PayPal Access Uses OpenID 2.0
Posted at 9:57 am on October 19, 2011 by jfe
PayPal Access provides a way for users to log into your web site using interfaces based on the OpenID 2.0 protocol, an open specification produced by the OpenID community.
PayPal Access provides a way for users to log into your web site using interfaces based on the OpenID 2.0 protocol, an open specification produced by the OpenID community.
October is National Cybersecurity month so a shout out goes to our colleagues at The National Cyber Security Alliance NCSA’s mission is to educate and therefore empower a digital society to use the Internet safely and securely at home, work, and school, protecting the technology individuals use, the networks they connect to, and our shared digital assets. NCSA builds strong public/private partnerships to create and implement broad reaching education and awareness efforts to empower users at home, work and school with the information they need to keep themselves, their organizations, their systems, and their sensitive information safe and secure online and encourage a culture of cybersecurity.
OASIS launched the Electronic Identity Credential Trust Elevation Methods (Trust Elevation) Technical Committee http://www.oasis-open.org/committees/trust-el/charter.php. The initial deliverable is a comprehensive list of current methods to authenticate identities online to the degree necessary for high value and sensitive transactions. This is expected to be a key input to new real world solutions that use a step-up approach to multi-factor authentication. The Technical Committee is Co Chaired by Abbie Barbir, Senior Vice President Bank of America and Don Thibeau of OIX and OpenID Foundation.
OIX Member AT&T has come out with Personal Levels of Assurance (PLOA), a white paper that introduces a new approach for determining transaction-based assurance.PLOA White Paper – v1. This fresh new thinking focuses on determining the lifecycle of LOA settings for an individual based on the current condition of all attribute declarations whether they are validated or not. One of the most significant suggestions in At&t’s approach to federated assurance is de-coupling enforcement points from decision points by adoption of a standard, open protocol. This is the kind of open identity protocol organizations like the OpenID Foundation consider as part of its mission. Even though the technology being implemented may resemble authorization, it is truly speaking to the assurance of the authentication and therefore should be considered a new element to the three A’s.The At&t team postulates that there should be a fourth A added to the typical security list of AAA – Authentication, Authorization, and Audit (AAA) shall be joined by their new sibling Assurance. OIX provides legal and best practices research in online identity particularly in the area of trust frameworks.
Content and contributors to work like this will be featured at the Open Identity Exchange Attribute Summit upcoming meetings in Washington DC on November 9 and 10OIX, Booz Allen Hamilton and Experian to present a panel noting OIX’s growing interaction with EU and UK initiatives like those in the UK Government Cabinet Office, iScheme, federatedbusiness.org, The OIX board will take up the question of how best to engage with tScheme in the UK and discuss the value of a ‘formal partnership’. tScheme was formed over ten years ago as an industry body but with UK Government observers on its board, which gave rise to the term co-regulatory body that is used when describing tScheme’s function. The Government observers are Cabinet Office, Business Information and Skills, department of Work and Pensions and the department for Education. tScheme has thus a long history working with and supporting the UK Government, hence is heavily involved in the current Cabinet Office Identity Assurance Program, as well as the role as the UK’s assurance regime for the Oil & Gas Trust Scheme; the Employee Authentication Scheme for access to Government data by local Authority employees; and the Identity & Access Management program supporting the access to databases relating to Police Intelligence by members of UK Police Forces.
We are entering the implementation phase for one of the most mature and value adding initiatives the Publish Trust Framework in the Open Identity Exchange. We have posted the project update at www.PublishTrust.org for your review.The Publish Trust Project examines the feasibility of adding trust values to online identities for authors of scholarly publications, thus enabling them to reliably aggregate previous and current works and connect with other experts in their field. The first experiment uses VIVO as a semantic identity platform with the OIX Trust Framework to produce two-factor assertions of authorship from scholarly publishers of peer-reviewed works and authors.
The OpenID Foundation and the Open Identity Exchange are sponsoring an Open Identity Summit in Tokyo Japan on December 1. The event is taking place as part of Japan’s Internet week and will feature technical discussions about OpenID Connect and Account Chooser as well as policy and rule making in Japan’s identity ecosystem. The Japanese and South Korean government has initiatives underway similar to the US NSTIC. Please note Howard Schmidt comments at
Advancing the National Strategy for Trusted Identities in …
The White House
The solution proposed by NSTIC is a user-centric “Identity Ecosystem” built on the foundation of private-sector identity providers.
The recent Sony incident was another wake up call for website owners about the problems with passwords as discussed in the recent OIDF blog post. One of the purposes of the OpenID Foundation blog is to help identify events that website owners can attend to learn more about alternatives to passwords.
There was one such event, called the Cloud Identity Summit, earlier this year that was so popular that a smaller version of the event is being run in four cities in the next few weeks.
• 10/24/11 New York, NY
• 10/25/11 Washington, DC
• 11/2/11 Chicago, IL
• 11/3/11 San Francisco, CA
You can learn more or register to attend at www.cloudidentitysummit.com
The event will cover a number of topics that the OpenID Foundation is involved with including:
• Emerging standards such as OpenID Connect and its relation to OAuth
• User friendly ways to eliminate passwords using the Account Chooser technique
• Adoption of cloud identity standards in enterprise and citizen-government scenarios
If you’re a security architect, IT manager, SaaS product manager, eBusiness leader, CSO, CTO, or CIO leveraging the Cloud to change your business, it’s a day of identity security best practices you don’t want to miss.
One of the topics discussed recently at Ping Identity’s OpenID Summit at its Cloud Identity Conference and again at last week’s Gartner Catalyst conference was a “consumerisation of the enterprise” . OpenID was at the center of those discussions as technology bulls and bears debated its value in both enterprise and consumer use cases.
Perhaps OpenID’s evolution from little corners of the internet to mainstream adoption tracks the changes in internet identity best understood in hindsight. One leading edge adopter’s review of how OpenID’s user centricity morphed to a provider centric architecture is seen in Salesforce.com‘s Chuck Mortimore’s blunt but bullish presentation on ‘Does OpenID work for the Enterprise?”
In deciding whether one is bearish or bullish on OpenID, it may be useful to “follow the money” and follow the leaders. OpenID Connect, like OAuth 2.0, is among the few standards that have real technical engagement from the likes of Google, Microsoft and Facebook.
While no one can predict what these companies, relying parties and small companies will do, we can see where they invest. Whether at industry conferences or launching pilots, industry leaders and developers like JanRain, Ping Identity and others are making multi-year /multi-million dollar bets on protocols like OpenID Connect as it tracks with OAuth in enabling new claims and data centric architectures.
Following the money supports a bullish view of the value beyond social/single sign-on in today’s web. As noted, companies like Ping Identity, JanRain and others have raised significant funding to pursue opportunities in this space as analysts note a strong demand for identity management solutions globally.
Bears among us may rightfully point to how OpenID has been quiet over the past year as it adjusted to the new market conditions like those Chuck Mortimore described. Making sausage and standards isn’t pretty and takes a maddening amount of time and money. Engineers, be they community volunteers or “volunteered” by large industry leaders, take care when re-architecting a core offering like OpenID.
Meanwhile, OpenID Foundation members like Symantec, PayPal, Google, and others continue to co-sponsor OpenID Summits and other events where the evolution of OpenID is discussed/planned and its adoption continues to increase around the world. Although OpenID may be more about ‘plumbing’ than the next big darling of the Silicon Valley tech press, its premise and technological underpinnings are proving to be solid and in tune with the future.
Finally, take a look at the work being done at the OpenID Foundation and Google on the Account Chooser, a scalable, user-friendly way to bring OpenID technologies to the masses, while still supporting a philosophy of decentralized, interoperable identity solutions.
Bears and Bulls can judge for themselves as OpenID Connect is tried, tested and toughened at an OpenID Summit hosted by Microsoft on September 12 and 13 in Mountain View CA at Microsoft’s offices where the OpenID Foundation will be hosting a technical interop and testing workshop for engineers and developers interested in OpenID Connect.
There will also be sessions for website operators who want to learn more about why they should get out of the password business and integrate with identity providers. Information on how to register for the event will be posted soon. In other words, whether bearish or bullish, don’t touch the remote and stay tuned for more in the evolution of OpenID.
