Last year four community board members were elected to 2-year terms and so are not standing for election:
• Nat Sakimura
• Mike Jones
• John Bradley
• Kick Willemse

Other current community board members may seek re-election. They are:
• Allen Tom
• Axel Nennker
• Chris Messina

Brian Kissel has indicated he will likely not be a candidate. This is a good time to thank Brian, and all the current board members, for their time, attention and leadership over the last year.

For the purposes of the 2012 election, there are 5 confirmed sustaining members: Google, Microsoft, PayPal, Ping Identity, and Symantec. Thus, we will be electing 2 community members to the Board of Directors for 2-year terms. In order to be eligible for election, your candidacy must have been seconded by at least three other members.

The election will be conducted on the following schedule:
Nominations open: Monday, January 9
Nominations close: Monday, January 23
Election begins: Wednesday, January 25
Election ends: Wednesday, February 8
Results announced by: Wednesday, February 15
New board terms start: Thursday, March 1

Times for all dates are Noon, U.S. Pacific Time.

All members of the OpenID Foundation are eligible to nominate themselves, second the nominations of others who self-nominated, and vote for candidates. If you’re not already a member of the OpenID Foundation, we encourage you to join now at https://openid.net/foundation/members/registration.

Voting and nominations are conducted using the OpenID you registered when you joined the Foundation. Log in at https://openid.net/foundation/members/ with your OpenID to participate in the nomination and voting. If you are already a member, you will receive an email advising you the election is open and how to participate. If you experience problems participating in the election or joining the foundation, please send an email to help@oidf.org.

Board participation requires a substantial ongoing investment of time and energy. It is a volunteer effort that should not be undertaken lightly. Should you be elected, expect to be called upon to serve both on the board and on its committees where the work of the foundation is conducted. If you’re committed to OpenID and advancing open digital identity and are a person who works well with others, we encourage your candidacy. The OIDF’s Executive Committee has suggested a few questions candidates may want to publicly address in their candidate statements:

1. What is you view of the opportunity of the OpenID Foundation?
2. What are the key opportunities you see for the OpenID Foundation in 2012?
3. How will you demonstrate your commitment to the work of the foundation in terms of resources, focus and leadership?
4. What would you like to see accomplished over the next year, and how do you personally plan to make these things happen?
5. What resources can you bring to the foundation to help the foundation attain its goals?
6. What current or past experiences, skills, or interests will inform your contributions and views?

Candidates can address these questions in their election statements on various community mailing lists and at http://openid.net – especially openid-general@lists.openid.net, and via blog@oidf.org. Please forward questions, comments and suggestions to me.

Don Thibeau
Executive Director
The OpenID Foundation

• Basic Client Profile – Simple self-contained specification for a web-based Relying Party.  (This spec contains a subset of the information in Messages and Standard.)
• Discovery – Defines how user and provider endpoints can be dynamically discovered.
• Dynamic Registration – Defines how clients can dynamically register with OpenID Providers.
• Messages – Defines all the messages that are used in OpenID Connect.  (These messages are used by the Standard binding.)
• Standard – Complete HTTP binding of the Messages, for both Relying Parties and OpenID Providers.
• Multiple Response Type Encoding – Registers OAuth 2.0 response_type values used by OpenID Connect.

An Implementer’s Draft is a stable version of a specification providing intellectual property protections to implementers of the specification.  This note starts the 45 days public review period for the specification drafts in accordance with the OpenID Foundation IPR policies and procedures.  This review period will end on Monday, February 6, 2012.

Unless issues are identified during the review that the working group believes must be addressed by revising the drafts, this review period will be followed by a seven day voting period during which OpenID Foundation members will vote on whether to approve these drafts as OpenID Implementer’s Drafts.

The specifications are posted at these locations:

• http://openid.net/specs/openid-connect-basic-1_0-15.html
• http://openid.net/specs/openid-connect-discovery-1_0-07.html
• http://openid.net/specs/openid-connect-registration-1_0-08.html
• http://openid.net/specs/openid-connect-messages-1_0-07.html
• http://openid.net/specs/openid-connect-standard-1_0-07.html
• http://openid.net/specs/oauth-v2-multiple-response-types-1_0-03.html

A description of OpenID Connect can be found at http://openid.net/connect/. The working group page is http://openid.net/wg/connect/.

