I gave this keynote presentation at the January 2020 OpenID Japan Summit: Enabling Large-Scale Multi-Party Federations with OpenID Connect. View it in PowerPoint or PDF.
Thanks to Roland Hedberg for collaborating on the presentation with me and for being primary author of the OpenID Connect Federation specification.
And as a preview of coming attractions, I’ll also be presenting on OpenID Connect Federation at Identiverse in June 2020.
Draft 09 of the OpenID Connect Federation specification has been published at https://openid.net/specs/openid-connect-federation-1_0-09.html. This version of the specification benefitted from in-person review by experts at IIW. Major changes were:
The authors believe that this version should become the second Implementer’s Draft, in preparation for interop testing in the coming year. Please review!
My co-authors and I recently competed the paper Using OpenID Connect Self-Issued to Achieve DID Auth, which was created as a result of discussions at the eighth Rebooting the Web of Trust workshop. The paper’s abstract is:
Proving control of a DID requires proving ownership of a private key corresponding to a public key for the DID. Of course, this could be done with a new DID-specific protocol. However, standard protocols for proving ownership of a public/private key pair already exist.
This paper describes how to reuse the Self-Issued OpenID Connect (SIOP) specification and related protocol messages to prove control of a DID. It describes both why and how to do this. Related topics, such as release of claims, are also touched upon.
Several people came to the workshop wanting to explore how to use the OpenID Connect Self-Issued OpenID Provider functionality to prove control of a Decentralized Identifier (DID), including myself. The paper describes the approach being taken by a number of groups using DIDs, including Microsoft. The paper’s publication is timely, as the W3C DID Working Group has just formed to create a DID standard. Microsoft is an active member of the working group.
Special thanks to Dmitri Zagidulin for getting the paper over the finish line!
I gave the following presentations at the Monday, September 30, 2019 OpenID Workshop at Verizon Media:
I also gave the following invited “101” session presentation at the Internet Identity Workshop (IIW) on Tuesday, October 1, 2019:
Check out the post OpenID Connect Federation Progress describing the recent updates that Roland Hedberg and I made to the OpenID Connect Federation 1.0 specification. We used the TNC19 conference — a gathering of federation experts — as a venue to get together to review and refine the specification. Besides getting lots done on the spec, I also really enjoyed the TNC conference and its attendees!
Given that the syntax and semantics should now be stable, it’s my hope that early adopters will start kicking the tires — building implementations and making trial deployments. I can’t wait for the useful feedback that results!
The W3C WebAuthn and FIDO 2.0 standards have won the 2019 European Identity and Cloud Award for Best Future Technology / Standard Project at the European Identity and Cloud (EIC) conference. This award recognizes the significance of these recently-approved standards, which enable password-less sign-in with platform authenticators, mobile devices, and security keys. They provide a huge step forward for online security, privacy, and convenience.
Thanks to Kuppinger Cole for recognizing the importance and impact of these important new standards!
I gave the following presentations at the May 14, 2019 OpenID Workshop at the 2019 European Identity and Cloud (EIC) conference:
This deck was also prepared but not presented, due to time limitations:
I gave the following presentations at the Monday, April 29, 2019 OpenID Workshop at Verizon Media:
I also gave the following invited “101” session presentation at the Internet Identity Workshop (IIW) on Tuesday, April 30, 2019:
I gave the following invited “101” session presentation at the Internet Identity Workshop (IIW) on Tuesday, October 23, 2018:
I gave the following presentation during the June 2018 Identiverse Conference:
News included:
Action items included:
I gave the well-received presentation “Deprecating the Password: A Progress Report” at the May 2018 European Identity and Cloud Conference (EIC). The presentation is available as PowerPoint (large because of the embedded video) and PDF.
The presentation abstract is:
If you ask almost anyone you meet if they have too many passwords, if they have trouble remembering their passwords, or if they are reusing the same passwords in multiple places, you’re likely to get an ear-full. People intuitively know that there has to be something better than having to have a password for everything they do!
The good news is that passwords are being used for fewer and fewer identity interactions. They are being replaced by biometrics (sign into your phone, your PC, or your bank with your face or fingerprint), local PINs (prove it’s you to your device and it does the rest), and federation (sign in with Facebook, Google, Microsoft, etc.). This presentation will examine the progress we’ve made, the standards and devices making it possible, and stimulate a discussion on what’s left to do to deprecate the password.
Key takeaways are:
Thanks to Steve Hutchinson for this photo from the presentation and his vote of confidence.
Extra: See all the Microsoft presentations at EIC 2018, including videos of Joy Chik’s and Kim Cameron’s keynotes.
This week the OpenID Certification program won the 2018 European Identity and Cloud Award for Best Innovation at the European Identity and Cloud (EIC) conference. This is actually the second award for the OpenID Certification program this year and only the latest in a series awards recognizing the value and impact of OpenID Connect and certification of its implementations.
