Mike Jones: self-issued

OpenID Connect is a simple identity layer built on top of OAuth 2.0. It enables clients to verify the identity of and to obtain basic profile information about an end-user. It uses RESTful protocols and JSON data structures to provide a low barrier to entry. The design philosophy behind OpenID Connect is “make simple things simple and make complex things possible”.

OpenID Connect is designed to cover a range of scenarios and use cases including Internet, enterprise, cloud, and mobile, to span security & privacy requirements from non-sensitive information to highly secure, and to span sophistication of claims usage, from basic default claims to specific requested claims to aggregated and distributed claims. It maximizes the simplicity of implementations by reusing existing OAuth 2.0, JWT, and SWD specs and employing a modular structure, allowing deployments to utilize only the pieces they need.

OpenID Connect has a number of key differences from OpenID 2.0. Among them are: support for native client applications, identifiers using e-mail address format, standard UserInfo endpoint for retrieving basic claims about the end-user, being designed to work well on mobile phones, use of JSON/REST rather than XML, support for encryption and higher LoAs, and support for distributed and aggregated claims.

Today marks a milestone in the OpenID Connect specification development: the OpenID Foundation announced that the current set of drafts is being reviewed for approval as Implementer’s Drafts. An Implementer’s Draft is a stable version of a specification intended for implementation and deployment that provides intellectual property protections to implementers of the specification. These drafts are the product of incorporating months of feedback from implementers and reviewers of earlier specification drafts, including feedback resulting from interop testing. Thanks to all of you who contributed to the development of OpenID Connect!

1 Comment » Posted under Claims & Federation & JSON & OAuth & OpenID & Specifications

My submission to the W3C Workshop on Identity in the Browser discusses The Emerging JSON-Based Identity Protocol Suite. The abstract is:

A new set of open identity protocols is emerging that utilizes JSON data representations and simple REST-based communication patterns. These protocols and data formats are intentionally designed to be easy to use in browsers and modern web development environments.

I hope you’ll find it worthwhile reading. I’m looking forward to discussing it with many of you at the workshop!

No Comments » Posted under Claims & Cryptography & Documentation & Events & JSON & OAuth & OpenID & Specifications

My thanks to those of you who voted in the OpenID Board Election. I’m pleased to report that John Bradley, Nat Sakimura, Kick Willemse, and I were elected as community board members for 2011 and 2012 and that Axel Nennker and Chris Messina were elected for 2011.

I’m really excited about the set of people you chose, both because of their passion for user-centric identity, and because of the diverse communities that they represent. Out of the six of us, there are representatives from Chile, Germany, Japan, Netherlands, and two token Americans. :-) You can read more about the 2011 board at the OIDF blog post announcing the election results.

No Comments » Posted under OpenID & People

The election for community (individual) OpenID board members is under way at https://openid.net/foundation/members/elections/7. I encourage all of you to vote now. (Don’t wait until the morning of Wednesday, December 15th!) If you’re not already an OIDF member, you can join for USD $25 at https://openid.net/foundation/members/registration and participate in the election.

I’m running for the board this time, and would appreciate your vote. My candidate statement, which is also posted on the election site, follows.

OpenID has the potential to make people’s online interactions seamless, secure, and more valuable. I am already working to make that a reality.

First, a bit about my background with OpenID… I’ve been an active contributor to OpenID since early 2007, including both specification work and serving the foundation. My contributions to the specification work have included: an author and editor of the OpenID Provider Authentication Policy Extension (PAPE) specification, editor of the OAuth 2.0 bearer token specification, co-author of the emerging JSON Web Token (JWT) specification, which will be used by the OpenID Artifact Binding, and an active member of the Artifact Binding working group.

I’ve also made substantial contributions to the foundation and its mission, including: In 2007 I worked with the community to create a legal framework for the OpenID Foundation enabling both individuals and corporations to be full participants in developing OpenID specifications and ensuring that the specifications may be freely used by all; this led to the patent non-assertion covenants that now protect implementers of OpenID specifications. I served on the board representing Microsoft in 2008 and 2009, during which time I was chosen by my fellow board members to serve as secretary; you’ve probably read some of the meeting minutes that I’ve written. I helped organize the OpenID summits hosted by Microsoft in 2010: April in Mountain View and June in London. I chaired the election committee that developed the foundation’s election procedures and software, enabling you to vote with your OpenID. And I co-chaired the local chapters committee that developed the policies governing the relationships between local OpenID chapters around the world and the OpenID Foundation.

