According to Dave Kearns of KuppingerCole, OpenID Connect’s design philosophy to “make simple things simple and make complicated things possible” can play a critical role in creating the technical specifications (“tools”) necessary for advancing Internet identity across both traditional and evolving digital platforms.

“What’s most impressive is that this elegantly simple design resulted from the cooperation of such a diverse global set of contributors. I expect OpenID Connect to have a substantial positive impact on usable, secure identity solutions both for traditional computing platforms and mobile devices.”

As Dave sees it, OpenID Connect is to OpenID 2.0 as Gigabit Ethernet is to Bob Metcalfe’s original Ethernet. First, where integration of OpenID 2.0 requires an extension, OpenID Connect, which performs many of the same functions as OpenID 2.0, is built into the protocol and is API-friendly. Second, OpenID Connect provides a secure, flexible and interoperable identity layer on top of OAuth 2.0 specifications, enabling participants to exchange any claims relevant to their application. It doesn’t define ways to authenticate users or communicate information about them. Instead, OpenID Connect uses a default set of common claims about a user (e.g., name, email address, user identifier enabling SSO) to allow digital identities to be used across websites and applications.

In an indirect but important way, OpenID Connect supports the mission of the Open Identity Exchange (OIX), which similarly suggests open source for Internet identities. The relationships, dependencies and synergies between OpenID Connect and the OIX can play an integral role in the advancement of digital identities.

OpenID Connect’s modular design “tools” give relying parties the flexibility to deploy the attributes they need to improve operational efficiency and security while remaining interoperable. From a policy standpoint, OIX helps set the stage for industry stakeholders and policymakers to create and publish the policy “rules” for open identity trust frameworks that improve the user experience and protect identity and privacy..

Together, this new open approach for creating custom “tools and rules” can play a useful role in establishing the levels of assurance and elevating trust in internet identities across multiple jurisdictions and improving the way public and private industry interacts with users over the Internet.

Dave Kearns of Kuppinger Cole said this about the award:

“I’m pleased that Kuppinger Cole has granted OpenID Connect the award for Best Innovation/New Standard this year.  What’s most impressive is that this elegantly simple design resulted from the cooperation of such a diverse global set of contributors.  I expect OpenID Connect to have a substantial positive impact on usable, secure identity solutions both for traditional computing platforms and mobile devices.  My congratulations to the OpenID Foundation!”

The application presented by the OpenID Foundation that resulted in the award follows.

European Identity & Cloud Awards 2012

1) Name of the Standard

OpenID Connect

2) Brief description of the Standard

OpenID Connect is a simple JSON/REST-based interoperable identity protocol built on top of the OAuth 2.0 family of specifications.  Its design philosophy is “make simple things simple and make complicated things possible”.

While OAuth 2.0 is a generic access authorization delegation protocol, thus enabling the transfer of arbitrary data, it does not define ways to authenticate users or communicate information about them. OpenID Connect provides a secure, flexible, and interoperable identity layer on top of OAuth 2.0 so that digital identities can be easily used across sites and applications. While enabling a default set of common claims about the user (such as name, e-mail address, and a user identifier enabling SSO) to be easily employed, OpenID Connect also enables participants to exchange any claims relevant to their application using simple JSON-based data structures.

As it is based in OAuth 2.0, OpenID Connect reaches beyond the Web. OpenID Connect brings identity interactions to “apps” and “native applications” on both smart phones and traditional computing devices, in addition to Web sites.

From a security perspective, OpenID Connect was built to be able to gracefully range from the low security levels typically employed for social networks to medium security levels needed for business applications to high security requirements needed for many government applications.  OpenID Connect spans this wide range of applications by using JSON-based digital signature and encryption standards.

From a privacy perspective, OpenID Connect allows the selective sharing of attributes with user consent. It also enables the use of pairwise pseudonymous identifiers, thereby avoiding correlations as appropriate.

From a business perspective, OpenID Connect meets business needs for the use of claims from multiple Claims Providers in a single context (rather than a single Identity Provider being the source of all claims for any given interaction).  It enables the use of Aggregated Claims, where signed claim values can be collected and passed on by OpenID Providers and the use of Distributed Claims, where claims are passed by reference, rather than by value, and dynamically retrieved by Relying Parties.

From a design perspective, OpenID Connect’s modular design enables flexible deployments. Implementations can use only the components they need, while still remaining interoperable.  For instance, “Discovery” and “Dynamic Client Registration” can used in deployments where OpenID Providers can be chosen dynamically, whereas they aren’t needed if the site or application uses only a fixed set of OpenID Providers.

Unlike the previous version of OpenID, user identities can be e-mail addresses that people already have and know, rather than being URLs that most people have difficulty using.

3) Who is contributing to the standard?

OpenID Connect was developed in an OpenID Foundation working group.  OpenID working groups are open to all free of charge who sign the IPR Contribution agreement. Contributors include a diverse international representation of industry and independent technology leaders:  AOL, Deutsche Telecom, Facebook, Google, Microsoft, Mitre Corporation, mixi, Nomura Research Institute, PayPal, Salesforce, Yahoo! Japan, and others.