Information on joining the OpenID Foundation can be found at https://openid.net/foundation/members/registration.  Foundation members will be asked to vote on approving these specifications as Implementer’s Drafts.

You can send feedback on the specifications in a way that enables the working group to act on your feedback by

1. signing the contribution agreement at http://openid.net/intellectual-property/ to join the AB+Connect working group,
2. joining the working group mailing list at http://lists.openid.net/mailman/listinfo/openid-specs-ab, and
3. sending your feedback on that list.

Verizon announced that it is the first ever identity provider to achieve a Level 3 US Government certification in providing identity credentials and access management to relying parties. The importance of building a standardized framework that protects valuable personal data from Internet security risks is being recognized and addressed on a global scale and national level.

Verizon has established itself as a leader that is building a foundation for an open and secure Internet-identity ecosystem that people and business can trust. Beyond providing a safeguard for digital identities, certified identity providers will help speed conversations, interactions and transactions for people, businesses and relying parties now and in the future.

As one of the pioneers in building the trust frameworks, Verizon’s leadership as an identity provider is at the heart of building this new identity ecosystem. Verizon was one of the founding members of the Open Identity Exchange (OIX) an organization that now includes the leaders in internet, telco and data aggregation industries.

Today’s password-focused website login process is unsafe and risky and has led to personal information and data being compromised through phishing and hacking attacks on weak systems. The potentially devastating consequences associated with the hijacking and theft of digital identities highlights the need for a trusted and certified framework that relying parties can depend on for identity authentication.

OIX, its member companies and Verizon aim to provide an open framework that standardizes the security, privacy, and operation policies of identity service providers that people, businesses and governments can trust.

The Internet identity ecosystem is quickly evolving with companies playing many different roles. The OIX is focused on the roles of attribute providers, identity providers, and relying parties. Verizon is playing an important role as a leader and advocate for OpenID. We congratulate Verizon on this significant achievement.

More information

View a video replay of a recent PayPal Access presentation

OASIS launched the Electronic Identity Credential Trust Elevation Methods (Trust Elevation) Technical Committee http://www.oasis-open.org/committees/trust-el/charter.php. The initial deliverable is a comprehensive list of current methods to authenticate identities online to the degree necessary for high value and sensitive transactions. This is expected to be a key input to new real world solutions that use a step-up approach to multi-factor authentication. The Technical Committee is Co Chaired by Abbie Barbir, Senior Vice President Bank of America and Don Thibeau of OIX and OpenID Foundation.

OIX Member AT&T has come out with Personal Levels of Assurance (PLOA), a white paper that introduces a new approach for determining transaction-based assurance.PLOA White Paper – v1. This fresh new thinking focuses on determining the lifecycle of LOA settings for an individual based on the current condition of all attribute declarations whether they are validated or not. One of the most significant suggestions in At&t’s approach to federated assurance is de-coupling enforcement points from decision points by adoption of a standard, open protocol. This is the kind of open identity protocol organizations like the OpenID Foundation consider as part of its mission. Even though the technology being implemented may resemble authorization, it is truly speaking to the assurance of the authentication and therefore should be considered a new element to the three A’s.The At&t team postulates that there should be a fourth A added to the typical security list of AAA – Authentication, Authorization, and Audit (AAA) shall be joined by their new sibling Assurance. OIX provides legal and best practices research in online identity particularly in the area of trust frameworks.

Content and contributors to work like this will be featured at the Open Identity Exchange Attribute Summit upcoming meetings in Washington DC on November 9 and 10OIX, Booz Allen Hamilton and Experian to present a panel noting OIX’s growing interaction with EU and UK initiatives like those in the UK Government Cabinet Office, iScheme, federatedbusiness.org, The OIX board will take up the question of how best to engage with tScheme in the UK and discuss the value of a ‘formal partnership’. tScheme was formed over ten years ago as an industry body but with UK Government observers on its board, which gave rise to the term co-regulatory body that is used when describing tScheme’s function. The Government observers are Cabinet Office, Business Information and Skills, department of Work and Pensions and the department for Education. tScheme has thus a long history working with and supporting the UK Government, hence is heavily involved in the current Cabinet Office Identity Assurance Program, as well as the role as the UK’s assurance regime for the Oil & Gas Trust Scheme; the Employee Authentication Scheme for access to Government data by local Authority employees; and the Identity & Access Management program supporting the access to databases relating to Police Intelligence by members of UK Police Forces.

