfe
This is to announce the 2012 election of OpenID Foundation community board members. The Foundation plays an important role in the evolution of Internet identity technologies. Those elected will help determine what role the OIDF should play in helping facilitate faster and broader adoption of open standard identity systems.
Last year four community board members were elected to 2-year terms and so are not standing for election:
• Nat Sakimura
• Mike Jones
• John Bradley
• Kick Willemse
Other current community board members may seek re-election. They are:
• Allen Tom
• Axel Nennker
• Chris Messina
Brian Kissel has indicated he will likely not be a candidate. This is a good time to thank Brian, and all the current board members, for their time, attention and leadership over the last year.
For the purposes of the 2012 election, there are 5 confirmed sustaining members: Google, Microsoft, PayPal, Ping Identity, and Symantec. Thus, we will be electing 2 community members to the Board of Directors for 2-year terms. In order to be eligible for election, your candidacy must have been seconded by at least three other members.
The election will be conducted on the following schedule:
Nominations open: Monday, January 9
Nominations close: Monday, January 23
Election begins: Wednesday, January 25
Election ends: Wednesday, February 8
Results announced by: Wednesday, February 15
New board terms start: Thursday, March 1
Times for all dates are Noon, U.S. Pacific Time.
All members of the OpenID Foundation are eligible to nominate themselves, second the nominations of others who self-nominated, and vote for candidates. If you’re not already a member of the OpenID Foundation, we encourage you to join now at https://openid.net/foundation/members/registration.
Voting and nominations are conducted using the OpenID you registered when you joined the Foundation. Log in at https://openid.net/foundation/members/ with your OpenID to participate in the nomination and voting. If you are already a member, you will receive an email advising you the election is open and how to participate. If you experience problems participating in the election or joining the foundation, please send an email to help@oidf.org.
Board participation requires a substantial ongoing investment of time and energy. It is a volunteer effort that should not be undertaken lightly. Should you be elected, expect to be called upon to serve both on the board and on its committees where the work of the foundation is conducted. If you’re committed to OpenID and advancing open digital identity and are a person who works well with others, we encourage your candidacy. The OIDF’s Executive Committee has suggested a few questions candidates may want to publicly address in their candidate statements:
1. What is your view of the opportunity of the OpenID Foundation?
2. What are the key opportunities you see for the OpenID Foundation in 2012?
3. How will you demonstrate your commitment to the work of the foundation in terms of resources, focus and leadership?
4. What would you like to see accomplished over the next year, and how do you personally plan to make these things happen?
5. What resources can you bring to the foundation to help the foundation attain its goals?
6. What current or past experiences, skills, or interests will inform your contributions and views?
Candidates can address these questions in their election statements on various community mailing lists and at http://openid.net – especially openid-general@lists.openid.net, and via blog@oidf.org. Please forward questions, comments and suggestions to me.
Don Thibeau
Executive Director
The OpenID Foundation
Tags: board election, Foundation, vote
This entry was posted on Tuesday, January 3rd, 2012 at 9:36 am and is filed under Foundation, News.
Posted at 6:41 am on December 23, 2011 by John Bradley
The OpenID AB+Connect Working Group recommends approval of the following specifications as OpenID Implementer’s Drafts:
- Basic Client Profile – Simple self-contained specification for a web-based Relying Party. (This spec contains a subset of the information in Messages and Standard.)
- Discovery – Defines how user and provider endpoints can be dynamically discovered.
- Dynamic Registration – Defines how clients can dynamically register with OpenID Providers.
- Messages – Defines all the messages that are used in OpenID Connect. (These messages are used by the Standard binding.)
- Standard – Complete HTTP binding of the Messages, for both Relying Parties and OpenID Providers.
- Multiple Response Type Encoding – Registers OAuth 2.0 response_type values used by OpenID Connect.
An Implementer’s Draft is a stable version of a specification providing intellectual property protections to implementers of the specification. This note starts the 45 days public review period for the specification drafts in accordance with the OpenID Foundation IPR policies and procedures. This review period will end on Monday, February 6, 2012.
Unless issues are identified during the review that the working group believes must be addressed by revising the drafts, this review period will be followed by a seven day voting period during which OpenID Foundation members will vote on whether to approve these drafts as OpenID Implementer’s Drafts.
The specifications are posted at these locations:
A description of OpenID Connect can be found at http://openid.net/connect/. The working group page is http://openid.net/wg/connect/.
