Don Thibeau | 25 Jan 17:17

[OpenID] 2012 NIST/NSTIC IDtrust Workshop


2012 NIST/NSTIC IDtrust Workshop:

“Technologies and Standards Enabling the Identity Ecosystem”

The 2012 NIST/NSTIC IDtrust Workshop will be held March 13-14, 2012 at NIST in Gaithersburg, Maryland.  The workshop will focus on how technologies and standards can help the framework of the identity ecosystem coalesce. 

The one-and-a-half-day workshop will feature plenary presentations and panel discussions by leading identity management and standards experts addressing a broad swath of technology and standards issues that surround identifying and implementing the four NSTIC Guiding Principles in the Identity Ecosystem:

 

  • Identity Solutions will be Privacy-Enhancing and Voluntary

  • Identity Solutions will be Secure and Resilient

  • Identity Solutions will be Interoperable

  • Identity Solutions will be Cost-Effective and Easy To Use

 

Additional details will be available at:  http://www.nist.gov/itl/csd/ct/nstic_idtrust-2012.cfm

 


_______________________________________________
general mailing list
general <at> lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-general
Don Thibeau | 5 Jan 21:11

[OpenID] 2012 OpenID Foundation Director Election

This is a message regarding the upcoming OpenID Board of Directors election.

Chris Messina has decided not to run for re-election in 2012. I want to acknowledge the important contributions Chris has made from the beginning of the OpenID effort. As a community board representative and member of the Executive Committee, Chris has shared his considerable network, marketing expertise and strong views about user-centric identity. As Chris has said, "internet identity continues to be an unsolved problem for the mass of free (as in freedom) internet users."

Chris's contributions act as a model for others to step up to the important contributions that can be made as a community director on the OpenID Foundation Board. To be sure, leadership and collaboration with competitors on industry standards has built-in challenges, especially for those representing a broad community interest. In this context the voice of the community is especially important. A concrete and recent lesson lies in the evolution to OpenID Connect and how collaboration of community contribution and among unlikely allies like Facebook, Google, and Microsoft is changing online identity.  2012 will be a pivotal year. OpenID Connect global adoption will begin, Google's transfer of its Account Chooser IPR to the foundation will be determined and work on new protocols is expected.

On behalf of the Board and the OpenID community, we thank Chris for his service. We ask OpenID Foundation members to encourage your colleagues to step forward for election and, most important, participate in the upcoming vote. Contact me if you have any questions.

Don Thibeau
Executive Director
OpenID Foundation

Nat Sakimura | 23 Dec 17:47

[OpenID] Review of Proposed OpenID Connect Implementer’s Drafts

The OpenID AB+Connect Working Group recommends approval of the
following specifications as OpenID Implementer’s Drafts:

•       Basic Client Profile – Simple self-contained specification for
a web-based Relying Party.  (This spec contains a subset of the
information in Messages and Standard.)
•       Discovery – Defines how user and provider endpoints can be
dynamically discovered.
•       Dynamic Registration – Defines how clients can dynamically
register with OpenID Providers.
•       Messages – Defines all the messages that are used in OpenID
Connect.  (These messages are used by the Standard binding.)
•       Standard – Complete HTTP binding of the Messages, for both
Relying Parties and OpenID Providers.
•       Multiple Response Type Encoding – Registers OAuth 2.0
response_type values used by OpenID Connect.

An Implementer’s Draft is a stable version of a specification
providing intellectual property protections to implementers of the
specification.  This note starts the 45 days public review period for
the specification drafts in accordance with the OpenID Foundation IPR
policies and procedures.  This review period will end on Monday,
February 6, 2012. Unless issues are identified during the review that
the working group believes must be addressed by revising the drafts,
this review period will be followed by a seven day voting period
during which OpenID Foundation members will vote on whether to approve
these drafts as OpenID Implementer’s Drafts. The specifications are
posted at these locations:

•       http://openid.net/specs/openid-connect-basic-1_0-15.html
•       http://openid.net/specs/openid-connect-discovery-1_0-07.html
•       http://openid.net/specs/openid-connect-registration-1_0-08.html
•       http://openid.net/specs/openid-connect-messages-1_0-07.html
•       http://openid.net/specs/openid-connect-standard-1_0-07.html
•       http://openid.net/specs/oauth-v2-multiple-response-types-1_0-03.html

A description of OpenID Connect can be found at
http://openid.net/connect/. The working group page is
http://openid.net/wg/connect/. Information on joining the OpenID
Foundation can be found at
https://openid.net/foundation/members/registration.  Foundation
members will be asked to vote on approving these specifications as
Implementer’s Drafts. You can send feedback on the specifications in a
way that enables the working group to act on your feedback by (1)
signing the contribution agreement at
http://openid.net/intellectual-property/ to join the AB+Connect
working group, (2) joining the working group mailing list at
http://lists.openid.net/mailman/listinfo/openid-specs-ab, and (3)
sending your feedback on that list.
-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
Kick Willemse | 8 Dec 17:36

[OpenID] Spontaneous Tech Meetup OpenID Connect in Utrecht NL at Eurocamp Terena

Due to the gathering of some identity people at Eurocamp Terena in Utrecht Netherlands next week,  we organize a tech session on OpenID connect with John Bradley.

 

http://www.terena.org/activities/eurocamp/dec11/programme1.html

 

Thank you Terena/ Surfnet for your hospitality and opening this session for the OpenID crowd.

 

Start session: 13.00 PM

Where: Surf Utrecht Netherlands (50 min train from Schiphol Amsterdam)

 

If you want to know more about the new OpenID connect spec and implementation this will be an interesting session. Just send me a mail with your details so I can reserve a seat and get you more details.

 

Kick

Don Thibeau | 7 Dec 17:21

[OpenID] The OpenID Tokyo Summit


Last week's Tokyo OpenID Summit was an exciting event. It featured 300+ people, simultaneous
translation, multiple technical and policy tracks, all advancing understanding of OpenID Connect,
trust frameworks, attribute exchange, etc.  We followed it with a deep dive into the "Tao of Attributes" at
the University of Kyoto. 

Many thanks to our Japanese colleagues for their gracious hospitality and to our hosts at OpenID
Foundation Japan and the University of Kyoto's NII. The preparation, professionalism and
contributions of the OpenID Foundation Japan and University of Kyoto were outstanding.

The meetings in Japan were a fitting conclusion to the seven OpenID Summits in 2011. Each Summit helped
improve OpenID Connect by expanding the breadth of contributors and the depth of how OpenID Connect
optimization.  The Summit in Japan, like those before in California, Colorado, Washington DC and Munich
enabled the Working Group to build the momentum for consideration of the OpenID Connect implementers
draft we will share soon. 

The resurgence of OpenID and the importance to user centric online identity OpenID Connect promises would
not have been possible without the painstaking work of its Working Group and the support of Summit
sponsors: Google, Ping Identity, Symantec, PayPal, Microsoft and community representatives. We look
forward to the important next steps, involving the OpenID Community at large to review the implementer's
draft specification, vote for its acceptance and further improvement and adoption of OpenID Connect in 2012.

Don Thibeau
Executive Director 
OpenID Foundation
SitG Admin | 3 Dec 23:54

[OpenID] DSig with (server-generated) dynamic content

There was a discussion some time back about the dangers of parsing an 
*entire* web page for OpenID headers, since a guestbook (or comments 
by visiting users) might be embedded further down the page, 
statically, instead of left for inclusion with JScript by a browser.

One of the challenges I keep expecting to hear that DSig has solved 
somehow is normalizing XML files so that they always produce the same 
hash for the same data despite different collections of that data 
each having their own whitespace outside the tags, and those tags 
being in no particular order.

I'm thinking of HTML as XML, signable - and wondering whether anyone 
working with DSig has looked at signing webpages in this way, before?

-Shade
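
An added example, not part of the original post: Python's standard-library Canonical XML 2.0 writer applied to constructed sample documents, showing which serialization differences canonicalization removes before hashing and which it keeps. The `strip_text` flag is an option of the Python API, not default canonicalization behaviour, and all document contents here are made up for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET  # ET.canonicalize requires Python 3.8+

# Constructed sample inputs: the same data serialized four different ways.
DOC_A = '<page lang="en" id="p1"><title>Home</title><owner>alice</owner></page>'
# Attribute order and quote style changed, nothing else.
DOC_B = "<page id='p1' lang='en'><title>Home</title><owner>alice</owner></page>"
# Same as DOC_A, but pretty-printed (whitespace text nodes between tags).
DOC_C = """<page lang="en" id="p1">
  <title>Home</title>
  <owner>alice</owner>
</page>"""
# Same as DOC_A, but the two child elements are swapped.
DOC_D = '<page lang="en" id="p1"><owner>alice</owner><title>Home</title></page>'


def c14n_digest(xml_text, strip_text=False):
    """Return the SHA-256 hex digest of the canonical form of xml_text."""
    canonical = ET.canonicalize(xml_text, strip_text=strip_text)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def compare():
    """Report which serialization differences survive canonicalization."""
    return {
        # Attributes are sorted and re-quoted, so these digests match.
        "attr_order_and_quotes": c14n_digest(DOC_A) == c14n_digest(DOC_B),
        # Whitespace between tags is document content and is preserved.
        "indentation_default": c14n_digest(DOC_A) == c14n_digest(DOC_C),
        # Only an explicit, non-default option discards that whitespace.
        "indentation_stripped":
            c14n_digest(DOC_A, True) == c14n_digest(DOC_C, True),
        # Element order is never normalized: reordered tags hash differently.
        "element_order": c14n_digest(DOC_A, True) == c14n_digest(DOC_D, True),
    }


if __name__ == "__main__":
    for name, same in compare().items():
        print(f"{name}: {'same digest' if same else 'different digest'}")
```

Signer and verifier have to agree on the canonicalization options as well as the hash, since the indentation case changes outcome with a single flag.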
Peter Williams | 2 Dec 18:42

[OpenID] putting myopenid clients certs together with openid foundation enrollment, with webid profiles


Several years ago, someone helped me in my first ever openid experience. They told me how to add link metadata to a blogger website, that would use myopenid as the IDP. My name to the world of relying parties would be that of my blogsite, however. I think it was the first blogging service I ever used.
 
I repeated that experiment today with a new blogspot site, using the foundation's member enrollment page as the relying party. It all still works fine.
 
http://yorkporc.blogspot.com/ is registered with the relying party as the openid, and myopenid duly challenged me for user credentials.
 
There is a nice opportunity to cooperate with the W3C's (incubating) webid project - since it ties in SO CLOSELY with openid ideas. And, it can be done practically, using infrastructure that exists.  Either the foundation's site (as relying party) or the myopenid site (as identity provider) could ask for https client auth certificates. The RP site could just be interested in the user's card for public claims, and the IDP COULD be interested in said card for claims and/or user authentication. In either case, the card augments whatever public claims and cards the particular OP pointed to by delegation is maintaining. Obviously, the latter goes away, once the user/IDP relationship goes sour.

The myopenid site already gives me the option to use SSL and client certs (that works for some users, apparently). It thereby avoids passwords on the wire - the bane of much of the world's users. Now, these days, that cert can usefully contain up to 3 webid URIs - the user's openid(s) with some #tag appended, that humans hopefully never see. In my case, the working openid http://yorkporc.blogspot.com/ becomes my webid URI in the cert as http://yorkporc.blogspot.com/#me. When I use the webid URI at the foundation's site, it even works as my openid URI (since technical folks were clever, long ago).

Under the semantic web idea set that could now be EASILY and OPTIONALLY augmenting openid culture, of course, that webid URI can be dereferenced, and even be used as an identity check by IDPs. But MOST importantly it can simply be a set of public claims that are managed by users (out of the control of IDPs). These are claims SIMILAR to, but distinct from, the "identity page" of (public) claims tied to the openid as managed by an IDP, nicely demonstrated by myopenid's services. The webid claims are managed by the user, on the same blogger site as that which was facilitating the name delegation and exist even if I lose myopenid subscription rights tomorrow. They have the same authoritativeness as my delegation metadata, that is.

It's a very user centric OVERLAY on otherwise commercial-centric identity management - merging points of control (for good cryptopolitical karma). It merges only what already exists in the wild at 99%: client certs with URIs, openid URIs, webid URI variants with #tags, and the use of such as blogspot as glueware to pull some of the infrastructure together.

Wouldn't it make sense for OPs on recognizing a webid URI in a client cert, when used to authenticate the user instead of a password, to at least PASS the webid URI to relying party sites in the openid Assertion? Could not the extended sreg URI (website) claim be used for this, PERHAPS?

Speaking as an RP site that talks to 100 million folks (occasionally), this kind of "infrastructure integration" makes all the difference to adoption when the relying party sites are themselves mini-cloud providers - and every tenant (of such as the realty "mini-cloud" service provider) demands their own variant of the web login experience, their choice of IDPs, their choice of blog provider vendor, their choice of certs over passwords, their choice of CA for minting certs, etc etc.

Now, it was REALLY nice that - in PRACTICE - I could use my Google Apps openid2.0 provider to get a blogspot account, create a delegate openid, bind my webid profile to the home page of the site, use my favorite CA to mint client certs with webids that are a minor variant of my delegated openid URI, and then cooperate with myopenid for validating user credentials, all done when talking to a relying party site. It was even nicer that I can see how to add on Microsoft's Azure ACS gateway service, which can hook up all that TODAY to our own production realty web apps, desperately wanting websso for occasional consumers.
 
If there is a will to cooperate, I think we can complete the project folks started years ago, in the UCI flavor of openid. The story I just told is SO much better than it was when I did the same experiment 4+ years ago, with the same blogger service. Now the cloud is multi-vendor, multi-protocol, multi player, and still user centric (by option).
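
An added example, not part of the original post: the delegation link metadata described in this message is what a relying party reads during OpenID HTML-based discovery, and an earlier message on this page recalls the danger of scanning an entire page for it when visitor comments are embedded further down. The parser below collects OpenID `<link>` elements from the document head only; the sample page, its URLs and the class and function names are constructed for illustration.

```python
from html.parser import HTMLParser

# rel values used by OpenID 2.0 and OpenID 1.1 HTML-based discovery.
OPENID_RELS = {"openid2.provider", "openid2.local_id",
               "openid.server", "openid.delegate"}

# Constructed sample: the owner's delegation links sit in <head>; a visitor's
# guestbook comment embedded in <body> carries a link element of its own.
PAGE = """<html><head>
<title>Blog</title>
<link rel="openid2.provider" href="https://op.example/server">
<link rel="openid2.local_id" href="https://alice.op.example/">
</head><body>
<h1>Guestbook</h1>
<div class="comment">nice site
<link rel="openid2.provider" href="https://visitor.example/server"></div>
</body></html>"""


class LinkCollector(HTMLParser):
    """Collect OpenID link elements, by default only from the first <head>."""

    def __init__(self, head_only):
        super().__init__()
        self.head_only = head_only
        self.in_head = False
        self.head_seen = False  # a later <head> inside the body is ignored
        self.found = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head" and not self.head_seen:
            self.in_head = self.head_seen = True
        elif tag == "body":
            self.in_head = False
            self.head_seen = True
        elif tag == "link" and (self.in_head or not self.head_only):
            attr = dict(attrs)
            href = attr.get("href")
            # rel is a space-separated token list; compare case-insensitively.
            for rel in (attr.get("rel") or "").lower().split():
                if rel in OPENID_RELS and href:
                    self.found.setdefault(rel, []).append(href)

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def discover(html_text, head_only=True):
    """Return {rel: [href, ...]} for OpenID link elements in html_text."""
    parser = LinkCollector(head_only)
    parser.feed(html_text)
    parser.close()
    return parser.found
```

With `head_only=False` the same page yields two candidate providers for one identifier, which is the ambiguity a relying party avoids by reading the head alone.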
 
 
 
 
 
 
 
Don Thibeau | 22 Nov 22:32

[OpenID] OIDF ED Update: Website Overhaul

OpenID Foundation Community and Members:

 

The OpenID Marketing Committee has begun a long overdue overhaul of the OIDF website.  Your input is welcome and needed. The OpenID Foundation currently has a number of Working Groups (WGs) listed on the Foundation’s website that do not appear to have been active for some time.   We plan to close down and remove all inactive WGs by year's end.


This email is an “open call” to all those who seek to keep any OIDF WG active.  Please refer to the OIDF Working Group webpage for a list of all current WGs: http://wiki.openid.net/w/page/12995249/Working%20Groups

Contact me (don <at> oidf.org) or John Ehrig (jehrig <at> inventures.com) no later than December 15, 2011 to notify the Foundation if you believe the Foundation should keep one of the listed WGs active. John or I will contact you for further information.

 

The OIDF Marketing committee sees the new site's focus to include connecting website owners with vendors of relying party (RP) software/services as well as other features to make the site a valuable tool for communities in the US and overseas.

Regards,

Don Thibeau
Executive Director 
Nika Ramos | 20 Nov 17:56

[OpenID] (no subject)

Nika Ramos | 20 Nov 17:44

[OpenID] (no subject)



--
Nika Ramos XOXO

Peter Williams | 12 Nov 01:02

[OpenID] very very nice ... google APP -> MSFT ACS -> realty site

OK, it was worth the wait.

The Google Apps to Microsoft Azure gateway to Realty cloud application works beautifully, adding 100 google apps to the user's web experience. Users have all the applications they are used to (in realty), and now all the google tools, including a file store that ties into the windows desktop as a virtual drive. It's now trivial and seamless to logon using one's google apps id, land on realty (after linking accounts), and mashup realty tools and more general tools. The realty site even does SSO to 10 other places of interest, specific to professionals in real estate, who need special paid accounts linked to their license, etc.

So, it's Google's multi-tenant openid to an Azure ACS tenant, which does ws-fedp to a multi-tenant webapp in Realty, and then SAML2 to the other realty sites offered by other vendors. All seamless, and focussed on user value (and just one login, with network access gated by one's realty license). This is the way it should be.

I don't often compliment (as a security cynic). But, it's good. No, it's Very, Very good. Well done. It's national infrastructure grade.
 