We are entering the implementation phase for one of the most mature and value adding initiatives the Publish Trust Framework in the Open Identity Exchange. We have posted the project update at www.PublishTrust.org for your review.The Publish Trust Project examines the feasibility of adding trust values to online identities for authors of scholarly publications, thus enabling them to reliably aggregate previous and current works and connect with other experts in their field. The first experiment uses VIVO as a semantic identity platform with the OIX Trust Framework to produce two-factor assertions of authorship from scholarly publishers of peer-reviewed works and authors.

The OpenID Foundation and the Open Identity Exchange are sponsoring an Open Identity Summit in Tokyo Japan on December 1. The event is taking place as part of Japan’s Internet week and will feature technical discussions about OpenID Connect and Account Chooser as well as policy and rule making in Japan’s identity ecosystem. The Japanese and South Korean government has initiatives underway similar to the US NSTIC. Please note Howard Schmidt comments at

Advancing the National Strategy for Trusted Identities in …
The White House
The solution proposed by NSTIC is a user-centric “Identity Ecosystem” built on the foundation of private-sector identity providers.

There was one such event, called the Cloud Identity Summit, earlier this year that was so popular that a smaller version of the event is being run in four cities in the next few weeks.
• 10/24/11 New York, NY
• 10/25/11 Washington, DC
• 11/2/11 Chicago, IL
• 11/3/11 San Francisco, CA

You can learn more or register to attend at www.cloudidentitysummit.com

The event will cover a number of topics that the OpenID Foundation is involved with including:
• Emerging standards such as OpenID Connect and its relation to OAuth
• User friendly ways to eliminate passwords using the Account Chooser technique
• Adoption of cloud identity standards in enterprise and citizen-government scenarios

If you’re a security architect, IT manager, SaaS product manager, eBusiness leader, CSO, CTO, or CIO leveraging the Cloud to change your business, it’s a day of identity security best practices you don’t want to miss.

These attacks are referred to as “weakest link hijackings” because the hackers attack websites with the weakest security, and then collect user passwords. Since it is common for users to reuse passwords across websites, hackers can then try those collected passwords against other websites like Sony as well as social network accounts, email accounts, work accounts, etc. When hackers take over the user’s social network or email account, they frequently change the user’s password on the account to lock the real user out, then use it to try to trick the user’s friends into sending money. One scam claims the person was stuck while travelling and needs money wired to them. Imagine losing access to all your contacts, email, photos, etc. and then having your friends lose thousands of dollars.

Unfortunately it is extremely difficult for websites to protect themselves against the weaker security of these other websites. Only some of the largest websites with the most sophisticated security tools can detect these types of attacks and try to automatically reduce their impact on their own accounts as Sony has done. Some of those websites offer users the option to add an additional layer of security to their account, for example by sending a code to their phone number each time they want to login. However if every website took that approach, users would revolt because of the pain it would create for them.

It’s time for website owners to wake up and realize they are probably the “weakest link.” Most websites need to stop trying to run their own login system and instead rely on third-party tools and websites that provide users with highly secure login systems. This type of login approach has become popular with websites that want to integrate with social networks, but it can also be used by any website by simply letting users choose an identity provider that runs a secure login system. It also has the advantage of making it easier for users to register for a new website on a mobile device and we all know what a hassle that can be.

Consortiums of companies such as the OpenID Foundation are working together to solve the problem of passwords and weak login systems, and are making great strides on security, usability, and privacy. With so much of our digital identities and information at stake, it’s critical that we create a better, more secure system before we see more victims of the “weakest link”.

The biggest difference you’ll notice is that there is now only one spec to implement for “Minimal” clients (rather than previously three).  A number of people had asked that there be a single, simple, self-contained spec that basic relying parties could implement.  That spec is the OpenID Connect Basic Client Profile.  That’s all you need for a web-based relying party utilizing a pre-configured set of OpenID Providers.

