Archive for the 'Events' Category

June 29, 2022
OAuth DPoP Presentation at Identiverse 2022

OAuth logoHere’s the DPoP presentation that Pieter Kasselman and I gave at the 2022 Identiverse conference:

  • Bad actors are stealing your OAuth tokens, giving them control over your information – OAuth DPoP (Demonstration of Proof of Possession) is what we’re doing about it (PowerPoint) (PDF)

A few photographs that workation photographer Brian Campbell took during the presentation follow.

Mike Presenting:

Mike Presenting

Who is that masked man???

Who is that masked man???

Pieter Presenting:

Pieter Presenting

May 4, 2022
OAuth DPoP Specification Addressing WGLC Comments

OAuth logoBrian Campbell has published an updated OAuth DPoP draft addressing the Working Group Last Call (WGLC) comments received. All changes were editorial in nature. The most substantive change was further clarifying that either iat or nonce can be used alone in validating the timeliness of the proof, somewhat deemphasizing jti tracking.

As Brian reminded us during the OAuth Security Workshop today, the name DPoP was inspired by a Deutsche POP poster he saw on the S-Bahn during the March 2019 OAuth Security Workshop in Stuttgart:

Deutsche POP in Stuttgart

He considered it an auspicious sign seeing another Deutsche PoP sign in the Vienna U-Bahn during IETF 113 the same day WGLC was requested!

Deutsche POP in Vienna

The specification is available at:

April 26, 2022
OpenID Presentations at April 2022 OpenID Workshop and IIW

OpenID logoI gave the following presentations at the Monday, April 25, 2022 OpenID Workshop at Google:

I also gave the following invited “101” session presentation at the Internet Identity Workshop (IIW) on Tuesday, October 1, 2019:

December 19, 2021
Stories of Kim Cameron

Kim Cameron LaughingSince Kim’s passing, I’ve been reflecting on his impact on my life and remembering some of the things that made him special. Here’s a few stories I’d like to tell in his honor.

Kim was more important to my career and life than most people know. Conversations with him in early 2005 led me to leave Microsoft Research and join his quest to “Build the Internet’s missing identity layer” – a passion that still motivates me to this day.

Within days of me joining the identity quest, Kim asked me to go with him to the first gathering of the Identity Gang at PC Forum in Scottsdale, Arizona. Many of the people that I met there remain important in my professional and personal life! The first Internet Identity Workshop soon followed.

Kim taught me a lot about building positive working relationships with others. Early on, he told me to always try to find something nice to say to others. Showing his devious sense of humor, he said “Even if you are sure that their efforts are doomed to fail because of fatal assumptions on their part, you can at least say to them ‘You’re working on solving a really important problem!’ :-)” He modelled by example that consensus is much easier to achieve when you make allies rather than enemies. And besides, it’s a lot more fun for everyone that way!

Kim was always generous with his time and hospitality and lots of fun to be around. I remember he and Adele inviting visitors from Deutsche Telekom to their home overlooking the water in Bellevue. He organized a night at the opera for identity friends in Munich. He took my wife Becky and I and Tony Nadalin out to dinner at his favorite restaurant in Paris, La Coupole. He and Adele were the instigators behind many a fun evening. He had a love of life beyond compare!

At one point in my career, I was hoping to switch to a manager more supportive of my passion for standards work, and asked Kim if I could work for him. I’ll always remember his response: “Having you work for me would be great, because I wouldn’t have to manage you. But the problem is that then they’d make me have others work for me too. Managing people would be the death of me!”

This blog exists because Kim encouraged me to blog.

I once asked Kim why there were so many Canadians working in digital identity. He replied: “Every day as a Canadian, you think ‘What is it that makes me uniquely Canadian, as opposed to being American? Whereas Americans never give it a thought. Canadians are always thinking about identity.'”

Kim was a visionary and a person of uncommon common sense. His Information Card paradigm was ahead of its time. For instance, the “selecting cards within a wallet” metaphor that Windows CardSpace introduced is now widespread – appearing in platform and Web account selectors, as well as emerging “self-sovereign identity” wallets, containing digital identities that you control. The demos people are giving now sure look a lot like InfoCard demos from back in the day!