The OpenID Foundation’s 2011 series of OpenID Summits focus is on use cases and topics of interest to key developers, executives and analysts in the identity industry. The OpenID Summit in Munich will focus on global adoption dynamics and the evolution of OpenID technologies. It is a free event co-sponsored by Google and Microsoft and will take place Tuesday morning May 10th preceding the European Identity Conference. Click here to register for the OIDF Summit http://www.kuppingercole.com/events/openid2011
The EIC is pleased to offer OpenID members a 15% discount on the standard registration fee. Click here to register for EIC http://www.kuppingercole.com/book/eic2011 and enter openid15 into the booking code field.
Please join us on Tuesday, May 10, 2011 from 9:00am until 1:00pm CDT (pre-conference track)
Location: Dolce Ballhaus-Forum Germany
Andreas-Danzer-Weg 1
85716 Unterschleissheim, Germany
Room: Ammersee I
Agenda:
09:00-09:30 Morning Refreshment & Introductions – Led by Don Thibeau and John Bradley, Director, OpenID Foundation and Eric Sachs, Google and Tony Nadalin, Microsoft Hosts
09:30-12:00 Presentations focused on global adoption dynamics and the evolution of OpenID technologies
12:00-13:00 Lunch with open discussion and feedback
Background:
Early this year The Open Identity Exchange (OIX) and the Center for Democracy and Technology (CDT) co- sponsored an OpenID Policy Summit with invited experts from the American Bar Association’s Committee on Identity and Harvard’s Berkman Center for Law and the Internet. The Social Media and Retail Summit at PayPal and the OpenID Security Summit at Symantec in Silicon Valley formed the marketing and technology counterpoints to the policy work done in Washington DC with the advocacy, academic and legal communities. The earlier Policy, Retail and Security Summits lead to an important consultation with our European colleagues on how open identity technologies are evolving, an update on OpenID technology and a sharing of perspectives of US and EU-based identity providers and relying parties. The OpenID Summit agenda follows:
• Mike Jones, Co-chair of the OpenID: AB/Connect working group, will update the collaboration of Facebook, Google, Microsoft and others on the next evolution of the OpenID protocol.
• David Recordon of Facebook, Eric Sachs of Google and Tony Nadalin of Microsoft will discuss OpenID adoption and evolution in a global context and engage audience questions.
• Axel Nennker of Deutsche Telekom AG will outline DT’s OpenID plans and review mobile platform initiatives and other emerging secure identity strategies
Sign up now for the OpenID Summit “Balancing Security and the User Experience” on May 2
The OpenID Foundation’s 2011 series of OpenID Summits focus on use cases and topics of interest to developers, executives and analysts in the identity industry. The next summit explores security and the user experience in open identity technologies. It is co sponsored by Google and Symantec and will take place at 350 Ellis Street Mountain View, CA on the afternoon of May 2nd starting with a lunch at 12:30. We hope you will register for the event go to http://openidsummit2011.eventbrite.com/
Agenda:
12:00-13:00
Lunch & Introductions – Led by Don Thibeau Executive Director OpenID Foundation, Eric Sachs, Google and Nico Popp, Symantec Host
13:00-16:00
Session One Panel Discussion: “Whither Secure Identity?”
Nico Popp of Symantec will moderate a CTO roundtable discussion with Paul Agbabian CTO Norton, Brent Williams CTO Equifax, Tim Brown SVP Distinguished Engineer CA Technologies. Identity management has gone through a number of transitions and continues to evolve. Access to identity data is a component to any information security program. Multi factor Identity authentication, in particular, is a moving target as relying parties and identity providers need to comply with industry and federal regulations, as well as new identity standards and technology initiatives. In this panel discussion, you’ll hear about the changing authentication including knowledge-based, device-based, and out-of-band authentication options.
Session Two Presentation: “What’s Up with OpenID?
Mike Jones of Microsoft and OpenID Foundation AB/Connect Working Group Co-chairs will update the collaboration of Facebook, Google, Microsoft and others on the next stage of evolution of the OpenID protocol. Mike will be joined by the working group co chairs John Bradley and Nat Sakimura and will take questions from the audience on the OpenID, OAuth 2 and other open identity protocols and standards.
