Archive for the ‘Uncategorized’ Category
Posted at 9:11 am on April 4, 2012 by Eric Sachs
For those who missed the recent workshop in London, there are now videos of the sessions available as well as slides.
The event itself was a big success with so much interest that we had to move it to a larger location at Microsoft’s office. We also had a live video broadcast of the event which many people watched.
The OIDF Youtube channel also has many other videos available from past OpenID summits as well as working group meetings like the recent account chooser WG meeting.
This entry was posted
on Wednesday, April 4th, 2012 at 9:11 am and is filed under Uncategorized.
You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
Posted at 4:17 pm on March 14, 2012 by Eric Sachs
In May of last year a group of security researchers identified a flaw in some OpenID implementations. They have recently identified a related flaw in some OpenID implementations. See data-confusion-bugreport (1) for their report.
The researchers contacted the main websites impacted, and those sites have deployed a fix. OpenID Foundation board members have worked to identify other websites that were impacted and similarly have them deploy a fix. There are no known examples of attacks using this technique. If your website does not use an OpenID RP implementation from one of the OpenID Foundation vendors, we suggest reading the report.
The OpenID Foundation would like to thank security researchers Rui Wang, Shuo Chen and XiaoFeng Wang for reporting their findings. You can also read their related report.
This entry was posted
on Wednesday, March 14th, 2012 at 4:17 pm and is filed under Uncategorized.
Posted at 12:54 pm on March 8, 2012 by Eric Sachs
This project has evolved in an unusual manner for the OIDF because it is primarily a service, not just a specification and open source code. So we are very interested in feedback from the community either at that event, on the OIDF general list, or on the working group list.
The service is also protocol agnostic, meaning it works with OpenID, OpenIDConnect, SAML, and just about any login protocol. It even works for websites that still authenticate users with passwords.
This entry was posted
on Thursday, March 8th, 2012 at 12:54 pm and is filed under Uncategorized.
Posted at 9:28 am on March 7, 2012 by Eric Sachs
The OpenID Foundation is hosting an OpenID workshop on March 28th. It will be held at Microsoft’s office in London. The event was originally going to be held at Google’s offices, but due to the high demand it has been moved to a location with more room. The OpenID Foundation runs a series of workshops like this one for business decision makers, as well as running other OpenID summits that are more technical.
The event is for the owners of consumer websites, citizen oriented government sites, and enterprise SaaS services to discuss how to improve login systems by using techniques such as OAuth, OpenID and an Account Chooser.
Please join us on Wednesday, March 28th, 2012 from 10:00 until 17:30 GMT.
Registration is now open at the following link: REGISTER NOW!
Location:
Microsoft London Office, Cardinal Place, 80-100 Victoria Street, United Kingdom, SW1E 5JL
AGENDA:
10-11am: OAuth as the core Internet identity protocol
- Don Thibeau (Executive Director of the OpenID Foundation and Open Identity Exchange)
- Kick Willemse (OpenID Foundation Board Member and CEO of Prooflink)
- Description: A high level overview of the protocol, and an explanation of why major technology companies have standardized on it including Google, Microsoft, Facebook, Yahoo, etc. We will also discuss how the functionality of the OpenID v2 protocol has been reimplemented on top of OAuth to create OpenID Connect. The session will also discuss the security problems of websites that run their own password based login systems.
11am-Noon: Bridging Internet Identity protocols
- Patrick Harding (CTO, Ping Identity)
- Description: While OAuth is the main protocol for new Internet identity systems, most companies still need to deal with a mix of other protocols, including their own internal sign on system across the different parts of their website, as well as for employee sign on. Learn about how to use a token management service to bridge between those different protocols.
Noon-1pm: Lunch
1pm-2pm: Using Social Login to get more out of logins than just an email
- Patrick Salyer (CEO, Gigya)
- Vidya Shivkumar (Director of Products, Janrain)
- Description: While logins used to just be about email and password, there is now the potential to do much more using popular consumer identity providers such as Twitter, Yahoo, Facebook, Google, Microsoft Live, etc. This session will discuss the success many websites have already had with this model.
2pm-3pm: Improving the user experience of sign-in using an Account Chooser
- Eric Sachs (Senior Product Manager, Identity, Google)
- Description: Google and other sites have started to roll out a new login experience called an Account Chooser. Get an overview of how it works, and learn why companies like Google are making this change. The session will also explain why it is so much easier for a website to add support for identity providers (both consumer and enterprise) after first deploying an account chooser.