Kim was a big believer in privacy and giving people control over their own data (see the Laws of Identity). He championed the effort for Microsoft to acquire and use the U-Prove selective disclosure technology, and to make it freely available for others to use.

Kim was hands-on. To get practical experience with OpenID Connect, he wrote a complete OpenID Provider in 2018 and even got it certified! You can see the certification entry at https://openid.net/certification/ for the “IEF Experimental Claimer V0.9” that he wrote.

Kim was highly valued by Microsoft’s leaders (and many others!). He briefly retired from Microsoft most of a decade ago, only to have the then-Executive Vice President of the Server and Tools division, Satya Nadella, immediately seek him out and ask him what it would take to convince him to return. Kim made his asks, the company agreed to them, and he was back within about a week. One of his asks resulted in the AAD business-to-customer (B2C) identity service in production use today. He also used to have regular one-on-ones with Bill Gates.

Kim wasn’t my mentor in any official capacity, but he was indeed my mentor in fact. I believe he saw potential in me and chose to take me under his wing and help me develop in oh so many ways. I’ll always be grateful for that, and most of all, for his friendship.

In September 2021 at the European Identity and Cloud (EIC) conference in Munich, Jackson Shaw and I remarked to each other that neither of us had heard from Kim in a while. I reached out to him, and he responded that his health was failing, without elaborating. Kim and I talked for a while on the phone after that. He encouraged me that the work we are doing now is really important, and to press forward quickly.

On October 25, 2021, Vittorio Bertocci organized an informal CardSpace team reunion in Redmond. Kim wished he could come but his health wasn’t up to travelling. Determined to include him in a meaningful way, I called him on my phone during the reunion and Kim spent about a half hour talking to most of the ~20 attendees in turn. They shared stories and laughed! As Vittorio said to me when we learned of his passing, we didn’t know then that we were saying goodbye.


P.S. Here’s a few of my favorite photos from the first event that Kim included me in:

Kim and Craig Burton Gesticulating Mike Jones, Drummond Reed, and Kim Dick Hardt Mike Jones Kim with Coffee

All images are courtesy of Doc Searls. Each photo links to the original.

December 12, 2021
OpenID Presentations at December 2021 OpenID Virtual Workshop

OpenID logoI gave the following presentations at the Thursday, December 9, 2021 OpenID Virtual Workshop:

October 21, 2021
OpenID and FIDO Presentation at October 2021 FIDO Plenary

OpenID logoFIDO logoI described the relationship between OpenID and FIDO during the October 21, 2021 FIDO Alliance plenary meeting, including how OpenID Connect and FIDO are complementary. In particular, I explained that using WebAuthn/FIDO authenticators to sign into OpenID Providers brings phishing resistance to millions of OpenID Relying Parties without them having to do anything!

The presentation was:

October 12, 2021
OpenID Connect Presentation at IIW XXXIII

OpenID logoI gave the following invited “101” session presentation at the 33rd Internet Identity Workshop (IIW) on Tuesday, October 12, 2021:

The session was well attended. There was a good discussion about the use of passwordless authentication with OpenID Connect.

September 14, 2021
OpenID Connect Presentation at 2021 European Identity and Cloud (EIC) Conference

OpenID logoI gave the following presentation on the OpenID Connect Working Group during the September 13, 2021 OpenID Workshop at the 2021 European Identity and Cloud (EIC) conference. As I noted during the talk, this is an exciting time for OpenID Connect; there’s more happening now than at any time since the original OpenID Connect specs were created!

April 29, 2021
OpenID Connect Working Group Presentation at the Third Virtual OpenID Workshop

OpenID logoI gave the following presentation on the OpenID Connect Working Group at the Third Virtual OpenID Workshop on Thursday, April 29, 2021:

April 28, 2021
Passing the Torch at the OpenID Foundation

OpenID logoToday marks an important milestone in the life of the OpenID Foundation and the worldwide digital identity community. Following Don Thibeau’s decade of exemplary service to the OpenID Foundation as its Executive Director, today we welcomed Gail Hodges as our new Executive Director.