Session Three Panel Discussion: “The Latest in IdP and RP Best Practices”
Eric Sachs of Google will moderate a roundtable with Andy Wu of Yahoo!, Dave Hebert Microsoft, George Fletcher Aol, and others on identity provider and relying party best practices in online identity authentication.
Web 2.0 applications are one of the most rapidly adopted technologies today and are now considered critical tools by most organizations. These sites provide valuable communication and collaboration benefits, but how do businesses enable access without impacting productivity, risking data loss or increasing vulnerability to threats?
Session Four Panel Discussion: “Monetizing Identity Without Traumatizing Customers”
Don Thibeau of the OpenID Foundation will moderate a panel discussion with investment leaders; David Walrod Bridgescale Partners, Enrique Godreau Voyager Capital and identity industry leaders; David Recordon Facebook, Tony Nadalin Microsoft, and Eric Sachs Google. The goal is to share thoughts on how the identity market place is evolving from investment and technology perspectives. This session will feature investors interviewing technology leaders about investing company money in identity and technology leaders interviewing investors about venture investing in identity companies.
16:00-17:00
Discussion and feedback
Thanks for Google and Symantec for Co Sponsoring this event.
We hope you will register for the event go to http://openidsummit2011.eventbrite.com/
I can die now that I’ve been a talking head on NPR!
Allow me to rewind for a minute.
On Tuesday, March 15 I had the privilege of appearing on Washington D.C.’s NPR radio station, WAMU, and the Kojo Nnamdi Show on “Cyber Security and Your Internet Identity”. Replay
My mother was excited to hear her son being interviewed, thankful that I seemed lucid, but remains clueless about the National Strategy for Trusted Identity in Cyberspace (NSTIC). A great video explaining NSTIC can be found here.
Mom did relate to the discussion of government as an identity provider because both she and social security numbers have been around for more than 75 years and because systems to identify citizens of the US have been around since the first passport was issued.
But only she could be proud of her son, the Washington DC pundit, when I pointed out the obvious “this internet stuff is different”.
Because we increasingly interact with people in internet settings where we will never meet in person, yet trust them to act according to our expectations. It’s a problem shared by everyone and across public and private sectors since we rely on multiple identities and networked technologies at home and at work.
If data is the “oil” of the internet and knowledge is power in the information age, then trust is the key! Everyone wants and needs to “trust” their email like they do the postal mail.
Trust comes with a repeatability and reliability. Just like when Mom steps on the brakes she “trusts” that it will stop the car or looks in her mailbox and “trusts” the senders.
A basic OpenID technology standard for a “mechanistic” kind of trust for identity systems was the first step. It started with a reliable single sign on function for data/identity systems at a low level of assurance, protection and control.
By adding trust frameworks to OpenID building blocks, we can create solutions that can be used in the US and by citizens worldwide to navigate with the same kind of trust that comes with stepping on the brakes or going to the post office.
The challenges are unprecedented. Many are the result of the lack of a trustworthy mechanism in the online identity technologies we use every day.
We can’t let trust fall further behind the technology. The benefits of identity technology standards are many, but they should be deployed in a framework designed to maximize benefits to all stakeholders.
In the US and in many other jurisdictions there are strong traditions of individualism and concerns about the aggregation of commercial and governmental power. But our best chance at getting things right is to work together when opportunities like NSTIC present themselves… and mom steps on the brakes.
The OpenID Foundation’s 2011 series of OpenID Summits focus on use cases and topics of interest to key developers, executives and analysts in the identity industry.