3pm-3:30pm: Snack break
- The second part of the session only has room for 100 people. We will check badges at this point and you will only be able to join the second session if you registered for it online. However, everyone is welcome to join the snack break.
3:30pm-4:30pm: Verifying real world identity on the Internet
- Philip Stradling (Senior Program Manager, Identity, Microsoft)
- Andrew Nash (Director of Product Management, Identity, Google)
- Don Thibeau (Executive Director of the OpenID Foundation and Open Identity Exchange)
- Description: How do websites know which identity providers to trust, and vice versa? Also learn how governments are using the same techniques discussed at this conference to engage with citizens online.
4:30pm-5:30pm: Strong authentication and identity verification
- Ingo Friese (R&D project manager, Deutsche Telekom AG; Telekom Innovation Laboratories)
- Andrew Nash (Director of Product Management, Identity, Google)
- Description: Hear how large consumer websites like Google are using mobile phones today in addition to passwords. Learn how you can confirm attributes about a user on your website such as name, address, etc. This session will describe the working groups in the Open Identity Exchange that are focused on this topic, and will include demonstrations of live systems.
In addition to the presentations above, Ping Identity is also hosting a similar event the previous day. If you’re a security architect, IT manager, SaaS product manager, eBusiness leader, CSO, CTO, or CIO leveraging the Cloud to change your business, it’s a day of identity security best practices you don’t want to miss.
Best regards,
Don Thibeau, Executive Director
OpenID Foundation
Hosted by:
OpenID Microsoft Google
Tags: developers, events, openid, summit
This entry was posted
on Wednesday, March 7th, 2012 at 9:28 am and is filed under Uncategorized.
Posted at 9:09 am on March 6, 2012 by jfe
Last week, Nat Sakimura was reelected as Chairman of the Board. Nat continues to provide an invaluable continuity of leadership and representation for the OpenID Foundation in a wide variety of international standards organizations. Eric Sachs, Google’s representative on the Board, was elected Vice Chairman. In addition to his Executive Committee responsibilities, Eric will continue to lead both the OIDF Marketing Committee and Account Chooser Work Group. Kick Willemse was elected as Community Liaison. Kick will be providing the Foundation with increased global awareness and a much needed voice in the European marketplace.
Kick and Eric’s work with Nat will help guide important technical and adoption processes for the proposals and protocols in the OIDF pipeline: OpenID Connect (in the Implementer’s draft stage), Account Chooser (ramping up for community input in 2012) and the nascent proposal around the “Backplane Exchange” that Greg Keegstra is advocating. All these efforts point toward vibrant technical and marketing initiatives for the Foundation in 2012.
John Bradley and Mike Jones were reelected as Treasurer and Secretary respectively. They make things happen. Mike and John have for many years gone to great lengths to be stewards of the OpenID protocol and the Foundation required to make it open to all. On behalf of the companies and community around open and user centric internet identity, we thank Nat, Eric, Kick, John and Mike in advance for their leadership.
Don Thibeau
This entry was posted
on Tuesday, March 6th, 2012 at 9:09 am and is filed under Uncategorized.
Posted at 9:18 am on February 24, 2012 by jfe
In 2011 the OpenID Foundation welcomed Deutsche Telekom as a new member. By joining the Foundation and other industry leaders such as Microsoft, Ping Identity, Google, PayPal, & Symantec, Europe’s largest telecommunications company is supporting decentralized authentication systems for easy online login, such as OpenID. In the development of consumer products, the Deutsche Telekom Group has supported OpenID for some time. Using the OpenID protocol facilitates the integration of centrally developed products into the portfolios of the individual subsidiaries (NatCos). In turn, their customers gain easy and secure access to centrally provided services such as address book and media services.
Telekom Innovation Laboratories (T‑Labs), the innovation and research branch of Deutsche Telekom, played a key role in the Group becoming a member. Axel Nennker, Identity Expert at T-Labs, has recently been reelected to the Board of Directors of the OpenID Foundation. At the upcoming OpenID workshop in London, Ingo Friese from T-Labs will give a presentation on their Cross-Operator Identity Services project.
This entry was posted
on Friday, February 24th, 2012 at 9:18 am and is filed under Uncategorized.