On this occasion, I thought I’d take the opportunity to recount the awards that OpenID Connect, the specifications underlying it, and its certification program have been granted. To date, they are:
My sincere thanks to Kuppinger Cole for their early recognition of potential of OpenID Connect, for calling out the value of OAuth 2.0, JWT, and JOSE, and to both IDnext and Kuppinger Cole for recognizing the importance and global impact of OpenID Certification!
Speaking of impact, I can’t help but end this note with data that Alex Simons presented at EIC this week. 92% of Azure Active Directory (AAD) authentications use OpenID Connect. There’s no better demonstration of impact than widespread deployment. Very cool!
The OpenID Certification program won the 2018 European Identity and Cloud Award for Best Innovation at the European Identity and Cloud (EIC) conference. See the award announcement by the OpenID Foundation for more details. This is actually the second award this year for the OpenID Certification program.
The award recognizes that the OpenID Certification program has become a significant global force promoting high-quality, secure, interoperable OpenID Connect implementations. Its innovative use of self-certification using freely available online tools has made testing the quality of OpenID Connect implementations simple, effective, and commonplace. Thanks to Kuppinger Cole for recognizing the impact of the OpenID Certification program!
I gave the following presentations during the OpenID workshop at the May 2018 European Identity and Cloud Conference (EIC):
I gave the following presentations at the Monday, April 2, 2018 OpenID Workshop at Oracle:
I also gave the following invited “101” session presentation at the Internet Identity Workshop (IIW) on Tuesday, April 3, 2018:
I’m thrilled that the OpenID Certification program has won the 2018 Identity Innovation Award at the IDnext conference. See the award announcement by the OpenID Foundation for more details.
The award recognizes that the OpenID Certification program has become a significant global force promoting high-quality, secure, interoperable OpenID Connect implementations. Its innovative use of self-certification using freely available online tools has made testing the quality of OpenID Connect implementations simple, effective, and commonplace. Thanks to IDnext for recognizing the impact of the OpenID Certification program!
Also, see the IDnext press release announcing the award and its description of the opinion of the award committee:
The significant global impact of the OpenID Certification program was a reason for its selection for the Identity Innovation Award. It recognizes that the innovative use of self-certification, with freely available testing tools, has resulted in substantial participation in the certification program, improving the security, quality, and interoperability of OpenID Connect implementations worldwide.
Finally, here’s the presentation that I gave at the IDnext conference making the case for the award (pptx) (pdf).
Digital identity systems almost universally support end-users logging into applications and many also support logging out of them. But while login is reasonable well understood, there are many different kinds of semantics for “logout” in different use cases and a wide variety of mechanisms for effecting logouts.
I led a discussion on the topic “What Does Logout Mean?” at the 2018 OAuth Security Workshop in Trento, Italy, which was held the week before IETF 101, to explore this topic. The session was intentionally a highly interactive conversation, gathering information from the experts at the workshop to expand our collective understanding of the topic. Brock Allen — a practicing application security architect (and MVP for ASP.NET/IIS) — significantly contributed to the materials used to seed the discussion. And Nat Sakimura took detailed notes to record what we learned during the discussion.
Feedback on the discussion was uniformly positive. It seemed that all the participants learned things about logout use cases, mechanisms, and limitations that they previously hadn’t previously considered.
Materials related to the session are:
I gave the following presentations at the Monday, October 16, 2017 OpenID Workshop at PayPal:
I also gave the following “101” session presentation at the Internet Identity Workshop (IIW) on Tuesday, October 17th:
I gave two presentations at the 2017 European Identity and Cloud Conference (EIC) on progress we’re making in creating and deploying important new identity and security standards. The presentations were:
(Photo from https://twitter.com/drummondreed/status/862314926433603584)
I gave an invited presentation on OpenID Certification at the 2016 Cloud Identity Summit (CIS) this week. I used the presentation as an opportunity to inventory what we’ve achieved with the certification program since its launch in April 2015, and while the numbers are impressive in and of themselves (90 profiles certified for 28 implementations by 26 organizations, with new certifications in May by Clareity Security, Auth0, and Okta), there’s a deeper impact that’s occurring that the numbers don’t tell.
The new thing that’s happening this year is relying parties are explicitly asking identity providers to get certified. Why? Because certified implementations should “just work” — requiring no custom code to integrate with them, which is better for everyone. This network effect is now in play because it provides business value to all the participants.
While I’ve spoken about certification about 10 times since the launch, this presentation is different because it tells this new story that’s playing out in the marketplace. Check it out in PowerPoint or PDF.
(Photo from https://twitter.com/JamieXML/status/740213415172444160)
Powered by WordPress & Theme by Anders Norén