I’d like to serve OpenID on the board again in 2011, this time as an individual, because while OpenID has had notable successes, its work is far from done. Taking it to the next level will involve both enhanced specifications and strategic initiatives by the foundation. As a community, we need to evolve OpenID to make it much easier to use and to enable it to be used in more kinds of applications on more kinds of devices. As a foundation, we need to build a broader base of supporters and deployers of OpenID, especially internationally. We need to form closer working relationships with organizations and communities doing related work. And we need continue to safeguarding OpenID’s intellectual property and trademarks so they are freely available for all to use.

I have a demonstrated track record of serving OpenID and producing results. I want to be part of making OpenID even more successful and ubiquitous. That’s why I’m running for a community board seat for 2011.

Mike Jones
mbj@microsoft.com
http://self-issued.info/

1 Comment » Posted under OpenID & People

Medtronic, PayPal, Southworks, and Microsoft recently worked together to demonstrate the ability for people to use their PayPal identities for participating in a Medtronic medical device trial, rather than having to create yet another username and password. Furthermore, the demo showed the use of verified claims, where the name, address, birth date, and gender claims provided by PayPal are relied upon by Medtronic and its partners as being sufficiently authoritative to sign people up for the trial and ship them the equipment. I showed this to many of you at the most recent Internet Identity Workshop.

From a technology point of view, this was a multi-protocol federation using OpenID and WS-Federation – OpenID for the PayPal identities and WS-Federation between Medtronic and two relying parties (one for ordering the equipment and one for anonymously recording opinions about the trial). It was also multi-platform, with the Medtronic STS running on Windows and using the Windows Identity Foundation (WIF) and DotNetOpenAuth, the equipment ordering site running on Linux and using simpleSAMLphp, and the opinions site running on Windows and also using WIF. A diagram of the scenario flows is as follows:

We called the demo an “identity mash-up” because Medtronic constructed a identity for the user containing both claims that came from the original PayPal identity and claims it added (“mashed-up”) to form a new, composite identity. And yet, access to this new identity was always through the PayPal identity. You can read more about the demo on the Interoperability @ Microsoft blog, including viewing a video of the demo. Southworks also made the documentation and code for the multi-protocol STS available.

I’ll close by thanking the teams at PayPal, Medtronic, and Southworks for coming together to produce this demo. They were all enthusiastic about using consumer identities for Medtronic’s business scenario and pitched in together to quickly make it happen.

Update: Also see related posts by Kim Cameron and Matias Woloski.

4 Comments » Posted under Claims & Federation & OpenID & Software

I’ll be participating in an Open Identity for Business Interop being held by OSIS at Catalyst in San Diego this month. This multi-protocol interop event includes exercising the US Government identity profiles developed as part of the Open Identity Solutions for Open Government initiative. Microsoft is hosting testing endpoints using AD FS 2.0 and the Card Issuance CTP. The public interop demonstration is on Wednesday, July 28th. Hope to see you there!

No Comments » Posted under Federation & Information Cards & Interoperability & OpenID & Software

A European OpenID summit will be held in London on Tuesday, June 8th at the Microsoft Offices at Cardinal Place, 100 Victoria Street, London SW1E 5JL, UK. This is the same location as the European e-Identity Management Conference, which follows it June 9th and 10th. Topics are expected to include: use cases, issues and problems encountered, solutions proposed, the OpenID v.Next effort, and EU trust profile topics.

Register at http://openid-eu-summit-2010.eventbrite.com/. If you’re interested in presenting, please include your proposed topic in your registration.

This summit builds upon the recent 2010 OpenID User Experience (UX) Summit and the 2010 OpenID Technology Summit West. I’m looking forward to seeing many of you there!

No Comments » Posted under Events & OpenID

The OpenID v.Next session at IIW run by David Recordon and Dick Hardt reached some important conclusions about the future of OpenID. The motivation for the v.Next discussion was the sense that we’ve learned enough since the OpenID 2.0 specification was finalized that it’s time to revise the spec to incorporate what we’ve learned. This session attempted to reach a consensus on the priorities for the next version of OpenID, with a large number of the important players participating. I haven’t seen the decisions made published elsewhere, so I’m recording them here.

David organized the session around a stated goal of producing an evolved OpenID specification within the next six months. The consensus goals reached were as follows. The numbers represent the number of participants who said that they would work on that feature in the next six months.