Posted at 9:57 am on October 19, 2011 by jfe
PayPal Access provides a way for users to log into your web site using interfaces based on the OpenID 2.0 protocol, an open specification produced by the OpenID community.
More information
View a video replay of a recent PayPal Access presentation
This entry was posted
on Wednesday, October 19th, 2011 at 9:57 am and is filed under Uncategorized.
Posted at 12:05 pm on October 17, 2011 by jfe
October is National Cybersecurity month, so a shout out goes to our colleagues at The National Cyber Security Alliance. NCSA’s mission is to educate and therefore empower a digital society to use the Internet safely and securely at home, work, and school, protecting the technology individuals use, the networks they connect to, and our shared digital assets. NCSA builds strong public/private partnerships to create and implement broad reaching education and awareness efforts to empower users at home, work and school with the information they need to keep themselves, their organizations, their systems, and their sensitive information safe and secure online and encourage a culture of cybersecurity.
OASIS launched the Electronic Identity Credential Trust Elevation Methods (Trust Elevation) Technical Committee http://www.oasis-open.org/committees/trust-el/charter.php. The initial deliverable is a comprehensive list of current methods to authenticate identities online to the degree necessary for high value and sensitive transactions. This is expected to be a key input to new real world solutions that use a step-up approach to multi-factor authentication. The Technical Committee is Co Chaired by Abbie Barbir, Senior Vice President Bank of America and Don Thibeau of OIX and OpenID Foundation.
OIX Member AT&T has come out with Personal Levels of Assurance (PLOA), a white paper that introduces a new approach for determining transaction-based assurance: PLOA White Paper – v1. This fresh new thinking focuses on determining the lifecycle of LOA settings for an individual based on the current condition of all attribute declarations whether they are validated or not. One of the most significant suggestions in AT&T’s approach to federated assurance is de-coupling enforcement points from decision points by adoption of a standard, open protocol. This is the kind of open identity protocol organizations like the OpenID Foundation consider as part of their mission. Even though the technology being implemented may resemble authorization, it is truly speaking to the assurance of the authentication and therefore should be considered a new element to the three A’s. The AT&T team postulates that there should be a fourth A added to the typical security list of AAA – Authentication, Authorization, and Audit (AAA) shall be joined by their new sibling Assurance. OIX provides legal and best practices research in online identity, particularly in the area of trust frameworks.
Content and contributors to work like this will be featured at the Open Identity Exchange Attribute Summit upcoming meetings in Washington DC on November 9 and 10. OIX, Booz Allen Hamilton and Experian will present a panel noting OIX’s growing interaction with EU and UK initiatives like those in the UK Government Cabinet Office, iScheme and federatedbusiness.org. The OIX board will take up the question of how best to engage with tScheme in the UK and discuss the value of a ‘formal partnership’. tScheme was formed over ten years ago as an industry body but with UK Government observers on its board, which gave rise to the term co-regulatory body that is used when describing tScheme’s function. The Government observers are Cabinet Office, Business Information and Skills, Department of Work and Pensions and the Department for Education. tScheme thus has a long history of working with and supporting the UK Government, and hence is heavily involved in the current Cabinet Office Identity Assurance Program, as well as serving as the UK’s assurance regime for the Oil & Gas Trust Scheme; the Employee Authentication Scheme for access to Government data by local Authority employees; and the Identity & Access Management program supporting the access to databases relating to Police Intelligence by members of UK Police Forces.
We are entering the implementation phase for one of the most mature and value adding initiatives, the Publish Trust Framework in the Open Identity Exchange. We have posted the project update at www.PublishTrust.org for your review. The Publish Trust Project examines the feasibility of adding trust values to online identities for authors of scholarly publications, thus enabling them to reliably aggregate previous and current works and connect with other experts in their field. The first experiment uses VIVO as a semantic identity platform with the OIX Trust Framework to produce two-factor assertions of authorship from scholarly publishers of peer-reviewed works and authors.
The OpenID Foundation and the Open Identity Exchange are sponsoring an Open Identity Summit in Tokyo, Japan on December 1. The event is taking place as part of Japan’s Internet week and will feature technical discussions about OpenID Connect and Account Chooser as well as policy and rule making in Japan’s identity ecosystem. The Japanese and South Korean governments have initiatives underway similar to the US NSTIC. Please note Howard Schmidt’s comments at
Advancing the National Strategy for Trusted Identities in …
The White House
The solution proposed by NSTIC is a user-centric “Identity Ecosystem” built on the foundation of private-sector identity providers.