4) When is it expected to be finalized?

OpenID Connect is in the Implementer’s Draft review period. That stage is similar to the DIS (Draft International Standard) phase of the ISO process. The approval vote will complete on February 15, 2012. The OpenID Connect specifications are expected to be competed in the second half of 2012.

5) What are the key Identity management objectives?

• Interoperability
• Security
• Ease of deployment
• Flexibility
• Wide support of devices
• Enabling Claims Providers to be distinct from Identity Providers

6) Does the standard exceed key objectives?

Yes.

7) Are there live deployments?

Yes. e.g., Google, Gakunin (Japanese Universities Network), Nikkei Newspaper, etc.

Mature deployments are under way by working group participants.

8) Does the deployment touch customers/consumers/citizens?  If so, what benefit(s) is the application delivering to customers/consumers/citizens?

• More secure and familiar online interactions
• Easier to use authentication and attribute sharing

9) Does the deployment successfully address one of more of the following identity issues? If so, please provide brief examples.

• Help prevent/reduce identity theft?  Yes.
• Help address ease of use issues? Yes.
• Help meet regulatory requirement? Yes.
• Meet unique vertical market objectives? Yes.

10) Why should this standard win the European Identity/Cloud Award?

 OpenID Connect is a significant advance in digital identity that:

1. is simple to build and deploy, being based upon existing JSON/REST standards,
2. spans both Web and native applications, including mobile “apps”,
3. has wide support from major cloud service providers, enterprise companies, and social networking companies,
4. helps combat identity theft by reducing the number of passwords in use,
5. enables new Web based services and expands existing online markets,
6. spurs global economic growth by enabling simple and secure exchange of verified attributes from multiple sources at Internet scale.

OpenID Connect is an important contribution to a safer, privacy protecting, and easy to use computing environment that spans the cloud, the Web, enterprises, and mobile applications and has broad industry backing. For these reasons, OpenID Connect merits the 2012 European Identity/Cloud Award.

The event itself was a big success with so much interest that we had to move it to a larger location at Microsoft’s office.  We also had a live video broadcast of the event which many people watched.

The OIDF Youtube channel also has many other videos available from past OpenID summits as well as working group meetings like the recent account chooser WG meeting.

The researchers contacted the main websites impacted, and those sites have deployed a fix. OpenID Foundation board members have worked to identify other websites that were impacted and similarly have them deploy a fix. There are no known examples of attacks using this technique.  If your website does not use an OpenID RP implementation from one of the OpenID Foundation vendors, we suggest reading the report.

The OpenID Foundation would like to thank security researchers Rui Wang, Shuo Chen and XiaoFeng Wang for reporting their findings.  You can also read their related report.

The event is for the owners of consumer websites, citizen oriented government sites, and enterprise SaaS services to discuss how to improve login systems by using techniques such as OAuth, OpenID and an Account Chooser.

Please join us on Wednesday, March 28th, 2012 from 10:00 until 17:30 GMT.

Registration is now open at the following link: REGISTER NOW!

Location:
Microsoft London Office, Cardinal Place, 80-100 Victoria Street, United Kingdom, SW1E 5JL

AGENDA:
10-11am: OAuth as the core Internet identity protocol

• Don Thibeau (Executive Director of the OpenID Foundation and Open Identity Exchange)
• Kick Willemse (OpenID Foundation Board Member and CEO of Prooflink)
• Description: A high level overview of the protocol, and an explanation of why major technology companies have standardized on it including Google, Microsoft, Facebook, Yahoo, etc.  We will also discuss how the functionality of the OpenID v2 protocol has been reimplemented on top of OAuth to create OpenID Connect.  The session will also discuss the security problems of websites that run their own password based login systems.

11am-Noon: Bridging Internet Identity protocols

• Patrick Harding (CTO, Ping Identity)
• Description: While OAuth is the main protocol for new Internet identity systems, most companies still need to deal with a mix of other protocols, including their own internal sign on system across the different parts of their website, as well as for employee signing sign on.  Learn about how to use a token management service to bridge between those different protocols.

Noon-1pm: Lunch

1pm-2pm: Using Social Login to get more out of logins then just an email

• Patrick Salyer (CEO, Gigya)
• Vidya Shivkumar (Director of Products, Janrain)
• Description: While logins used to just be about email and password, there is now the potential to do much more using popular consumer identity providers such as Twitter, Yahoo, Facebook, Google, Microsoft Live, etc.  This session will discuss the success many websites have already had with this model.

2pm-3pm: Improving the user experience of sign-in using an Account Chooser

• Eric Sachs (Senior Product Manager, Identity, Google)
• Description: Google and other sites have started to roll out a new login experience called an Account Chooser.  Get an overview of how it works, and learn why companies like Google are making this change.  The session will also explain why it is so much easier for a website to add support for identity providers (both consumer and enterprise) after first deploying an account chooser.

