Musings on Digital Identity

Category: OpenID Page 9 of 10

Lessons Learned from Microsoft’s OpenID Provider CTP

In October, Microsoft announced that Windows Live IDs would also be OpenIDs. Today the Live ID team published an analysis of what we have learned in operating the Community Technology Preview (CTP) release of our OpenID provider. The post is well worth reading and covers, among other things, lessons learned about aliasing and namespaces, having multiple ways to reach the same functionality, and explaining things to users. Enjoy!

PAPE Specification Approved and Ready for Use

As I just announced on openid.net, OpenID Provider Authentication Policy Extension 1.0 (PAPE) has just been approved as an OpenID specification. Deployment of PAPE will go a long way towards mitigating the phishing vulnerabilities of password-based OpenIDs by enabling OpenID Relying Parties to request that OpenID Providers employ phishing-resistant authentication methods when authenticating users and for OpenID Providers to inform Relying Parties whether this (and other) authentication policies were satisfied.

It’s tempting to say that the approval of the specification is the fulfillment of the promise of the OpenID/CardSpace collaboration for phishing-resistant authentication introduced by Bill Gates and Craig Mundie at the RSA Security Conference last year, but it’s really just an enabling step. The true value of PAPE will come when it is widely deployed by security-conscious OpenID Relying Parties, and the use of phishing-resistant authentication methods, such as Information Cards and others, is widespread and commonplace. Let the deployments begin!

First OpenID Board Election

The OpenID Foundation just completed its first election for community board seats. 17 candidates ran for 7 seats and 175 out of 217 eligible members voted in the election. My congratulations to Snorri Giorgetti, Nat Sakimura, Chris Messina, David Recordon, Eric Sachs, Scott Kveton, and Brian Kissel for their election as community board members. I look forward to serving on the board with them in January, along with my fellow corporate board members DeWitt Clinton, Tony Nadalin, Gary Krall, and Raj Mata. It looks like a great board!

First News from the PDC: Windows LiveID Becoming an OpenID Provider

Today at the Microsoft Professional Developer Conference (PDC), the Windows LiveID team announced that anyone with a LiveID will soon be able to establish an OpenID for their LiveID. Furthermore, they have established a testing environment where you can try out LiveID’s OpenID support and an e-mail address for you to provide feedback to the team.

One feature of the OpenID 2.0 implementation that I’d like to call your attention to is that they give users a choice, on a per-relying party basis, whether to use a site-specific OpenID URL at the site for privacy reasons, or whether to use a public identifier for yourself — explicitly enabling correlation of your identity interactions on different sites. Here’s what that experience looks like in the preview release:

LiveID OpenID choice

Read more about the preview release here.

PAPE Specification Entering Public Review Period

The OpenID Provider Authentication Policy Extension (PAPE) specification enables an OpenID Relying Party to request that the OpenID Provider satisfy a set of policies specified by the RP when the OP logs the user in. And it likewise enables the OP to reply to the RP saying which of the policies it satisfied.

One of these policies lets the RP request that the OP perform phishing-resistant authentication, the need for which has been discussed here and elsewhere. Another capability I’m a fan of is the ability for the RP to “freshness date” the login, requiring that the OP actively authenticate the user if the current authentication was performed longer ago than an RP-specified number of seconds.
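The two PAPE capabilities described above (and in the approval announcement earlier on this page), worked through on the Relying Party side as an added example; this is not code from the page or from any OpenID library. It builds the parameters an RP adds to its authentication request to ask for phishing-resistant login no older than a given number of seconds, then checks the OP's reply. The parameter names and policy URIs are those of PAPE 1.0; the sample responses in the test are constructed.

```python
"""RP-side handling of a PAPE request and response (added example)."""
from datetime import datetime, timezone

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"
POLICY_NONE = "http://schemas.openid.net/pape/policies/2007/06/none"


def build_pape_request(policies, max_auth_age=None):
    """Return the openid.pape.* parameters the RP adds to its checkid request.

    max_auth_age is the "freshness date": the OP must actively authenticate
    the user if the current authentication is older than this many seconds.
    """
    params = {
        "openid.ns.pape": PAPE_NS,
        "openid.pape.preferred_auth_policies": " ".join(policies),
    }
    if max_auth_age is not None:
        params["openid.pape.max_auth_age"] = str(int(max_auth_age))
    return params


def parse_pape_time(value):
    """PAPE carries UTC timestamps such as 2008-10-27T17:11:51Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_pape_response(response, required_policies, max_auth_age=None, now=None):
    """Decide whether the OP's reply satisfies what the RP asked for.

    Returns (ok, reason). The openid.pape.* fields are only meaningful if
    they were covered by the OpenID signature, which normal OpenID response
    verification establishes before this function is called (assumed here).
    `now` may be a datetime or a PAPE-format timestamp string; it defaults
    to the current time.
    """
    if response.get("openid.ns.pape") != PAPE_NS:
        return False, "OP did not answer with PAPE"
    satisfied = set(response.get("openid.pape.auth_policies", "").split())
    satisfied.discard(POLICY_NONE)  # "none" means no policy was applied
    missing = set(required_policies) - satisfied
    if missing:
        return False, "policy not satisfied: " + " ".join(sorted(missing))
    if max_auth_age is not None:
        auth_time = response.get("openid.pape.auth_time")
        if not auth_time:
            return False, "max_auth_age requested but OP gave no auth_time"
        if now is None:
            now = datetime.now(timezone.utc)
        elif isinstance(now, str):
            now = parse_pape_time(now)
        age = (now - parse_pape_time(auth_time)).total_seconds()
        if age < 0 or age > max_auth_age:
            return False, f"authentication too old ({int(age)}s)"
    return True, "ok"
```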

The PAPE Working Group just recommended that the OpenID Foundation members approve the current draft (Draft 7) as an OpenID specification. Today starts a 60 day review period required as part of the OpenID specification process, which occurs prior to an approval vote by the members. PAPE is the first new specification to be produced under this process, and I’m pleased as an OpenID board member to report we now have an existence proof that the process works (or more precisely, we will once this specification is approved).

There are already four implementations of this spec in existence and even better, there are public testing endpoints for these implementations where you can kick the tires. You can try the DotNetOpenId and JanRain implementations at these sites:

You should also be able to test the relying parties with signon.com and myopenid.com, which currently implement earlier drafts, since the authentication policy syntax didn’t change.

This spec was a collaborative effort among a number of people. David Recordon wrote the initial drafts last year, with input from the people thanked in Draft 2. Since then, Nat Sakimura was responsible for the generalization of the authentication levels to enable levels other than just those defined by NIST to be used. Ben Laurie was an ardent and practical security advocate (as always). Allen Tom was a proponent of the strong “level 0” description. Andrew Arnott of the DotNetOpenId project shared his experiences building an independent implementation with the working group, helping improve the specification. And John Bradley was a never-ending source of common sense, although he would deny it to your face if asked.

Analysis of the Third OSIS User-Centric Identity Interop

Congratulations and thanks to Pamela Dingle for publishing a detailed analysis of what the industry accomplished together during the Third OSIS User-Centric Identity Interop (I3). As Nulli Secundus writes about the paper:

The OSIS I3 Interop was a five-month event in which organizations, individuals, and projects working in the solution spaces of Information Cards and OpenID collaborated to define and demonstrate their ability to transact successfully regardless of differences in hardware or software platform. Participants worked within each solution space to define and test acceptable behaviors for various situations that crop up when loosely coupled solutions communicate with each other via open protocols. Interop participants created results within two different matrices: feature test results which recorded adherence to acceptable behavior when explicitly tested, and cross-solution results which recorded overall interoperability between solutions with complementary roles. Combined, the participants recorded over 1200 mostly successful results.

As new solutions enter this space and existing solutions add to their feature sets, the OSIS Interop process and results serve as a metric to inform developers what features will contribute to a consistent experience for users and administrators. OSIS Interops have served as a focal point for discussion and feature concentration and a forcing function to solidify the protocols. Overall, much was accomplished but there is still work to be done. By examining participation, contribution to best practices, process and collaboration, discoveries, and obstacles, the Interop process can be refined and improved to give even more value to those involved; by doing so, diversity in product offerings will not result in difficulty for end users.

Many of the learnings and conclusions that Pamela has captured in the paper have informed the Fourth OSIS User-Centric Identity Interop (I4), which is under way and builds on the accomplishments of I3 and the previous interops. Check out the paper and if you have an implementation of Information Card or OpenID software, the time is now to participate in I4!

Digital Identity Podcast for MySuccessGateway

Kim Cameron and I recorded a podcast on digital identity for MySuccessGateway this week at the invitation of Jim Peake of SpeechRep Consulting. Jim was a gracious, informed, and enthusiastic host during our conversation, which covered a wide range of digital identity topics including identity theft, shared secrets, privacy, Information Cards and the Information Card Foundation, the value of verified claims, business models for identity providers, password fatigue, defeating phishing attacks, OpenID, why interoperability is essential and the interoperability testing the industry is doing together to make it a reality, some of the identity products that are shipping and forthcoming, and the Laws of Identity. He even asked us how we felt about Bill Gates’ retirement, as a kicker.

If that sounds interesting to you, give it a listen.

Identity Choice at HealthVault

Sean Nolan, chief architect of Microsoft’s HealthVault service, posted an article about giving their users choice for the identities they use to access their information. He announced that in addition to accepting LiveIDs, HealthVault is about to start accepting OpenIDs from two OpenID Providers and is also building native Information Card support. As Sean wrote:

As we’ve always said, HealthVault is about consumer control — empowering individuals with tools that let them choose how to share and safeguard their personal health information. OpenID support is a natural fit for this approach, because it allows users to choose the “locksmith” that they are most comfortable with.

You can certainly expect to see more such options in the future. For example, we are in the process of building in native support for Information Cards, which provide some unique advantages, in particular around foiling phishing attempts.

Talking about OpenID, Sean also wrote:

As we learn more, and as OpenID continues to mature, we fully expect to broaden the set of providers that work with HealthVault. We believe that a critical part of that expansion is the formalization and adoption of PAPE, which gives relying parties a richer set of tools to determine if they are comfortable with the policies of an identity provider.

Please join me in congratulating the HealthVault team on being the first Microsoft service to employ OpenID and for their commitment to providing their users convenient, secure access to their healthcare data.

Even Phishers Have Their Problems

While gone phishing, I discovered that the use of JavaScript puts one barrier up that phishers have to overcome to impersonate a legitimate site. In a characteristically hilarious post, Paul Madsen points out that, besides having to overcome active defenses like Sxipper (“Down girl!”), phishers may also inadvertently present pages localized for their locale, rather than the victim’s.

Intrepid identity adventurer though Paul may be, this stopped him dead in his tracks:

Deutsche Blogger login

Of course, maybe Paul’s German was better than he thought, as the page was urging him to “Gehen Sie auf Nummer sicher! Schützen Sie sich von Phishing und Identitätsdiebstahl.” — “Go safe! Protect yourself from phishing and identity theft.” :-)

Gone Phishing

Fun Communications‘ site idtheft.fun.de lets you mount your very own man-in-the-middle based phishing attack against the OpenID provider of your choosing. Rather than redirecting you to the OpenID provider you specify, it instead redirects you to a page impersonating the OpenID provider, created using content scraped from the real site behind the scenes.

This is the same kind of attack shown in Kim’s phishing video. idtheft.fun.de lets you have the fun of doing it yourself!

I tried it myself with several OpenID providers I use. Predictably, I was typically able to “steal” the passwords for OpenIDs when logging into them with passwords and hijack the resulting logged-in sessions. “Protecting” an account with a one-time-password (OTP) device did nothing to stop this; my “attack” still succeeded in hijacking the session established using a password in combination with an OTP value.

Two things did defeat these attacks. Because Information Cards generate site-specific sign-in information and the attacker’s site is different than the authentic site, even when I was “tricked” into submitting an Information Card to the imposter site, it didn’t give the imposter the ability to log into the real site. No shared secret was present to steal and no session was established to hijack.

The other thing that defeated this specific attack was the use of JavaScript in the sign-in process by the OpenID provider. While a slightly more sophisticated attack could almost certainly get past this obstacle, idtheft.fun.de apparently doesn’t correctly mimic JavaScript site features like “Sign In” buttons invoking an onclick method.

This ability to both phish passwords and hijack the resulting logged-in sessions is exactly why I and others are working on finishing the OpenID Provider Authentication Policy Extension (PAPE) extension. As I wrote when the first draft was published, PAPE enables “OpenID relying parties to request that a phishing-resistant authentication method be used by the OpenID provider and for providers to inform relying parties whether a phishing-resistant authentication method, such as Windows CardSpace, was used.” It’s time for PAPE to become an OpenID standard.


What follows are screen shots from a successful phishing attack and a thwarted one — both against the same OP. The difference is whether passwords or Information Cards were used to log in.

Figure 1: idtheft start

Figure 1: About to mount my attack against my OpenID at myopenid.com. I’ve typed the URL of my OpenID into the relying party.

Figure 2: idtheft signin

Figure 2: Next, I’m logging in with a password. An observant user could notice several things wrong: the address bar shows the imposter’s URL, the imposter’s URL is present in the “You must sign in to authenticate to …” message, and the “Your Personal Icon” space is blank. Unfortunately, there is strong evidence that users are not observant.

Figure 3: idtheft allow

Figure 3: Phishing already accomplished. Same cues are present that something’s amiss. Of course, a more sophisticated attack could replace the imposter’s URL in the page with the “real one” in both of these screens, eliminating the most obvious cue. I scroll down and click “Allow Once”.

Figure 4: idtheft accomplished

Figure 4: Result after being redirected back to the “relying party”. Yes, that was my real password.

Next, I tried to attack my account again but was surprised that I wasn’t asked to log in this time. Of course — the attacker’s session was already logged in! So I signed out as the man-in-the-middle (that was weird), enabling me to try again.

My next steps looked just like Figures 1 and 2, except instead of typing a password I clicked the purple Information Card button. This brought me to:

Figure 5: idtheft cardspace

Figure 5: CardSpace informs me that I’ve never sent a card to this site before. An observant user would realize that they don’t normally see this screen and might decline. But then, we’ve already discussed how observant users aren’t. I click “Yes”, choose the card I normally use to log into myopenid.com, and send it.

Figure 6: idtheft prevented

Figure 6: Phishing prevented. “Error processing Information Card token” isn’t the most informative error message I’ve ever seen but behind it is great news: the phishing attack failed because the token constructed for the imposter site wasn’t usable at the real site.

And thanks to idtheft.fun.de, you can try this at home!

Fun Communication’s Fun Identity Innovations

Johannes Feulner of Fun Communications recently showed me three different identity sites they’ve created, each fun and valuable in its own way. The first, www.webcard-loyalty.com, lets companies create online loyalty cards for their customers. These loyalty Information Cards enable merchants to offer bonuses and discounts when the cards are used, similarly to how physical loyalty cards such as frequent flyer cards and frequent shopper cards are used to provide these benefits in the offline world. You can read more about “virtual loyalty cards” and about the innovation prize they won.

The second, openidbycard.com, dynamically creates a site-specific OpenID to use at an OpenID relying party from any Information Card offering the privatepersonalidentifier (PPID) claim. Type “openidbycard.com” as your OpenID identifier into any OpenID login form and an OpenID will be created for the site based on the site identity and the PPID returned by the card. While I understand the value of using public identifiers (such as self-issued.info) in some contexts, it’s great to also have the choice of using unidirectional identifiers at OpenID sites.

Finally, idtheft.fun.de demonstrates the ability of attackers to mount man-in-the-middle attacks against OpenID sites (and lets you try it yourself!). The site phishes OpenID passwords and other information sent through the browser, all via web pages that look authentic, but that are actually under control of the attacker. This will be the subject of my next post.
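A model of why the Information Card login in the “Gone Phishing” post above survived the idtheft.fun.de man-in-the-middle while passwords did not, and of the site-specific identifiers openidbycard.com derives from a PPID. This is an added example, not CardSpace code and not Fun Communications’ demo: a card derives an unrelated PPID and proof key for each site it is shown to, and its token names the site it was built for, so the imposter ends up holding a token the real OP rejects. The master key, HMAC-SHA256 derivation and the opaque OpenID tag are constructed stand-ins (CardSpace uses a per-site RSA key pair, so a site only ever stores a public key).

```python
"""Site-bound Information Card tokens versus a man-in-the-middle (added model)."""
import base64
import hashlib
import hmac

REAL_OP = "https://www.myopenid.com/"   # the OP the card is normally used at (from the post)
IMPOSTER = "https://idtheft.fun.de/"    # the impersonating page from the post


class SelfIssuedCard:
    def __init__(self, master_key: bytes):
        self._master = master_key  # constructed secret; never leaves the card

    def _derive(self, label: str, site: str) -> bytes:
        # Everything the card releases is keyed to the site identity it sees
        return hmac.new(self._master, f"{label}|{site}".encode(), hashlib.sha256).digest()

    def ppid_for(self, site: str) -> str:
        """Site-specific identifier: unrelated values at different sites."""
        return base64.b64encode(self._derive("ppid", site)).decode()

    def registration_material(self, site: str):
        """What a site stores at account creation (a public key in CardSpace;
        a symmetric stand-in here)."""
        return self.ppid_for(site), self._derive("key", site)

    def token_for(self, site: str) -> dict:
        """Token released when `site` asks for the card; carries its audience."""
        ppid = self.ppid_for(site)
        proof = hmac.new(self._derive("key", site), f"{site}|{ppid}".encode(),
                         hashlib.sha256).hexdigest()
        return {"aud": site, "ppid": ppid, "proof": proof}


class OpenIDProvider:
    def __init__(self, site: str):
        self.site = site
        self._accounts = {}  # ppid -> proof key registered with this site

    def register(self, ppid: str, key: bytes):
        self._accounts[ppid] = key

    def login(self, token: dict):
        """Return (ok, reason). Each failure path is one a replayed token hits."""
        if token.get("aud") != self.site:
            return False, "token was issued for another site"
        key = self._accounts.get(token.get("ppid"))
        if key is None:
            return False, "unknown PPID"
        expected = hmac.new(key, f"{self.site}|{token['ppid']}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token.get("proof", "")):
            return False, "proof does not verify"
        return True, "ok"


def site_specific_identifier(rp_site: str, ppid: str) -> str:
    """Unidirectional identifier in the spirit of openidbycard.com: a function
    of the relying party identity and the PPID, so two RPs cannot correlate it.
    Returned as an opaque tag; how the site maps it to a URL is not modelled."""
    return hashlib.sha256(f"{rp_site}|{ppid}".encode()).hexdigest()[:16]


def phishing_outcome(card: SelfIssuedCard):
    """Register the card at the real OP, then see what a token captured by
    the imposter page is worth there. Returns (replayed, audience_rewritten)."""
    real = OpenIDProvider(REAL_OP)
    real.register(*card.registration_material(REAL_OP))
    if not real.login(card.token_for(REAL_OP))[0]:
        raise RuntimeError("legitimate login should succeed")
    captured = card.token_for(IMPOSTER)          # what the user sent to the imposter
    replayed = real.login(captured)              # fails: audience is the imposter
    rewritten = real.login(dict(captured, aud=REAL_OP))  # fails: PPID is per-site
    return replayed, rewritten
```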

IBM Product Release for Information Cards and OpenID

As reported in InternetNews (and brought to my attention by Tony Nadalin), IBM has expanded the scope of its Tivoli Federated Identity Manager product to include support for Information Cards and OpenID. This is a fantastic development, as it puts software enabling use of these user-centric identity technologies into the hands of IBM’s numerous important customers, ranging from enterprises to Internet businesses. Congratulations to IBM and the Tivoli team for this significant achievement!

User-Centric Identity Interop at RSA in San Francisco

33 Companies…
24 Projects…
57 Participants working together to build an interoperable user-centric identity layer for the Internet!

Come join us!

Tuesday and Wednesday, April 8 and 9 at RSA 2008, Moscone Center, San Francisco, California
Location: Mezzanine Level Room 220
Interactive Working Sessions: Tuesday and Wednesday, 11am – 4pm
Demonstrations: Tuesday and Wednesday, 4pm – 6pm
Reception: Wednesday, 4pm – 6pm

Logos of RSA 2008 Interop Participants

Interops in Progress

Two important identity interoperability demonstrations will occur at RSA two weeks from now: the OSIS User-Centric Identity Interop and the Concordia Multi-Protocol Federation Interop. During both you’ll see different projects and vendors publicly showing their identity software working together. But what you won’t see at the conference is what’s happening right now — the engineers behind these implementations working together to refine their deployments and their software to ensure that solutions that should work together in theory actually do in practice.

Like the previous OSIS Interop, the current one is testing both Information Card and OpenID implementations — sometimes in combination. I’m especially excited about this Interop for three reasons. First, the set of participants has expanded again by over 50% and includes many commercial deployments of these relatively new technologies. Second, much deeper testing is occurring than ever before. Thanks, in part, to significant efforts by Pamela Dingle and the Microsoft Identity Lab team, during this Interop not only are people trying their implementations with one another’s — they’re also systematically testing their support for an important range of protocol features using interop endpoints designed and deployed for this very purpose. Third, this Interop won’t end when the conference ends. Most of the participants plan to leave their endpoints up after the conference is over, enabling new participants to join and test later and for existing participants to re-test their implementations against the others when they deploy new versions. Visit the OSIS Interop demonstrations in person if you can, especially between 4:00-6:00 on both Tuesday and Wednesday during the conference.

The Concordia Interop is showing the use of Information Cards to sign into both SAML 2.0 and WS-Federation based federations. Both these federations are using SAML 2.0 tokens carrying consistent authentication context information. (I believe that this is the first public demonstration of WS-Federation implementations using SAML 2.0 tokens.) Furthermore, the Concordia Interop demonstrates the ability to bridge between WS-Federation and SAML federations, allowing identities originating in one to be used to authenticate to services in the other. Visit the Concordia workshop during the conference on Monday from 9:00-12:30.

Finally, I’m not the only one excited by these Interops. Axel Nennker, Francis Shanahan, Gerald Beuchelt, Prabath Siriwardena, Scott Kveton, Vittorio Bertocci, and Will Norris have all written about the upcoming OSIS Interop. There’s also a press release from the Concordia project. Hope to see many of you at RSA!

Re: OpenID kills Windows CardSpace?!

The thing that immediately came to mind when I read the subject of Christian’s post was Mark Twain’s famous remark, upon learning about rumors of his own demise: “The report of my death is an exaggeration”.

Apparently the German press hasn’t been following my blog (I’m hurt but not totally shocked :-)) or Kim’s or JanRain’s or VeriSign’s or Ping Identity’s or Andy’s or Dick’s or David’s or Drummond’s or Scott’s or Paul’s or so many others where we’re all talking about the valuable ways that Information Cards and OpenID work well together. And there’s more than just talk. For instance, the OpenID providers LinkSafe.name, MyOpenID.com, PIP.VeriSignLabs.com, and SignOn.com all enable account creation and login with Information Cards. Is this good for OpenID? Yes! Is it good for CardSpace (and other Identity Selectors)? Yes!

But lest anyone has the perception that Microsoft’s participation in OpenID somehow lessened our commitment to CardSpace, I’ll respond plainly: That is simply not true. I work in the corridors where the CardSpace team is actively building the next version (which incorporates lots of the great feedback we’ve received from users and partners on our present versions) and down the hall from where our server product is being built that will make it easy to issue and accept Information Cards. I can honestly report that both teams are excited, executing on their mission, and moving full speed ahead!

In answer to Christian’s question “Why didn’t Microsoft explain the whole picture in the moment of releasing such news?”, I’ll respond pointing out that the news of February 7th was about Microsoft and others joining the OpenID Foundation board — not about CardSpace, and we were comfortable with that. We are confident enough of the value that CardSpace brings to the table to also openly embrace other identity technologies where they make sense, without feeling that the existence of one diminishes the other. We are confident that others (including many of the leaders in the OpenID community) share this view.

So to our great partners like Christian who are out there rocking, building innovative identity solutions that are part of the “Identity Big Bang” with Information Cards and CardSpace I say this: Congratulations on your fantastic work! We’re fully behind you!

And to our great partners who are also helping create the “Identity Big Bang” by employing OpenID where it makes sense: We salute you too!

The Internet Identity Layer is still very much a work in progress. I’m thrilled to be part of making it happen and to be in a community that is collaborating and building upon one another’s work. And if I were on the outside watching, I certainly wouldn’t be holding my breath wondering if one of these identity technologies is going to “kill” the other one — especially when the truth is that they’re both stronger because of the other.

Information Cards, i-names, OpenID, Ruby, and Interop!

My congratulations to ooTao and LinkSafe for enabling account creation and login at LinkSafe’s i-broker using Information Cards. Building on what I wrote earlier about I-names without Passwords at LinkSafe, Andy Dale recently wrote:

Working together Microsoft, LinkSafe and ooTao have developed the first Info-Card enabled i-broker. You can register for an i-name at LinkSafe and subsequently log in to any OpenID 2.0 relying party without ever entering a password. All of the security can be Info-Card driven.

We have made the Ruby RP Module deployed at LinkSafe available under BSD license along with a simple ‘hello world’ app that demonstrates driving the module.

See Andy’s post for instructions on where to get the software and for a demo site where you can try it out.

And as long as I’m on the topic of trying out software, I thought I’d mention that the latest OSIS User-Centric Identity Interop is under way! Visit the new OSIS page and browse through the Interop Participants, the Software Solutions, and the Cross Solution Results. There’s more to come, including more participants (contact me if you’re interested!) and feature-specific tests, but I wanted to let people know that we’re out there testing our software together now, including both Information Card and OpenID implementations, with Interop demonstrations to occur at the RSA Conference in April. And of course, ooTao and LinkSafe are participating!

Microsoft Joins the OpenID Foundation and its Board of Directors

Today the OpenID Foundation announced that five leading technology companies, Google, IBM, Microsoft, VeriSign, and Yahoo!, have joined the OpenID board of directors as its first corporate board members. This news comes a year and a day after the JanRain/Sxip Identity/Microsoft/VeriSign OpenID/CardSpace collaboration announcement introduced by Bill Gates and Craig Mundie at the RSA Security Conference.

How are these events related, you might ask? As I see it, they’re both great examples of the industry working together to solve the digital identity problems that all Internet users presently face — in these cases, both in the context of OpenID.

A lot’s happened over that year-and-a-day that’s worth celebrating:

From a personal perspective, I’ve enjoyed working with colleagues from numerous companies (including from my own!) to help get us to today’s announcement, as well as working to bring safer, easier-to-use login and account creation to OpenIDs via Information Cards. Thus, I’m both pleased and honored to now be representing Microsoft on the OpenID Foundation board of directors.

Of course, today’s announcement is really only the end of the beginning. The real fun and value is still ahead of us, in the work we’ll do together. The draft PAPE specification needs to be completed. We need to drive relying party adoption of phishing-resistant authentication. And talk of an OpenID 3.0 that’s both easier and safer to use is already percolating on the mailing lists.

The Internet is still missing a much-needed ubiquitous identity layer. The good news is that the broad industry collaboration that has emerged around OpenID is a key enabler for building it together!

New Years Gift: OpenID Intellectual Property Policy Approved

As Scott Kveton just posted, earlier this month the OpenID Foundation board approved OpenID Intellectual Property Policy and Procedures documents. These are designed to achieve two goals:

  • Ensuring that contributors to OpenID specifications make intellectual property declarations for relevant inventions that they own so that everyone can freely use those specifications.
  • Defining procedures for working groups to use when developing future OpenID specifications that enable all to participate.

In addition to those Scott thanked, I’d also like to extend sincere thanks to Ron Moore of Microsoft and David Daggett of K&L Gates, both of whose legal expertise was essential to this accomplishment.

This is a significant digital identity accomplishment to finish 2007 with. Happy New Years everyone!

I-names without Passwords at LinkSafe

I’m pleased to report that ooTao and LinkSafe have recently collaborated to enable you to create and use i-names with Information Cards rather than passwords. They’ve achieved for LinkSafe.name what JanRain did for MyOpenID.com. Below is a screen shot of me signing up for an i-name using an Information Card, rather than a password. Now when you see someone signed in to a site with the OpenID =me, you’ll know who it actually is!

LinkSafe.name i-name signup with Information Card

OpenID 2.0 Specifications Complete

This morning at the Internet Identity Workshop, the OpenID Foundation announced that the OpenID 2.0 Specification and a set of related specifications are now complete. Furthermore, Intellectual Property Contribution Agreements have been executed by all the contributors to these specifications.

Here’s a camera-phone photo of Dick Hardt of Sxip Identity, Josh Hoyt of JanRain, and David Recordon of Six Apart making the announcement. Congratulations to the OpenID community on this significant accomplishment!

Dick Hardt, Josh Hoyt, and David Recordon announcing that the OpenID 2.0 specifications are complete

