Musings on Digital Identity

Month: December 2007

New Years Gift: OpenID Intellectual Property Policy Approved

OpenID logoAs Scott Kveton just posted, earlier this month the OpenID Foundation board approved OpenID Intellectual Property Policy and Procedures documents. These are designed to achieve two goals:

  • Ensuring that contributors to OpenID specifications make intellectual property declarations for relevant inventions that they own so that everyone can freely use those specifications.
  • Defining procedures for working groups to use when developing future OpenID specifications that enable all to participate.

In addition to those Scott thanked, I’d also like to extend sincere thanks to Ron Moore of Microsoft and David Daggett of K&L Gates, both of whose legal expertise was essential to this accomplishment.

This is a significant digital identity accomplishment to finish 2007 with. Happy New Years everyone!

Phishing Protection for the Enterprise

Enterprise Phishing ProtectionI was surprised during the recent blogosphere conversation on user-centric identity in the Enterprise, that no one referenced Sxip’s contemporaneous intelligently-written 2-page piece on how the use of Information Cards can help protect enterprise login credentials from being phished. Using Information Cards to enable safer remote access to hosted enterprise applications makes business sense. This seems to me like a perfect example of what Pam wrote: “I would like to see Enterprises adopt technologies such as the Identity Metasystem for no other reason than because it helps their business to succeed.”

Dick’s introduction to the security bulletin also references a number of recent press articles on phishing attacks against the enterprise that are well worth reading. I’m with Pam: user-centric identity technologies will be adopted in the enterprise exactly when they’re perceived as delivering real business value. This is such a case.

ASP.Net Information Card Relying Party Software

Dominick Baier recently extended his Information Card relying party ASP.Net Control to be able to be used on no-SSL sites in the same way as sites employing SSL. It’s available under an MIT License, so everyone should be able to use it.

At my urging, he also added a demo site where you can try it out, both with and without SSL, and with both self-issued and managed cards. I’ve added the demo site to my page of Sites Using Information Cards.

I-names without Passwords at LinkSafe

I’m pleased to report that ooTao and LinkSafe have recently collaborated to enable you to create and use i-names with Information Cards rather than passwords. They’ve achieved for LinkSafe.name what JanRain did for MyOpenID.com. Below is a screen shot of me signing up for an i-name using an Information Card, rather than a password. Now when you see someone signed in to a site with the OpenID =me, you’ll know who it actually is!

LinkSafe.name i-name signup with Information Card

Firefox Information Card Add-on Collaboration

Firefox logoThe new release of the Firefox Information Card add-on recently announced by Axel Nennker is notable not only for its features, but also because it incorporates contributions by Andy Hodgkinson of the Bandit Project that make it work with the DigitalMe Identity Selector. This means that the same Firefox add-on can now be used with at least three Identity Selectors — openinfocard, DigitalMe, and Windows CardSpace.

The benefits of sharing this core piece of Information Card infrastructure became apparent when some recent releases of Firefox broke the add-on in some scenarios. Because several copies of the code were in use by different projects by then, all the projects had to make their own fixes in their copies, both duplicating effort, and increasing the chances that different selectors would behave differently in quirky and non-obvious ways. I’m really pleased that Andy pitched in and contributed his fixes to the add-on project and that Axel incorporated them in a way that I believe means that DigitalMe won’t have to use a separate add-on anymore. Hopefully the other identity selectors will also follow suit soon, eliminating any unnecessary forking in this key project.

One nit with Axel’s post though… While he suggested calling the add-on “CardSpace for Firefox”, even though I’m a fan of CardSpace, the add-on is intended to work with any Identity Selector — not just CardSpace. Therefore I’d prefer selector-neutral names for the project like “Firefox Information Card add-on”, “Firefox Identity Selector add-on”, “Information Cards for Firefox”, etc. What selector-neutral term for the project do others prefer?

OpenID 2.0 Specifications Complete

This morning at the Internet Identity Workshop, the OpenID Foundation announced that the OpenID 2.0 Specification and a set of related specifications are now complete. Furthermore, Intellectual Property Contribution Agreements have been executed by all the contributors to these specifications.

Here’s a camera-phone photo of Dick Hardt of Sxip Identity, Josh Hoyt of JanRain, and David Recordon of Six Apart making the announcement. Congratulations to the OpenID community on this significant accomplishment!

Dick Hardt, Josh Hoyt, and David Recordon announcing that the OpenID 2.0 specifications are complete

Look ma! No passwords!

As Vittorio excitedly pointed out, you never have to enter a password to create or use an OpenID at MyOpenID.com. Kim’s excited about this too. So am I. When I wrote:

The JanRain team has done a fantastic job integrating account sign-up, sign-in, and recovery via Information Cards into their OpenID provider. I’m really impressed by how well this fits into the rest of their high-quality offering.

I should have expanded upon my point “fantastic job integrating account sign-up” to explicitly call out that no passwords are needed. Notice the Information Card button on the sign-up page below. Thanks Vittorio and Kim, for sharing your excitement about this. I’m hoping that as other sites integrate Information Card sign-in to their user experience that they’ll also follow this example (and the guidance in the deployment guide) and enable password-less sign-up with Information Cards.

MyOpenID.com signup with Information Card

Related to this is JanRain’s earlier announcement that they are including PAPE support in their widely-used OpenID relying party libraries. As Kevin Fox wrote:

Just a note to let everyone know that we are developing and will release relying party libraries supporting PAPE once the specification is finalized.
We have deployed an example relying party available here:
openidenabled.com/python-openid/trunk/examples/consumer/
The example fully supports OpenID 2.0 draft 12, and can request phishing-resistant authentication using PAPE. Feel free to use it for testing.
PAPE allows sites that use OpenID 2.0 authentication to get information about the way that the user authenticated to the provider. This is an important step on the way to getting the convenience needed of OpenID authentication for higher-valued transactions. It’s trivial to implement and will be included in JanRain’s OpenID 2.0 libraries as well as Sxip’s libraries.

Gary Krall also added that:

Verisign will also be releasing an update to the JOID library which we use on the PiP for as you may know we have added PAPE support to the PiP.

And I’ll add that MyOpenID.com and SignOn.com both also support PAPE on their OpenID providers.

Why is this exciting? Because it means that without use of without any use of passwords, people can create and use OpenIDs with their Information Cards. And that sites accepting OpenIDs can ask for phishing-resistant authentication when you sign in — which these OpenIDs will do for you. All more great steps towards building a convenient, secure, ubiquitous identity layer for the Internet!

Nice Shirt!

Andre and Ashish may have liked the Mac, but I liked the shirt. ;-)

Ashish Jain with a Mac and an Information Card shirt

Powered by WordPress & Theme by Anders Norén