The next summit explores security and the user experience in open identity technologies. It is co sponsored by Google and Symantec and will take place at 350 Ellis Street Mountain View, CA on the afternoon of May 2nd preceding the Internet Identity Workshop. We anticipate up to 70 attendees to include a variety of technical teams from Symantec and other Silicon Valley companies. The OIDF and co sponsors are reaching out for fresh perspectives from opinion leaders in the mobile platform, risk management and high assurance/multi factor identity space. We will post an Eventbrite notice soon. Send your suggestions for speakers, panels and topics to director@oidf.org
While much attention has been directed at identity providers, we want to frame the OpenID security/user experience issues in a bucket we call relying parties best practices (RPBP)
In December, The Open Identity Exchange (OIX) and the Center for Democracy and Technology (CDT) co sponsored a OpenID Policy Summit with invited experts from the American Bar Association’s Committee on Identity and Harvard’s Berkman Center for Law and the Internet. The May 2nd OpenID Security Summit is the technology counterpoint to the policy work done in Washington DC with the advocacy, academic and legal communities. The focus of both Policy and Security Summits are on RPBP (relying party best practices) a linchpin of any deployment or trust framework especially those involving government agencies. The user experience / security issues of RPBP are a key common denominator as they impact all stakeholders in the ecosystem and relies on OpenID for interoperability across a diverse set of use cases.
We plan to publish a briefing paper providing summaries of the presentations with feedback from the audience, links for more information, etc. The Security Summit paper will report on the Summit’s discussion of RPBP (relying party best practices) and provide an overview of the security concerns of relying parties. In this way we hope to further the understanding of OpenID as it is today and how security concerns will impact OpenID as it evolves.
Don Thibeau
OIDF Executive Director
by Don Thibeau
I was a close reader of the commentary from Scott Gilbertson of Wired’s WebMonkey and some other posts of late. I appreciated the historical context the Forester Analysts provided; noting that when OpenID appeared on the scene, more robust solutions based on SAML under way in scenarios involving limited circles of trust — typically point-to-point enterprise scenarios — rather than consumer use cases.
History belongs to those that tell it, but I subscribe to the narratives that identity providers adopting OpenID opened the door for users to click on a button that identifies their preferred identity service for logging in at a relying-party site and are continuing to influence the development of new solutions and best practices for federated identity, trust frameworks and the like. It’s natural at this stage in its evolution that many are unpacking OpenID’s value proposition in light of the meteoric rise of Facebook Connect. Forester’s commentary “identifying the U.S. government’s support of OpenID as an important marker and noting OpenID Connect as an important way forward” and notes that “OpenID may well be that it was ahead of its time, but that hardly makes it a failure.”
The most recent blog reports of OpenID as deficient or dying assume an ever upward trajectory of adoption. The real world is different. My rear view mirror reflects an inevitable ebb and flow to any standard adoption process. While Facebook Connect’s adoption is phenomenal, it can overshadow the natural back and forth of standards development seen in recent experience in both OAuth and OpenID. All this is to say the OpenID Foundation’s role in driving a broader understanding of and improvements to the product is a critical success factor. The OIDF’s AB/Connect Working Group’s work can be pivotal in addressing the newer use-cases posed by users like Facebook and Government.
Certainly, international expansion is a key to that broader understanding and the product’s path forward. As a community we look to new leadership from Kick Willemse and Axel Nennker to bring a EU perspective to our work. We will be co-hosting our first OpenID Summit in Tokyo later this year. The Google team is considering the same for China. The 2011 OpenID Summits are both pacing items and forcing functions. Pairing OpenID Summits with other industry gatherings and collaborating with organizations like Kantara and the ITU mobilizes the resources of a global community and corporate participation. The leading by doing commitments of Google, Microsoft and Facebook and the example of PayPal’s hosting the upcoming OpenID Retail Summit gives us early positive indications of progress. Guessing the trajectory of any internet standard is both science and art. I tend to delete my responses to the ‘OpenID is a nightmare’, ‘fails to cure cancer’ commentary.
For my part, the question is not “What does OpenID mean?” It is rather, “How is OpenID influencing internet identity around you?”
Don Thibeau
Executive Director, OpenID Foundation
Tags: adoption
There has been much discussion lately about the US National Strategy on Trusted Identity in Cyberspace, NSTIC. This is a summary of some key developments. Last week in Washington DC, a series of workshops addressed various aspects of the evolving US NIST. The first focused on use cases that fall under the NSTIC umbrella. The discussion of identity authentication, privacy and security in G2C applications engaged a wide range of viewpoints from the technologists, policy makers, lawyers and advocates present. The event was co-sponsored by the OpenID Foundation, the Open Identity Exchange and the Center for Democracy and Technology, New Urban Myth: The Internet ID Scare. Another workshop ”How Open Identity Frameworks Address Privacy, Security and Global Market Needs” discussed how user needs can be integrated with those of relying parties, identity providers and other data handlers. This was co Hosted by the American Bar Association’s Federated Identity Management Legal Task Force, Harvard’s Berkman Center for Law and the Internet, and the Open Identity Exchange.