Information on joining the OpenID Foundation can be found at https://openid.net/foundation/members/registration. Foundation members will be asked to vote on approving these specifications as Implementer’s Drafts.
You can send feedback on the specifications in a way that enables the working group to act on your feedback by
- signing the contribution agreement at http://openid.net/intellectual-property/ to join the AB+Connect working group,
- joining the working group mailing list at http://lists.openid.net/mailman/listinfo/openid-specs-ab, and
- sending your feedback on that list.
Tags: Implementer's Draft, OpenID Connect, spec, specification, vote
This entry was posted on Friday, December 23rd, 2011 at 6:41 am and is filed under Foundation, News, Specs.
Posted at 2:37 pm on December 7, 2011 by Don Thibeau
Verizon announced today an important milestone in the Open Identity arena.
Verizon announced that it is the first ever identity provider to achieve a Level 3 US Government certification in providing identity credentials and access management to relying parties. The importance of building a standardized framework that protects valuable personal data from Internet security risks is being recognized and addressed on a global scale and national level.
Verizon has established itself as a leader that is building a foundation for an open and secure Internet-identity ecosystem that people and business can trust. Beyond providing a safeguard for digital identities, certified identity providers will help speed conversations, interactions and transactions for people, businesses and relying parties now and in the future.
As one of the pioneers in building the trust frameworks, Verizon’s leadership as an identity provider is at the heart of building this new identity ecosystem. Verizon was one of the founding members of the Open Identity Exchange (OIX), an organization that now includes the leaders in internet, telco and data aggregation industries.
Today’s password-focused website login process is unsafe and risky and has led to personal information and data being compromised through phishing and hacking attacks on weak systems. The potentially devastating consequences associated with the hijacking and theft of digital identities highlight the need for a trusted and certified framework that relying parties can depend on for identity authentication.
OIX, its member companies and Verizon aim to provide an open framework that standardizes the security, privacy, and operation policies of identity service providers that people, businesses and governments can trust.
The Internet identity ecosystem is quickly evolving with companies playing many different roles. The OIX is focused on the roles of attribute providers, identity providers, and relying parties. Verizon is playing an important role as a leader and advocate for OpenID. We congratulate Verizon on this significant achievement.
This entry was posted on Wednesday, December 7th, 2011 at 2:37 pm and is filed under Foundation, News.
Posted at 9:03 am on October 13, 2011 by Don Thibeau
Sony announced today that a large number of accounts were hijacked using an attack based on the fact that people reuse passwords across websites. These “weakest link hijackings” are an evolution of the phishing attacks that have become so well known over the last few years.
These attacks are referred to as “weakest link hijackings” because the hackers attack websites with the weakest security, and then collect user passwords. Since it is common for users to reuse passwords across websites, hackers can then try those collected passwords against other websites like Sony as well as social network accounts, email accounts, work accounts, etc. When hackers take over the user’s social network or email account, they frequently change the user’s password on the account to lock the real user out, then use it to try to trick the user’s friends into sending money. One scam claims the person was stuck while travelling and needs money wired to them. Imagine losing access to all your contacts, email, photos, etc. and then having your friends lose thousands of dollars.
Unfortunately, it is extremely difficult for websites to protect themselves against the weaker security of these other websites. Only some of the largest websites with the most sophisticated security tools can detect these types of attacks and try to automatically reduce their impact on their own accounts as Sony has done. Some of those websites offer users the option to add an additional layer of security to their account, for example by sending a code to their phone number each time they want to log in. However, if every website took that approach, users would revolt because of the pain it would create for them.
It’s time for website owners to wake up and realize they are probably the “weakest link.” Most websites need to stop trying to run their own login system and instead rely on third-party tools and websites that provide users with highly secure login systems. This type of login approach has become popular with websites that want to integrate with social networks, but it can also be used by any website by simply letting users choose an identity provider that runs a secure login system. It also has the advantage of making it easier for users to register for a new website on a mobile device, and we all know what a hassle that can be.
Consortiums of companies such as the OpenID Foundation are working together to solve the problem of passwords and weak login systems, and are making great strides on security, usability, and privacy. With so much of our digital identities and information at stake, it’s critical that we create a better, more secure system before we see more victims of the “weakest link”.
This entry was posted on Thursday, October 13th, 2011 at 9:03 am and is filed under News.