• Integrating the UX extension (in which the user interacts with the OP in a pop-up window) into the core specification: 12
• Evolving the discovery specification for OpenID, including adding OpenIDs using e-mail address syntax: 10
• Integrating attributes (claims) into the core specification: 9
• Integrating the OAuth Hybrid specification into the core specification: 8
• Supporting an optional active client (identity selector) and non-browser applications: 8
• Improve security, including investigating enabling use at levels of assurance above NIST level 1: 8
• Better support for mobile devices: 8
• Addressing the problem of long URLs (where browsers limit URL length to 2048 or sometimes 256 characters): 6

And in case it isn’t obvious from reading the above, there was also an explicit consensus in the room that OpenID v.Next would not be backwards compatible with OpenID 2.0. (It will be related to, but not compatible with OpenID 2.0, analogously to how SAML 2.0 is related to, but not compatible with SAML 1.1.) I believe we have interesting and exciting times ahead!

Thanks to Hannes Tschofenig for publishing photos of the whiteboard and some of the votes.

6 Comments » Posted under Claims & Events & OpenID & Specifications

The OpenID community has been talking about the value that an optional active client could bring to OpenID for well over a year. To concretely explore this possibility, as many of you know by now, a team at Microsoft built a prototype multi-protocol identity selector supporting OpenID, starting with CardSpace 2, which I and others demonstrated at the OpenID Summit and the Internet Identity Workshop. We did this to stimulate discussion and engage the community about the value of adding active client support to OpenID. And I’ll say up front that enormous thanks go to Joseph Smarr at Plaxo, the team at JanRain, and Andrew Arnott for building demonstration relying parties that worked with the prototype, which made the demonstrations possible.

While you may have read about it on Kim’s blog and many of you were there in person, I wanted to capture screen shots from the demos to make them available, so those who weren’t there can join the discussion as well. Plus, I’ve posted the presentation that accompanied the demos, rather than reproducing that content here. Now, on to the demo, which closely follows the one actually given at the Summit…

I start by demonstrating the user experience for a first-time selector user at a a selector-enabled OpenID relying party.

The first screen shot shows a standard Plaxo login screen, but augmented behind the covers to enable it to pass its OpenID authentication request parameters to an active client, if present. I will click on the “Sign in with OpenID” button on the Plaxo signin page, invoking the selector.

In the prototype, selector-enabled relying parties use a variant of the Information Card object tag to communicate their request parameters to the selector. The object tag parameters used on Plaxo’s RP page are:
<object type="application/x-informationCard" id=infoCardObjectTag>
<param name=protocol value="http://specs.openid.net/auth/2.0"/>
<param name=tokenType value="http://specs.openid.net/auth/2.0"/>
<param name=issuer value="Google.com/accounts/o8/id Yahoo.com myOpenID.com"/>
<param name=issuerExclusive value=false/>
<param name=OpenIDAuthParameters value=
"openid.ns:http://specs.openid.net/auth/2.0
openid.return_to:http://www.plaxo.com/openid?actionType=complete
openid.realm:http://*.plaxo.com/
openid.ns.sreg:http://openid.net/extensions/sreg/1.1
openid.sreg.required:email
openid.sreg.optional:fullname,nickname,dob,gender,postcode,country,language,timezone
openid.sreg.policy_url:http://www.plaxo.com/about/privacy_policy
"/>
</object>


Here I’ve clicked on the “Sign in with OpenID” button, invoking the selector. (The “Google” and “Yahoo” buttons would have invoked the selector too.) This shows the first-time selector user experience, where it isn’t yet remembering any OpenIDs for me. The three OPs suggested by Plaxo – Google, Yahoo, and MyOpenID, are shown, as well as the option to type in a different OpenID. I click on the Yahoo suggestion.

Clicking on Plaxo’s Yahoo suggestion resulted in a Yahoo OpenID card being made available for use. Note that, by default, the selector will remember this card for me. (Those of you who know OpenID well are probably thinking “Where did the selector get the Yahoo logo and friendly name string”? For this prototype, they are baked into the selector. Longer term, the right way is for the selector to retrieve these from the OP’s discovery document. The OpenID UX working group is considering defining discovery syntax for doing just that.)

Once I’ve clicked “OK” to select the identity to use, the selector (not the RP) redirects the browser to the OP – in this case, to the Yahoo login page. The selector’s work is done at this point. The remainder of the protocol flow is standard OpenID 2.0.

This is the standard Yahoo OpenID signin page, which the selector redirected the browser to after I choose to use the suggested Yahoo OpenID. I sign into Yahoo.

The signin page is followed by the standard Yahoo permissions page. I click “Agree”.

After logging with Yahoo, I’m redirected back to Plaxo. Because I’d previously associated my Yahoo OpenID with my Plaxo account, I’m now logged into Plaxo. My status “Michael is demonstrating an OpenID selector at the OpenID Summit”, which I updated live during the demo at the OpenID Summit, is shown.

At this point in the demo, I’ve signed out of Plaxo and returned to the selector-enabled sign-in page. After clicking “Sign in with OpenID” again, the selector reappears.

This time, the selector has remembered the OpenID I last used at the site and tells me when I last used it there. (This is one of the ways that a selector can help protect people from phishing.) By default, the OpenID last used at a relying party is automatically selected – in this case, Yahoo. I click “OK” to select it, with the rest of the flow again being the standard OpenID 2.0 flow.

JanRain selector-enabled several production sites, including interscope.com, uservoice.com, and pibb.com, which use JanRain’s hosted RPX service. This could be done with no impact on users without a selector by using JavaScript to detect whether a selector is present or not, and customizing the page accordingly. The page above is the production Interscope Records page. I click the OpenID button on the right under the “Join The Community” banner.

The OpenID button invokes the RPX “NASCAR” experience. (Arguably, this page could be omitted from the experience if a selector is detected.) I click the OpenID button on the “NASCAR” page.

The selector is invoked by Interscope (really, by RPX) to let me choose an OpenID. My Yahoo OpenID is shown and the “Never used here” tells me that I haven’t used it at this site before. I could choose it by clicking OK or hitting Enter. Instead, I click the “Other OpenIDs” button to explore other options.

The “Other OpenIDs” tile shows me the OpenID providers suggested by Interscope – in this case, Flickr, Yahoo, and Google. I click on the Google suggestion.

The selector has created a Google OpenID card for me to use. It is marked “Verified” because it (like Yahoo) was on a whitelist in the selector and considered “safe” to use. Of course, in production use, such a whitelist would have to be maintained by a neutral third party or parties and dynamically updated. In the prototype, we hard-coded a few common providers so we could show a user experience that relies on a whitelist of OPs, to start the discussion about that possibility. I hit Enter to use the new Google card at Interscope.

Once I chose to use my Google card, the selector redirected me to Google’s signin page, with the actual RP for Interscope being signup.universalmusic.com. I sign into Google.

Following signin, Google asks me permission to release information to signup.universalmusic.com. I allow it.

I’m redirected back to Interscope, which asked me to complete a sign-up process by supplying more information via a web form.

When visiting Interscope again after having signed out, signing in with OpenID shows me that I last used my Google OpenID here. For that reason, it’s selected as the default. I can also see that I haven’t used my Yahoo OpenID here.

Andrew Arnott created the first selector-enabled relying party site for us, which is shown above. I click “Log in using your OpenID Selector”.

Now I have both Yahoo and Google cards, but neither have been used at test-id.org. I notice that I can get more details about my cards, and click “More details” on the Google card.

“More details” tells me where and when I used the card (signup.universalmusic.com), the discovered OpenID endpoint, and that this OpenID was on the selector’s whitelist. I could now use either of these OpenIDs, but I select “Other OpenIDs” instead.

The “Other OpenIDs” panel shows me OPs suggested by the site, as well as a dialog box to enter another OpenID. I decide to enter my blog URL self-issued.info, which is also an OpenID.

Here I’m entering my blog URL self-issued.info into the selector. I then click Verify or OK to have the selector perform discovery on the OpenID to add it as one of my choices.

Discovery has succeeded, but the OP my blog is delegated to, signon.com, is not on the selector’s whitelist. Because it’s not, a warning shield is shown, rather than the OP logo. I’ll also have to make an explicit decision to trust this OpenID provider before the selector will let me use it. The same would have happened if I chose an OP suggested by the RP if the OP was not on the whitelist. This is another aspect of the selector’s phishing protection. I check the “Continue, I trust this provider” box.

After checking the “Continue, I trust this provider” box, the warning shield is replaced by either the OP logo, if it can be discovered, or a generic OpenID logo, as in this case. I click OK to use this OpenID.

The selector follows my delegation link from self-issued.info and redirects me to signon.com. (Ping, are you going to fix the signon.com UX issue above someday?) I sign into signon.com.

Having signed into my OpenID at signon.com, I’m redirected back to the test site, which received an authentication response from the OP. I click “Reset test” to sign out, in preparation for another test.

Upon a second visit to test-id.org, the selector has remembered that I last used the OpenID self-issued.info, which is actually delegated to mbj.signon.com. I click “More details” to learn more about this OpenID.

“More details” tells me where and when I last used the OpenID and that the OpenID has been verified. But unlike my Google OpenID, which was verified via the whitelist, I told the selector to trust this OpenID myself.

At the OpenID Summit, people wanted to see the untrusted user experience again, so I entered an OpenID that I was sure wasn’t on our built-in whitelist – davidrecordon.com. However, verifying the OpenID actually brought me and those in attendance a surprise…

Because davidrecordon.com is delegated to myopenid.com, which is on the whitelist, it turns out that the prototype considered davidrecordon.com to be trusted as well. Upon reflection, this is probably the right behavior, but I’d never seen it until giving the demo live. (Great job, Oren!) I tried factoryjoe.com next and got the same result. Finally Will Norris helped me out by saying that willnorris.com isn’t delegated, so we got to see the untrusted user experience again.

I’d like to thank Chuck Reeves and Oren Melzer for quickly building a killer prototype and to thank Ariel Gordon and Arun Nanda for helping design it, as well as others, both from Microsoft and other companies, who provided feedback that helped us fine-tune it as we built it. See the presentation for a much more comprehensive list of thank-yous.

I’ll close by saying that in the OpenID v.Next planning meeting at IIW, there was an unopposed consensus that optional active client support should be included as a feature of v.Next. Hopefully our demo, as well as those by others, including Markus Sabadello of Higgins, helped the community decide that this is a good idea by enabling people to concretely experience the benefits that an active client can bring to OpenID. If so, I’d call the experiment a success!

8 Comments » Posted under Events & Information Cards & JanRain & OpenID & Phishing Resistance & Software & Windows CardSpace

It’s been an open secret in the identity community for the past several months that the US Government has embarked on an initiative to enable people to sign into US Government web sites using commercial identities. The public announcements of the first steps were made last week during the Gov 2.0 Summit. Now that we can write about the initiative, here’s a personal recap of some of the steps that have gotten us here, and thoughts about what comes next.

• Then-candidate Barack Obama made a commitment to increase people’s access to government services; President Obama issued his Transparency and Open Government memo reinforcing this commitment on his first day in office.
• The federal CIO, Vivek Kundra, requested that the GSA do the ground work to enable people to log into US government web sites using commercially-issued identities using open protocols.
• In parallel to this, the Information Card Foundation, and especially Mary Ruddy, had been working with the GSA on a demo of using Information Cards to sign into government sites. The GSA demonstrated using the Equifax card to sign into a mockup of recovery.gov in April at RSA.
• In April, the GSA, and in particular, the Identity, Credential, and Access Management (ICAM) committee, communicated the need for certification frameworks for identity technologies and identity providers to be used to access government sites. The OpenID Foundation and Information Card Foundation agreed to develop certification programs for their respective technologies and to work with the GSA on profiles for use of the technologies.
• Not long thereafter, the OpenID Foundation and Information Card Foundation made a key decision to work together on aspects of the profiles and certification programs that can be common between the two technologies. Don Thibeau, the OIDF executive director, and Drummond Reed, the ICF executive director, get enormous credit for this decision, which I believe has served both communities well.
• The foundations jointly hired John Bradley to develop profiles for the two technologies. They also hired the same lawyer to look at liability issues.
• The foundations decided to base their profiles as much as possible on the SAML government profile developed by InCommon, so as not to re-invent the wheel.
• ICAM published its Identity Scheme Adoption Process and Trust Framework Provider Adoption Process documents in July. These established criteria for identity technologies and trust framework providers to be accredited for use at US Government sites.
• Based on their work together and with the government, the two foundations published the joint whitepaper “Open Trust Frameworks for Open Government”, with its release timed to coincide with the Open Government Identity Management Solutions Privacy Workshop in August. The whitepaper is available on both OIDF site and the ICF site.
• The privacy characteristics of the draft profiles when used at ICAM Assurance Level 1 (a.k.a. NIST Assurance Level 1) were subjected to public review at the Open Government Identity Management Solutions Privacy Workshop.
• On September 9th, the two foundations jointly announced the Open Identity for Open Government initiative, with Yahoo!, PayPal, Google, Equifax, AOL, VeriSign, Acxiom, Citi, Privo and Wave Systems participating as identity providers. See the press release on the ICF site or the OIDF site.
• On September 9th, US federal CIO Vivek Kundra met with the boards of the OpenID Foundation and Information Card Foundation to discuss progress on the initiative to accept commercial identities at government web sites. He endorsed the idea of starting with three pilot projects that would enable privacy, security, and usability issues to be identified and addressed before a broader rollout. He agreed that two of these pilots should be at ICAM Assurance Level 1 and one at Level 2 or 3.
• The ICAM OpenID 2.0 Profile was published on September 9th.
• At the Gov 2.0 Summit on September 10th, Vivek Kundra described the identity initiative to attendees. His remarks were in the context of things he is doing to make government’s IT investments more efficient. He gave the example of making campground reservations at recreation.gov, which currently requires you to create an account that you’re unlikely to use again soon. He said that since you already have identities from Google or Yahoo or Microsoft, wouldn’t it be better to let you use those identities at the government site?
• ICAM updated the Open Identity Solutions for Open Government page on September 10th. This page should continue to reflect the current state of the initiative.

Of course, despite all the activity above, this is really just the beginning. No government relying parties are yet live, the identity provider certification programs are still being developed, and the Information Card profile is not yet final. Only once sites go live will data start to come in about whether people are able to successfully use commercially-issued identities at the sites, and whether they find this capability useful.

Finally, I’ll note that while government sites will always be only a small fraction of the sites that people use on the Internet, and will typically not be on the cutting edge of innovation, I believe that that this is one of the relatively rare moments where a government initiative is serving as a useful focal point for action within private enterprise. A diverse set of companies and organizations have come together to meet this challenge in a way that would be hard to imagine happening without the government initiative to serve as a catalyst. That’s all good.

We still have a lot to learn and a lot to do. I’m glad we’re getting started.

1 Comment » Posted under Events & Federation & Information Cards & OpenID

In October, Microsoft announced that Windows Live IDs would also be OpenIDs. Today the Live ID team published an analysis of what we have learned in operating the Community Technology Preview (CTP) release of our OpenID provider. The post is well worth read and covers, among other things, lessons learned about aliasing and namespaces, having multiple ways to reach the same functionality, and explaining things to users. Enjoy!

No Comments » Posted under LiveID & OpenID

As I just announced on openid.net, OpenID Provider Authentication Policy Extension 1.0 (PAPE) has just been just been approved as an OpenID specification. Deployment of PAPE will go a long way towards mitigating the phishing vulnerabilities of password-based OpenIDs by enabling OpenID Relying Parties to request that OpenID Providers employ phishing-resistant authentication methods when authenticating users and for OpenID Providers to inform Relying Parties whether this (and other) authentication policies were satisfied.

It’s tempting to say that the approval of the specification is the fulfillment of the promise of the OpenID/CardSpace collaboration for phishing-resistant authentication introduced by Bill Gates and Craig Mundie the RSA Security Conference last year, but it’s really just an enabling step. The true value of PAPE will come when it is widely deployed by security-conscious OpenID Relying Parties, and the use of phishing-resistant authentication methods, such as Information Cards and others, is widespread and commonplace. Let the deployments begin!

1 Comment » Posted under OpenID & Phishing Resistance & Safety & Specifications

The OpenID Foundation just completed its first election for community board seats. 17 candidates ran for 7 seats and 175 out of 217 eligible members voted in the election. My congratulations to Snorri Giorgetti, Nat Sakimura, Chris Messina, David Recordon, Eric Sachs, Scott Kveton, and Brian Kissel for their election as community board members. I look forward to serving on the board with them in January, along with my fellow corporate board members DeWitt Clinton, Tony Nadalin, Gary Krall, and Raj Mata. It looks like a great board!

No Comments » Posted under OpenID & People

Today at the Microsoft Professional Developer Conference (PDC), the Windows LiveID team announced that anyone with a LiveID will soon be able to establish an OpenID for their LiveID. Furthermore, they have established a testing environment where you can try out LiveID’s OpenID support and an e-mail address for you to provide feedback to the team.

One feature of the OpenID 2.0 implementation that I’d like to call your attention to is that they give users a choice, on a per-relying party basis, whether to use a site-specific OpenID URL at the site for privacy reasons, or whether to use a public identifier for yourself – explicitly enabling correlation of your identity interactions on different sites. Here’s what that experience looks like in the preview release:

Read more about the preview release here.

7 Comments » Posted under Events & LiveID & OpenID

The OpenID Provider Authentication Policy Extension (PAPE) specification enables an OpenID Relying Party to request that the OpenID Provider satisfy a set of policies specified by the RP when the OP logs the user in. And it likewise enables the OP to reply to the RP saying which of the policies it satisfied.

One of these policies lets the RP request that the OP perform phishing-resistant authentication, the need for which has been discussed here and elsewhere. Another capability I’m a fan of is the ability for the RP to “freshness date” the login, requiring that the OP actively authenticate the user if the current authentication was performed longer ago than an RP-specified number of seconds.

The PAPE Working Group just recommended that the OpenID Foundation members approve the current draft (Draft 7) as an OpenID specification. Today starts a 60 day review period required as part of the OpenID specification process, which occurs prior to an approval vote by the members. PAPE is the first new specification to be produced under this process, and I’m pleased as an OpenID board member to report we now have an existence proof that the process works (or more precisely, we will once this specification is approved).

There are already four implementations of this spec in existence and even better, there are public testing endpoints for these implementations where you can kick the tires. You can try the DotNetOpenId and JanRain implementations at these sites:

• http://nerdbank.org/pape.demo/
• http://openidenabled.com/php-openid/trunk/examples/consumer/ and http://openidenabled.com/php-openid/trunk/examples/server/server.php
• http://openidenabled.com/python-openid/trunk/examples/consumer/ and http://openidenabled.com/python-openid/trunk/examples/server/
• http://openidenabled.com/ruby-openid/trunk/examples/consumer/ and http://openidenabled.com/ruby-openid/trunk/examples/

You should also be able to test the relying parties with signon.com and myopenid.com, which currently implement earlier drafts, since the authentication policy syntax didn’t change.

This spec was a collaborative effort among a number of people. David Recordon wrote the initial drafts last year, with input from the people thanked in Draft 2. Since then, Nat Sakimura was responsible for the generalization of the authentication levels to enable levels other than just those defined by NIST be used. Ben Laurie was an ardent and practical security advocate (as always). Allen Tom was a proponent of the strong “level 0” description. Andrew Arnott of the DotNetOpenId project shared his experiences building an independent implementation with the working group, helping improve the specification. And John Bradley was a never-ending source of common sense, although he would deny it to your face if asked.

No Comments » Posted under OpenID & Phishing Resistance & Specifications

Congratulations and thanks to Pamela Dingle for publishing a detailed analysis of what that the industry accomplished together during the Third OSIS User-Centric Identity Interop (I3). As Nulli Secundus writes about the paper:

The OSIS I3 Interop was a five-month event in which organizations, individuals, and projects working in the solution spaces of Information Cards and OpenID collaborated to define and demonstrate their ability to transact successfully regardless of differences in hardware or software platform. Participants worked within each solution space to define and test acceptable behaviors for various situations that crop up when loosely coupled solutions communicate with each other via open protocols. Interop participants created results within two different matrices: feature test results which recorded adherence to acceptable behavior when explicitly tested, and cross-solution results which recorded overall interoperability between solutions with complimentary roles. Combined, the participants recorded over 1200 mostly successful results.

As new solutions enter this space and existing solutions add to their feature sets, the OSIS Interop process and results serve as a metric to inform developers what features will contribute to a consistent experience for users and administrators. OSIS Interops have served as a focal point for discussion and feature concentration and a forcing function to solidify the protocols. Overall, much was accomplished but there is still work to be done. By examining participation, contribution to best practices, process and collaboration, discoveries, and obstacles, the Interop process can be refined and improved to give even more value to those involved; by doing so, diversity in product offerings will not result in difficulty for end users.

Many of the learnings and conclusions that Pamela has captured in the paper have informed the Fourth OSIS User-Centric Identity Interop (I4), which is under way and builds on the accomplishments of I3 and the previous interops. Check out the paper and if you have an implementation of Information Card or OpenID software, the time is now to participate in I4!

No Comments » Posted under Information Cards & Interoperability & OpenID

Kim Cameron and I recorded a podcast on digital identity for MySuccessGateway this week at the invitation of Jim Peake of SpeechRep Consulting. Jim was a gracious, informed, and enthusiastic host during our conversation, which covered a wide range of digital identity topics including identity theft, shared secrets, privacy, Information Cards and the Information Card Foundation, the value of verified claims, business models for identity providers, password fatigue, defeating phishing attacks, OpenID, why interoperability is essential and the interoperability testing the industry is doing together to make it a reality, some of the identity products that are shipping and forthcoming, and the Laws of Identity. He even asked us how we felt about Bill Gates’ retirement, as a kicker.

If that sounds interesting to you, give it a listen…

2 Comments » Posted under Claims & Information Cards & Interoperability & OpenID & Phishing Resistance & Privacy & Windows CardSpace

Sean Nolan, chief architect of Microsoft’s HealthVault service, posted an article about giving their users choice for the identities they use to access their information. He announced that in addition to accepting LiveIDs, HealthVault is about to start accepting OpenIDs from two OpenID Providers and is also building native Information Card support. As Sean wrote:

As we’ve always said, HealthVault is about consumer control — empowering individuals with tools that let them choose how to share and safeguard their personal health information. OpenID support is a natural fit for this approach, because it allows users to choose the “locksmith” that they are most comfortable with.

You can certainly expect to see more such options in the future. For example, we are in the process of building in native support for Information Cards, which provide some unique advantages, in particular around foiling phishing attempts.

Talking about OpenID, Sean also wrote:

As we learn more, and as OpenID continues to mature, we fully expect to broaden the set of providers that work with HealthVault. We believe that a critical part of that expansion is the formalization and adoption of PAPE, which gives relying parties a richer set of tools to determine if they are comfortable with the policies of an identity provider.