Don was instrumental in the creation of OpenID Connect, the Open Identity Exchange, the OpenID Certification program, the Financial-grade API (FAPI), and its ongoing worldwide adoption. He’s created and nurtured numerous liaison relationships with organizations and initiatives advancing digital identity and user empowerment worldwide. And thankfully, Don intends to stay active in digital identity and the OpenID Foundation, including supporting Gail in her new role.

Gail’s Twitter motto is “Reinventing identity as a public good”, which I believe will be indicative of the directions in which she’ll help lead the OpenID Foundation. She has extensive leadership experience in both digital identity and international finance, as described in her LinkedIn profile. The board is thrilled to have her on board and looks forward to what we’ll accomplish together in this next exciting chapter of the OpenID Foundation!

I encourage all of you to come meet Gail at the OpenID Foundation Workshop tomorrow, where she’ll introduce herself to the OpenID community.

April 21, 2021
OpenID Connect Presentation at IIW XXXII

OpenID logoI gave the following invited “101” session presentation at the 32nd Internet Identity Workshop (IIW) on Tuesday, April 20, 2021:

The session was well attended. There was a good discussion about uses of Self-Issued OpenID Providers.

January 29, 2021
Be part of the Spring 2021 IIW!

IIW logoAre you registered for the Internet Identity Workshop (IIW) yet? As I wrote a decade, a year, and a day ago, “It’s where Internet identity work gets done.” That remains as true now is it was then!

As a personal testimonial, I wrote this to the IIW organizers after the 2020 IIWs:

“Thanks again for running the most engaging and successful virtual meetings of the year (by far!). While I’ve come to dread most of the large virtual meetings, IIW online remains true to the spirit of the last 15 years of useful workshops. Yes, I miss talking to Rich and the attendees in the coffee line and having impromptu discussions throughout, and we’ll get back to that in time, but the sessions remain useful and engaging.”

I’m also proud that Microsoft is continuing its 15-year tradition of sponsoring the workshop. Rather than buying dinner for the attendees (the conversations at the dinners were always fun!), we’re sponsoring scholarships for those that might otherwise not be able to attend, fostering an even more interesting and diverse set of viewpoints at the workshop.

I hope to see you there!

October 28, 2020
Second OpenID Foundation Virtual Workshop

OpenID logoLike the First OpenID Foundation Virtual Workshop, I was once again pleased by the usefulness of the discussions at the Second OpenID Foundation Virtual Workshop held today. Many leading identity engineers and businesspeople participated, with valuable conversations happening both via the voice channel and in the chat. Topics included current work in the working groups, such as eKYC-IDA, FAPI, MODRNA, FastFed, EAP, Shared Signals and Events, and OpenID Connect, plus OpenID Certification, OpenID Connect Federation, and Self-Issued OpenID Provider (SIOP) extensions.

Identity Standards team colleagues Kristina Yasuda and Tim Cappalli presented respectively on Self-Issued OpenID Provider (SIOP) extensions and Continuous Access Evaluation Protocol (CAEP) work. Here’s my presentation on the OpenID Connect working group (PowerPoint) (PDF) and the Enhanced Authentication Profile (EAP) (PowerPoint) (PDF) working group. I’ll add links to the other presentations when they’re posted.

October 20, 2020
OpenID Presentation at IIW XXXI

OpenID logoI gave the following invited “101” session presentation at the 31st Internet Identity Workshop (IIW) on Tuesday, October 20, 2020:

I appreciated learning about how the participants are using or considering using OpenID Connect. The session was recorded and will be available in the IIW proceedings.

July 7, 2020
Identiverse 2020 Talk: Enabling Scalable Multi-lateral Federations with OpenID Connect

OpenID logoMy Identiverse 2020 talk Enabling Scalable Multi-lateral Federations with OpenID Connect was just broadcast and is available for viewing. The talk abstract is:

Numerous large-scale multi-lateral identity federations are in production use today, primarily in the Research and Education sector. These include national federations, such as SWAMID in Sweden and InCommon in the US, some with thousands of sites, and inter-federations among dozens of federations, such as eduGAIN. Yet these existing federations are based on SAML 2 and require the federation operator to poll the participants for their metadata, concatenating it into a huge file that is distributed to all federation participants nightly – a brittle process with significant scalability problems.