For “Dynamic” configurations, where the set of OpenID Providers is not pre-configured, Discovery and Dynamic Client Registration capabilities are added to enable RPs to discover OP endpoints and to connect with the OP selected.  This functionality is needed for “open” OpenID Connect interactions.

OpenID Providers, native client applications, and clients needing more functionality than that provided by the Basic Client Profile implement the OpenID Connect Standard binding for the OpenID Connect Messages.  Finally, OPs and RPs needing session management capabilities, including logout, also implement OpenID Connect Session Management.

As you can see, the current organization remains highly modular, where implementations can build and deploy only what they need.  Now that modularity is even better reflected in the way that the specs are written – particularly that there is a single, self-contained basic client specification.

In closing, we’d like to thank developers for the valuable feedback provided to date.  Your input has both improved the technical content of OpenID Connect, and possibly even more importantly, made the specs simpler and easier to understand.

This OpenID summit gives web site developers and technologists a closer look at the OpenID Connect protocol, its use cases and adoption plans by leading companies. We will introduce “Account Chooser” its implementation and user experience and provide interop testing and feedback for next generation OpenID adoption.

 Please join us on Monday, September 12, 2011 from 12:00 Noon until 5:00pm PDT and Tuesday, September 13, 2011 from 10:00am to 5:00pm PDT.

 Registration is now open at the following link: REGISTER NOW!

 Location:
Microsoft Research Silicon Valley Campus – 1288 Pear Avenue, Mountain View, CA  94043

OpenID Connect Tech  Summit 

AGENDA: Monday,
September 12, 2011 – 12:00pm-5:00pm

Noon: Lunch will be provided for attendees

12:00-12:20 – Welcome
Don Thibeau, Executive Director, The OpenID Foundation

Technical Sessions

12:20-1:00 – Overview and Update of OpenID Connect and OAuth 2.0, Mike Jones, Microsoft,
Director of Identity Partnerships

1:00-3:00 – OpenID Connect Spec development (Working Group Review led by Allen Tom and Mike Jones)
[2 hours]

• Timing goals for ratification
• Core protocol
• Dynamic RP registration and IDP discovery
• Claims
• Session Management
• Artifact Binding
• US Government OpenID Connect profile

3:20-4:00 – Open time for Technical Interop,  Allen Tom & Mike Jones [60 min]

4:00-4:40 – OpenID Connect: Building Test Infrastructure, Roland Hedberg

4:40-5:00 – Wrap-up, Don Thibeau, Executive Director, The OpenID Foundation

AGENDA: Tuesday, September 13, 2011 – 10:00am-5:00pm

Business Session

10:00-10:20 - Welcome Don Thibeau, Executive Director, The OpenID Foundation

10:20-11:00 - Feedback Review OpenID Connect Mike Jones, Microsoft
and Allen Tom, Directors, The OpenID Foundation

11:00-11:40 - Overview and Update of Account Chooser,  A presentation on a new sign in experience for the web, how to get involved, and an update on the legal status of related IP. Scott David, K&L Gates,  Basheer Tome,  Independent & Eric Sachs, Google

11:40-12:20 – Migrating Users to Identity Providers From Email/Password Logins”,  A Summary of the experience of websites, including Google, that have started to migrate users from traditional logins to identity providers.  Eric Sachs,  Google, Product Manager

12:20-1:00 – Lunch

1:00-1:40 – Microsoft as an RP and IDP, Speaker (TBD)

1:40-2:20 – Way Beyond Single Sign On, Greg Keegstra, Janrain

2:20-3:00 – The Value Proposition for OpenID Connect & Account Chooser in the Enterprise, Pam Dingle, Ping Identity

3:00-3:20 – Break

3:20-4:00 – Open Identity and Online Adoption, A discussion on trends in the adoption of social login among online businesses. Patrick Salyer, Gigya

4:00-4:40 – OpenID Connect & UMA Synergies, OpenID Connect and User-Managed Access (UMA) solve interestingly complementary problems.  This session will explore use cases and proposals for combining them.  Macie Machulak

4:40-5:00 - Wrap up Don Thibeau, Executive Director, The OpenID Foundation

Best regards,

Don Thibeau, Executive  Director
OpenID Foundation

Additional information is available at:

http://openid.net/connect/

http://accountchooser.com/

Hosted by: