Archive for February, 2008

February 21, 2008
Congratulations on the Higgins 1.0 Release

Higgins logoI’d like to extend congratulations to my colleagues from the Higgins Project for their Higgins 1.0 release today. This is a significant milestone in the development and deployment of interoperable identity software that lets people use their Information Cards on any platform or system.

This release includes a broad range of implementations, including Identity Selectors for Linux, FreeBSD, and Mac OS X, support for rich client applications, and a browser-based selector for Firefox on Windows, Linux, and Mac OS X, plus Identity Provider and Relying Party software. They’re even shipping a prototype “Selector Selector”, letting people choose between different Identity Selectors. See their Solutions page for more details.

From a personal perspective, I’ll say that it’s been a pleasure watching Higgins evolve from the vision statements discussed at the Berkman Center Workshops starting in early 2005 to today’s dynamic multi-faceted identity software project. Congratulations to the long-tailed mouse for today’s achievements! I know there’s lots more to come…

February 19, 2008
Re: OpenID kills Windows CardSpace?!

The thing that immediately came to mind when I read the subject of Christian’s post was Mark Twain’s famous remark, upon learning about rumors of his own demise: “The report of my death is an exaggeration”.

Apparently the German press hasn’t been following my blog (I’m hurt but not totally shocked :-)) or Kim’s or JanRain’s or VeriSign’s or Ping Identity’s or Andy’s or Dick’s or David’s or Drummond’s or Scott’s or Paul’s or so many others where we’re all talking about the valuable ways that Information Cards and OpenID work well together. And there’s more than just talk. For instance, the OpenID providers,,, and all enable account creation and login with Information Cards. Is this good for OpenID? Yes! Is it good for CardSpace (and other Identity Selectors)? Yes!

But lest anyone has the perception that Microsoft’s participation in OpenID somehow lessened our commitment to CardSpace, I’ll respond plainly: That is simply not true. I work in the corridors where the CardSpace team is actively building the next version (which incorporates lots of the great feedback we’ve received from users and partners on our present versions) and down the hall from where our server product is being built that will make it easy to issue and accept Information Cards. I can honestly report that both teams are excited, executing on their mission, and moving full speed ahead!

In answer to Christian’s question “Why didn’t Microsoft explain the whole picture in the moment of releasing such news?”, I’ll respond pointing out that the news of February 7th was about Microsoft and others joining the OpenID Foundation board – not about CardSpace, and we were comfortable with that. We are confident enough of the value that CardSpace brings to the table to also openly embrace other identity technologies where they make sense, without feeling that the existence of one diminishes the other. We are confident that others (including many of the leaders in the OpenID community) share this view.

So to our great partners like Christian who are out there rocking, building innovative identity solutions that are part of the “Identity Big Bang” with Information Cards and CardSpace I say this: Congratulations on your fantastic work! We’re fully behind you!

And to our great partners who are also helping create the “Identity Big Bang” by employing OpenID where it makes sense: We salute you too!

The Internet Identity Layer is still very much a work in progress. I’m thrilled to be part of making it happen and to be in a community that is collaborating and building upon one another’s work. And if I were on the outside watching, I certainly wouldn’t be holding my breath wondering if one of these identity technologies is going to “kill” the other one – especially when the truth is that they’re both stronger because of the other.

February 17, 2008
Information Cards, i-names, OpenID, Ruby, and Interop!

ooTao logoMy congratulations to ooTao and LinkSafe for enabling account creation and login at LinkSafe’s i-broker using Information Cards. Building on what I wrote earlier about I-names without Passwords at LinkSafe, Andy Dale recently wrote:

Working together Microsoft, LinkSafe and ooTao have developed the first Info-Card enabled i-broker. You can register for an i-name at LinkSafe and subsequently log in to any OpenID 2.0 relying party without ever entering a password. All of the security can be Info-Card driven.

We have made the Ruby RP Module deployed at LinkSafe available under BSD license along with a simple ‘hello world’ app that demonstrates driving the module.

inames logoSee Andy’s post for instructions on where to get the software and for a demo site where you can try it out.

And as long as I’m on the topic of trying out software, I thought I’d mention that the latest OSIS User-Centric Identity Interop is under way! Visit the new OSIS page and browse through the Interop Participants, the Software Solutions, and the Cross Solution Results. There’s more to come, including more participants (contact me if you’re interested!) and feature-specific tests, but I wanted to let people know that we’re out there testing our software together now, including both Information Card and OpenID implementations, with Interop demonstrations to occur at the RSA Conference in April. And of course, ooTao and LinkSafe are participating!

February 7, 2008
Microsoft Joins the OpenID Foundation and its Board of Directors

OpenID logoToday the OpenID Foundation announced that five leading technology companies, Google, IBM, Microsoft, VeriSign, and Yahoo! have joined the OpenID board of directors as its first corporate board members. This news comes a year and a day after the JanRain/Sxip Identity/Microsoft/VeriSign OpenID/CardSpace collaboration announcement introduced by Bill Gates and Craig Mundie at the RSA Security Conference.

How are these events related, you might ask? As I see it, they’re both great examples of the industry working together to solve the digital identity problems that all Internet users presently face – in these cases, both in the context of OpenID.

A lot’s happened over that year-and-a-day that’s worth celebrating:

From a personal perspective, I’ve enjoyed working with colleagues from numerous companies (including from my own!) to help get us to today’s announcement, as well as working to bring safer, easier-to-user login and account creation to OpenIDs via Information Cards. Thus, I’m both pleased and honored to now be representing Microsoft on the OpenID Foundation board of directors.

Of course, today’s announcement is really only the end of the beginning. The real fun and value is still ahead of us, in the work we’ll do together. The draft PAPE specification needs to be completed. We need to drive relying party adoption of phishing-resistant authentication. And talk of an OpenID 3.0 that’s both easier and safer to use is already percolating on the mailing lists.

The Internet is still missing a much-needed ubiquitous identity layer. The good news is that the broad industry collaboration that has emerged around OpenID is a key enabler for building it together!

February 7, 2008
Information Card Relying Party Software for Python

While you’ve seen posts about Information Card Relying Party code for lots of programming languages and environments here (ASP.Net, Ruby, Java, PHP, C) one language I haven’t posted about before is Python. To make up for that, here’s information about two Python implementations.

Bandit Code logoTurns out that the Bandits, in their inimitable style, have been quietly churning out useful code. In this case, Duane Buss built Python relying party code to use at the Bandit Project’s Code pages (Bandit Trac) and also released it for general use. After only minimal cajoling, he also created a demo Python relying party.

JanRain logoMeanwhile JanRain, another group well-known for producing high-quality identity code, also built a Python relying party implementation, in their case to use at As Brian Ellin just wrote, JanRain has released their Python code for accepting self-issued Information Cards for all to use. Have at it, Python hackers!

February 7, 2008
ANSI-BBB Identity Theft Prevention and Identity Management Standards Panel Final Report

ANSI-BBB Identity Theft Prevention and Identity Management Standards PanelThe ANSI-BBB Identity Theft Prevention and Identity Management Standards Panel recently issued its final report. Quoting from the report announcement:

Launched in September 2006, the IDSP was established by the American National Standards Institute (ANSI) and Better Business Bureau (BBB) to identify and catalog existing standards, guidelines, and best practices related to identity theft prevention.
Panel members considered the entire life cycle of identity management: from the issuance of identity documents by government and commercial entities, to the acceptance and exchange of identity data, and to the ongoing maintenance and management of identity information. Hundreds of documents – including the applicable laws, regulations, proposed legislation, white papers, and research studies and reports – are identified in the catalog.
The report also includes recommendations for business and government agencies to:

  • enhance the security of identity issuance processes to facilitate greater interoperability between the government and commercial sectors;
  • improve the integrity of identity credentials;
  • strengthen best practices for authentication;
  • augment data security management best practices such as the use and storage of Social Security numbers;
  • create uniform guidance for organizations on data breach notification and remediation;
  • increase consumer understanding of ID theft preventative strategies, including the benefits and limitations of security freezes.

This report provides one of the most comprehensive looks to date at the problem of identity theft and the fraud that accompanies it. It both surveys the current identity landscape and makes recommendations for business, government, and consumers to mitigate these threats both in the offline and online environments.