It is important to be clear, the OpenID Foundation has no position with respect to the NSTIC. The OIDF’s focus is on technology “tools.”
As a technical standards development organization, the OIDF’s develops technology and promotes adoption of open identity protocols. As a practical matter, the US CIO, the GSA, the White House and many government agencies reach out to the OIDF because it is a neutral, non-profit organization with a membership of the leaders in search, enterprise and social media. Many in government and the OIDF share an interest in solving internet identity related issues increasingly important to government operations, outreach and standards. For example, the US GSA FICAM program requires the use of OpenID 2.0 for technical interoperability compliance with NIST level 1 assurance see: http://www.idmanagement. Last year at this time, the OpenID Foundation Board voted to respond to the US CIO’s “Open Identity for Open Government” initiative by providing a start up grant to a legally separate organization: the OIX. The OIDF Board made sure companies could opt into participation in OIX at a time and manner of their choosing. The goals of the OIDF grant were to; 1) meet industry needs for open identity interoperability along the lines of the public private partnership suggested by the US government with extensibility to other governments and organizations, 2) fill critical infrastructure gaps in open identity certification at internet scale, 3) develop policies and promote the adoption of open identity trust frameworks.
The Open Identity Exchange has been closely collaborating with the White House NSTIC team. The OIX’s focus is policy “rules.”
The Open Identity Exchange (OIX) is a non-profit, technology-agnostic, multi-tenant certification listing service for open trust frameworks in internet and telecommunications applications. While the OIX has been collaborating with TechAmerica, the CDT, the AMA, and the World Economic Forum, it is neither a lobbying organization, advocacy group nor a “think tank.” It’s focus is on building interoperability of trust frameworks for industry self regulation and market expansion. The openidentityexchange.org, was the first US GSA FICAM authorized trust framework provider. It is developing two products; a web based, meta data certification listing service to facilitate technical interoperability at internet scale. Second, it is developing the OIX “Risk Wiki” a open source legal reference tool to facilitate policy interoperability across multiple jurisdictions. OIX’s “Risk Wiki” helps resolve key identity authentication issues like liability and privacy by an ongoing aggregation of policy and best practices. The OIX now hosts a growing number of working groups developing interoperability certification requirements for telco and internet identity authentication at higher levels of data assurance, protection and control. OIX is collaborating with international legal, financial and standards organizations and plans to help launch a series of B2B and B2G trust frameworks in 2011.
Last week’s workshops helped shape the views of many attendees from industry, academic, public interest groups as well as NSTIC and other government participants and touched on several themes:
• Broad-based, clear and compelling G2C identity authentication or trusted transaction use cases have yet to be developed at higher levels of assurance.
- To be sure positive pilot projects like the NIH iTrust and the Online Constituent Identity project are underway.
• The “business case” for LoA 1 certification and drivers of cross government adoption have not yet been fully realized.
- This is resulting in a slower than hoped development of the FICAM public private partnership.
• Many in industry prefer a more integrated approach to fully consider recent technical and policy guidance from a variety of government agencies.
- These cross government applications and notably include the FTC, NIST, NSTIC and others.
• Many leading companies in the identity space find the current state of the NIST Levels of Assurance not yet fully actionable and need to be updated.
- Many believe the participation, interests and duties of relying parties have yet to be adequately considered and adequately articulated.
• Specifically there is an absence of relying party best practices and guidance for the assessors and has inhibited industry expectations and requirements.
- The coincidence of the pending finalization of the NSTIC, the announcement of the DOC program office and the accelerating development of B2B trust frameworks is an indicator of a rapidly evolving identity ecosystem.
• The media reaction to the preliminary announcement of NSTIC is mixed.
- This shows a need for more discussion and outreach. As a result, OIX is also now planning a series of follow up activities with Kantara, TechAmerica, the Center for Democracy and Technology and others.
Tags: government, NSTIC