3pm-3:30pm: Snack break

• The second part of the session only has room for 100 people. We will check badges at this point and you will only be able to join the second session if you registered for it online. However everyone is welcome to join the snack break

3:30pm-4:30pm: Verifying real world identity on the Internet

• Philip Stradling (Senior Program Manager, Identity, Microsoft)
• Andrew Nash (Director of Product Management, Identity, Google)
• Don Thibeau (Executive Director of the OpenID Foundation and Open Identity Exchange)
• Description: How do websites know which identity providers to trust, and visa versa? Also learn how governments are using the same techniques discussed at this conference to engage with citizens online.

4:30pm-5:30pm: Strong authentication and identity verification

• Ingo Friese (R&D project manager, Deutsche Telekom AG; Telekom Innovation Laboratories)
• Andrew Nash (Director of Product Management, Identity, Google)
• Description: Hear how large consumer websites like Google are using mobile phones today in addition to passwords.  Learn how you can confirm attributes about a user on your website such as name, address, etc. This session will describe the working groups in the Open Identity Exchange that are focused on this topic, and will include demonstrations of live systems.

In addition to the presentations above, Ping Identity is also hosting a similar event the previous day.  If you’re a security architect, IT manager, SaaS product manager, eBusiness leader, CSO, CTO, or CIO leveraging the Cloud to change your business, it’s a day of identity security best practices you don’t want to miss.

Best regards,

Don Thibeau, Executive  Director
OpenID Foundation

Hosted by:

OpenID   Microsoft   Google

Kick and Eric’s work with Nat will help guide important technical and adoption processes for the proposals and protocols in the OIDF pipeline; OpenID Connect – in the Implementer’s draft stage, Account Chooser – ramping up for community input in 2012 and the nascent proposal around the “Backplane Exchange” Greg Keegstra is advocating. All these efforts point toward vibrant technical and marketing initiatives for the Foundation in 2012.

John Bradley and Mike Jones were reelected as Treasurer and Secretary respectively. They make things happen. Mike and John have for many years gone to great lengths to be stewards of the OpenID protocol and the Foundation required to make it open to all. On behalf of the companies and community around open and user centric internet identity, we thank Nat, Eric, Kick, John and Mike in advance for their leadership.

Don Thibeau

Telekom Innovation Laboratories (T‑Labs), the innovation and research branch of Deutsche Telekom, played a key role in the Group becoming a member. Axel Nennker, Identity Expert at T-Labs, has recently been reelected to the Board of Directors of the OpenID Foundation. At the upcoming OpenID workshop in London, Ingo Friese from T-Labs will give a presentation on their Cross-Operator Identity Services project.

• Basic Client Profile – Simple self-contained specification for a web-based Relying Party. (This spec contains a subset of the information in Messages and Standard.)
• Discovery – Defines how user and provider endpoints can be dynamically discovered.
• Dynamic Registration – Defines how clients can dynamically register with OpenID Providers.
• Messages – Defines all the messages that are used in OpenID Connect. (These messages are used by the Standard binding.)
• Standard – Complete HTTP binding of the Messages, for both Relying Parties and OpenID Providers.
• Multiple Response Type Encoding – Registers OAuth 2.0 response_type values used by OpenID Connect.

The voting results were:

• Approve (86 votes)
• Disapprove (1 vote)
• Abstain (2 votes)

Total Votes: 89 (out of 363 members = 25% > 20% quorum requirement)

An Implementer’s Draft is a stable version of a specification providing intellectual property protections to implementers of the specification.

The specifications are posted at these locations:

• http://openid.net/specs/openid-connect-basic-1_0-15.html
• http://openid.net/specs/openid-connect-discovery-1_0-07.html
• http://openid.net/specs/openid-connect-registration-1_0-08.html
• http://openid.net/specs/openid-connect-messages-1_0-07.html
• http://openid.net/specs/openid-connect-standard-1_0-07.html
• http://openid.net/specs/oauth-v2-multiple-response-types-1_0-03.html

A description of OpenID Connect can be found at http://openid.net/connect/.

The working group page is http://openid.net/wg/connect/.

Last year, Dave Recordon and I often talked about how the OpenID Foundation should evolve.  My view was that OpenID does indeed have a “second act” and that the Foundation’s leadership of open identity standards development is important in a rapidly changing internet identity ecosystem. The sponsorship and attendance at the OpenID Summits, the hard work of the OpenID Connect WG and the promise of “Account Chooser” all indicate there is much to do and look forward to in 2012. It will be a pivotal year for OpenID and digital identity.

The new board’s first meeting on March 1 will consider long term operational and strategic issues. Feel free to make your thoughts known on this list, by contacting community representatives or me.

106 members voted in this election, casting a total of 151 votes.  The results (in order of votes received) were:

• Greg Keegstra                   66
• Axel Nennker                    33
• George Fletcher                28
• Sébastien Brault                12
• Patrice Vuillard                 6
• Yosef Vuillard                    6
• David Marceau                   0

Don Thibeau
Executive Director
The OpenID Foundation