Please join me in congratulating the HealthVault team on being the first Microsoft service to employ OpenID and for their commitment to providing their users convenient, secure access to their healthcare data.

2 Comments » Posted under Information Cards & LiveID & OpenID & Phishing Resistance

While gone phishing, I discovered that the use of JavaScript puts one barrier up that phishers have to overcome to impersonate a legitimate site. In a characteristically hilarious post, Paul Madsen points out that, besides having to overcome active defenses like Sxipper (“Down girl!”), phishers may also inadvertently present pages localized for their locale, rather than the victim’s.

Intrepid identity adventurer though Paul may be, this stopped him dead in his tracks:

Of course, maybe Paul’s German was better than he thought, as the page was urging him to “Gehen Sie auf Nummer sicher! Schützen Sie sich von Phishing und Identitätsdiebstahl.” – “Go safe! Protect yourself from phishing and identity theft.” :-)

No Comments » Posted under OpenID & Phishing Resistance

Fun Communications’ site idtheft.fun.de lets you mount your very own man-in-the-middle based phishing attack against the OpenID provider of your choosing. Rather than redirecting you to the OpenID provider you specify, it instead redirects you to a page impersonating the OpenID provider, created using content scraped from the real site behind the scenes.

This is the same kind of attack shown in Kim’s phishing video. idtheft.fun.de lets you have the fun of doing it yourself!

I tried it myself with several OpenID providers I use. Predictably, I was typically able to “steal” the passwords for OpenIDs when logging into them with passwords and hijack the resulting logged-in sessions. “Protecting” an account with a one-time-password (OTP) device did nothing to stop this; my “attack” still succeeded in hijacking the session established using a password in combination with an OTP value.

Two things did defeat these attacks. Because Information Cards generate site-specific sign-in information and the attacker’s site is different than the authentic site, even when I was “tricked” into submitting an Information Card to the imposter site, it didn’t give the imposter the ability to log into the real site. No shared secret was present to steal and no session was established to hijack.

The other thing that defeated this specific attack was the use of JavaScript in the sign-in process by the OpenID provider. While a slightly more sophisticated attack could almost certainly get past this obstacle, idtheft.fun.de apparently doesn’t correctly mimic JavaScript site features like “Sign In” buttons invoking an onclick method.

This ability to both phish passwords and hijack the resulting logged-in sessions is exactly why I and others are working on finishing the OpenID Provider Authentication Policy Extension (PAPE) extension. As I wrote when the first draft was published, PAPE enables “OpenID relying parties to request that a phishing-resistant authentication method be used by the OpenID provider and for providers to inform relying parties whether a phishing-resistant authentication method, such as Windows CardSpace, was used.” It’s time for PAPE to become an OpenID standard.

What follows are screen shots from a successful phishing attack and a thwarted one – both against the same OP. The difference is whether passwords or Information Cards were used to log in.

Figure 1: About to mount my attack against my OpenID at myopenid.com. I’ve typed the URL of my OpenID into the relying party.

Figure 2: Next, I’m logging in with a password. An observant user could notice several things wrong: the address bar shows the imposter’s URL, the imposter’s URL is present in the “You must sign in to authenticate to …” message, and the “Your Personal Icon” space is blank. Unfortunately, there is strong evidence that users are not observant.

Figure 3: Phishing already accomplished. Same cues are present that something’s amiss. Of course, a more sophisticated attack could replace the imposter’s URL in the page with the “real one” in both of these screens, eliminating the most obvious cue. I scroll down and click “Allow Once”.

Figure 4: Result after being redirected back to the “relying party”. Yes, that was my real password.

Next, I tried to attack my account again but was surprised that I wasn’t asked to log in this time. Of course – the attacker’s session was already logged in! So I signed out as the man-in-the-middle (that was weird), enabling me to try again.

My next steps looked just like Figures 1 and 2, except instead of typing a password I clicked the purple Information Card button. This brought me to:

Figure 5: CardSpace informs me that I’ve never sent a card to this site before. An observant user would realize that they don’t normally see this screen and might decline. But then, we’ve already discussed how observant users aren’t. I click “Yes”, choose the card I normally use to log into myopenid.com, and send it.

Figure 6: Phishing prevented. “Error processing Information Card token” isn’t the most informative error message I’ve ever seen but behind it is great news: the phishing attack failed because the token constructed for the imposter site wasn’t usable at the real site.

And thanks to idtheft.fun.de, you can try this at home!

16 Comments » Posted under Information Cards & OpenID & Phishing Resistance & Windows CardSpace