This entry was posted
on Monday, October 17th, 2011 at 12:05 pm and is filed under Uncategorized.
Posted at 12:02 pm on October 17, 2011 by jfe
The recent Sony incident was another wake up call for website owners about the problems with passwords as discussed in the recent OIDF blog post. One of the purposes of the OpenID Foundation blog is to help identify events that website owners can attend to learn more about alternatives to passwords.
There was one such event, called the Cloud Identity Summit, earlier this year that was so popular that a smaller version of the event is being run in four cities in the next few weeks.
• 10/24/11 New York, NY
• 10/25/11 Washington, DC
• 11/2/11 Chicago, IL
• 11/3/11 San Francisco, CA
You can learn more or register to attend at www.cloudidentitysummit.com
The event will cover a number of topics that the OpenID Foundation is involved with including:
• Emerging standards such as OpenID Connect and its relation to OAuth
• User friendly ways to eliminate passwords using the Account Chooser technique
• Adoption of cloud identity standards in enterprise and citizen-government scenarios
If you’re a security architect, IT manager, SaaS product manager, eBusiness leader, CSO, CTO, or CIO leveraging the Cloud to change your business, it’s a day of identity security best practices you don’t want to miss.
This entry was posted
on Monday, October 17th, 2011 at 12:02 pm and is filed under Uncategorized.
Posted at 1:51 pm on August 4, 2011 by jfe
One of the topics discussed recently at Ping Identity’s OpenID Summit at its Cloud Identity Conference and again at last week’s Gartner Catalyst conference was a “consumerisation of the enterprise”. OpenID was at the center of those discussions as technology bulls and bears debated its value in both enterprise and consumer use cases.
Perhaps OpenID’s evolution from little corners of the internet to mainstream adoption tracks the changes in internet identity best understood in hindsight. One leading edge adopter’s review of how OpenID’s user centricity morphed to a provider centric architecture is seen in Salesforce.com’s Chuck Mortimore’s blunt but bullish presentation on “Does OpenID work for the Enterprise?”
In deciding whether one is bearish or bullish on OpenID, it may be useful to “follow the money” and follow the leaders. OpenID Connect, like OAuth 2.0, is among the few standards that have real technical engagement from the likes of Google, Microsoft and Facebook.
While no one can predict what these companies, relying parties and small companies will do, we can see where they invest. Whether at industry conferences or launching pilots, industry leaders and developers like JanRain, Ping Identity and others are making multi-year/multi-million dollar bets on protocols like OpenID Connect as it tracks with OAuth in enabling new claims and data centric architectures.
Following the money supports a bullish view of the value beyond social/single sign-on in today’s web. As noted, companies like Ping Identity, JanRain and others have raised significant funding to pursue opportunities in this space as analysts note a strong demand for identity management solutions globally.
Bears among us may rightfully point to how OpenID has been quiet over the past year as it adjusted to the new market conditions like those Chuck Mortimore described. Making sausage and standards isn’t pretty and takes a maddening amount of time and money. Engineers, be they community volunteers or “volunteered” by large industry leaders, take care when re-architecting a core offering like OpenID.
Meanwhile, OpenID Foundation members like Symantec, PayPal, Google, and others continue to co-sponsor OpenID Summits and other events where the evolution of OpenID is discussed/planned and its adoption continues to increase around the world. Although OpenID may be more about ‘plumbing’ than the next big darling of the Silicon Valley tech press, its premise and technological underpinnings are proving to be solid and in tune with the future.
Finally, take a look at the work being done at the OpenID Foundation and Google on the Account Chooser, a scalable, user-friendly way to bring OpenID technologies to the masses, while still supporting a philosophy of decentralized, interoperable identity solutions.
Bears and Bulls can judge for themselves as OpenID Connect is tried, tested and toughened at an OpenID Summit hosted by Microsoft on September 12 and 13 in Mountain View CA at Microsoft’s offices where the OpenID Foundation will be hosting a technical interop and testing workshop for engineers and developers interested in OpenID Connect.
There will also be sessions for website operators who want to learn more about why they should get out of the password business and integrate with identity providers. Information on how to register for the event will be posted soon. In other words, whether bearish or bullish, don’t touch the remote and stay tuned for more in the evolution of OpenID.
This entry was posted
on Thursday, August 4th, 2011 at 1:51 pm and is filed under Uncategorized.