Responding to demand from the Research and Education community to migrate from SAML 2 to the simpler OpenID Connect protocol, the OpenID Connect working group has created the OpenID Connect Federation specification to enable this. The new approach incorporates lessons learned from existing SAML 2 federations – especially using a new, scalable approach to federation metadata, in which organizations host their own signed metadata and federation operators in turn sign statements about the organizations that are participants in the federation. As Shibboleth author Scott Cantor publicly said at a federation conference, “Given all my experience, if I were to redo the metadata handling today, I would do it along the lines in the OpenID Connect Federation specification”.

This presentation will describe progress implementing and deploying OpenID Connect Federation, upcoming interop events and results, and next steps to complete the specification and foster production deployments. The resulting feedback from Identiverse participants on the approach will be highly valuable.

As a late-breaking addition, data from the June 2020 Federation interop event organized by Roland Hedberg was included in the presentation.

You can also view the presentation slides as PowerPoint or PDF.

May 21, 2020
Successful OpenID Foundation Virtual Workshop

OpenID logoI was pleased by the quality of the discussions and participation at the first OpenID Foundation Virtual Workshop. There were over 50 participants, with useful conversations happening both on the audio channel and in the chat. Topics included current work in the working groups, such as eKYC-IDA, FAPI, MODRNA, FastFed, Shared Signals and Events, and OpenID Connect), OpenID Certification, and a discussion on interactions between browser privacy developments and federated login. Thanks to all who participated!

Here’s my presentation on the OpenID Connect working group and OpenID Certification: (PowerPoint) (PDF).

Update: The presentations from the workshop are available at OIDF Virtual Workshop – May 21, 2020.

April 28, 2020
OpenID Presentation at IIW XXX

OpenID logoI gave the following invited “101” session presentation at the 30th Internet Identity Workshop (IIW) on Tuesday, April 28, 2020:

I missed being able to gauge audience reactions by looking around the room but the virtualized session was still well attended by a good group of people, who let me know how OpenID Connect is relevant to what they’re doing.

February 18, 2020
OpenID Connect Federation Keynote at January 2020 OpenID Japan Summit

OpenID logoI gave this keynote presentation at the January 2020 OpenID Japan Summit: Enabling Large-Scale Multi-Party Federations with OpenID Connect. View it in PowerPoint or PDF.

Thanks to Roland Hedberg for collaborating on the presentation with me and for being primary author of the OpenID Connect Federation specification.

And as a preview of coming attractions, I’ll also be presenting on OpenID Connect Federation at Identiverse in June 2020.

October 21, 2019
OpenID Connect Federation draft 09 ready for your review

OpenID logoDraft 09 of the OpenID Connect Federation specification has been published at https://openid.net/specs/openid-connect-federation-1_0-09.html. This version of the specification benefitted from in-person review by experts at IIW. Major changes were:

  • Separated entity configuration discovery from operations provided by the federation API.
  • Defined new authentication error codes.

The authors believe that this version should become the second Implementer’s Draft, in preparation for interop testing in the coming year. Please review!

October 10, 2019
Using OpenID Connect Self-Issued to Achieve DID Auth

OpenID logoMy co-authors and I recently competed the paper Using OpenID Connect Self-Issued to Achieve DID Auth, which was created as a result of discussions at the eighth Rebooting the Web of Trust workshop. The paper’s abstract is:

Proving control of a DID requires proving ownership of a private key corresponding to a public key for the DID. Of course, this could be done with a new DID-specific protocol. However, standard protocols for proving ownership of a public/private key pair already exist.

This paper describes how to reuse the Self-Issued OpenID Connect (SIOP) specification and related protocol messages to prove control of a DID. It describes both why and how to do this. Related topics, such as release of claims, are also touched upon.

Several people came to the workshop wanting to explore how to use the OpenID Connect Self-Issued OpenID Provider functionality to prove control of a Decentralized Identifier (DID), including myself. The paper describes the approach being taken by a number of groups using DIDs, including Microsoft. The paper’s publication is timely, as the W3C DID Working Group has just formed to create a DID standard. Microsoft is an active member of the working group.

Special thanks to Dmitri Zagidulin for getting the paper over the finish line!

Next »