04 Oct 2016

feedPlanet OpenID

Kaliya Hamlin: IIW 23! Register. Its going to be great!

Powered by Eventbrite

04 Oct 2016 5:48pm GMT

27 Sep 2016

feedPlanet OpenID

OpenID.net: The Foundation of Internet Identity

A very brief history of OpenID Connect


27 Sep 2016 5:22pm GMT

13 Sep 2016

feedPlanet OpenID

OpenID.net: Harmonizing IETF SCIM and OpenID Connect: Enabling OIDC Clients to Use SCIM Services

OpenID Connect(OIDC) 1.0 is a key component of the "Cloud Identity" family of standards. At Oracle, we have been impressed by its ability to support federated identity both for cloud business services and in the enterprise. This is the reason why we recently joined the OpenID Foundation as a Sustaining Corporate Member.

In addition to OIDC, we are also strong proponents of the IETF SCIM standard. SCIM provides a JSON-based standard representation for users and groups, together with REST APIs for operations over identity objects. The schema for user objects is extensible and includes support for attributes that are commonly used in business services, such as group, role and organization.

Federated identity involves two components: secure delivery of user authentication information to a relying party (RP) as well as user profile or attribute information. Many of our customers and developers have asked us: can OIDC clients interact with a SCIM endpoint to obtain or update identity data? In other words, can we combine SCIM and OIDC to solve a traditional use-case supported by LDAP for enterprise applications (bind, attribute lookup) recast for the modern frameworks of REST and cloud services.

Working collaboratively with other industry leaders, we have published just such a proposal[1]. The draft explains how an OpenID Connect RP can interact with a SCIM endpoint to obtain or update user information. This allows business services to use the standard SCIM representations for users and groups, yet have the information conveyed to the service in a single technology stack based upon the OIDC protocols.

SAML, OIDC, SCIM and OAuth are the major architectural "pillars" of cloud identity. We would like to see them work together in a uniform and consistent way to solve cloud business service use-cases. Harmonizing SCIM and OIDC is an important step in that direction.

Prateek Mishra, Oracle

[1] http://openid.net/specs/openid-connect-scim-profile-1_0.html

13 Sep 2016 7:18pm GMT

24 Aug 2016

feedPlanet OpenID

OpenID.net: Registration Open for OpenID Foundation Workshop on Monday, October 24, 2016

OpenID Foundation Workshops provide insight and influence on important Internet identity standards. The workshop provides updates on the development of profiles of OpenID Connect as well as review progress on OpenID Connect Certification and an update on Relying Party certification.

We will introduce the FastFed (Fast Federation) while providing updates on others including Connect, Account Chooser, Financial API (FAPI), HEART, iGov, MODRNA (mobile operator discovery, registration & authentication) and RISC. Leading technologists from Amazon, Oracle, Microsoft, Google, Ping Identity and others will update key issues and discuss how they help meet social, enterprise and government Internet identity challenges.

This event precedes the IIW #23 Mountain View October 2016.

Registration can be found here: https://www.eventbrite.com/e/openid-foundation-workshop-tickets-27312519481

The OpenID Foundation Workshop Agenda

Thank you to VMware for hosting and directed funding support of this event.

Don Thibeau

The OpenID Foundation

24 Aug 2016 7:31pm GMT

10 Aug 2016

feedPlanet OpenID

Nat Sakimura: OAuthに対するWPAD/PAC攻撃と対策

8月3日のBlackhat 2016で発表された、HTTPSのURLが読めるというWPAD/PAC Attack[1]、なるほどねぇ、と思わせるアタックですな。

HTTPS自身を攻撃するわけじゃなくて、HTTPSのhostに対するproxy resolveの時に、PACファイルを使ってURLの内容をフィルタリングして攻撃者のホストに送るというやり口。
毎回proxy resolveが走るブラウザ(例:Firefox, Chrome)とそうでないブラウザがあって、後者だとあまり攻撃は成功しないが、FirefoxやChromeなどでは効果的。ただし、LANのProxy設定などで、「設定を自動的に検出する」がオンになっていなければならない。でもこれは、企業システムなどでは割りとONになっていることが多いのではないだろうか。
  • OpenID authentication URLPassword reset URL
  • OpenID authentication
  • URLPassword reset URL
の間違いかな?OpenID authentication URLPassword reset URLなんてものは無いから。
OAuthのAuthz req/res のqueryは両方共盗られてしまう。つまり、response_type=code * なら codeが、response_type=token * ならばtokenが奪取されて、リアルタイムに攻撃者のサーバに送られてしまいます。
もちろん、ユーザが上記のプロキシ設定自動取得オプションをオフにしていれば大丈夫ですが、これは、OAuth Server/Client側ではいかんともし難いです。できる対策としては、
  • S256のPKCE[RFC7636]を使っていれば、このcodeは使いみちが無いので安全。
  • Form Post mode を使っていても大丈夫。
  • もちろん、Token Binding していれば大丈夫。
Password Reset URLは、やられてしまいますね。むしろこっちの方が問題ですな。あと、DropboxなどでのURLによるファイル共有もやられます。サーバ側でできる対策としては、ファイル識別子を別途Formで入れさせるとかなんだろうけど、多くの人には使えなくなってしまうだろうことがちょっと悩ましいですね。

Copyright © 2016 @_Nat Zone All Rights Reserved.

10 Aug 2016 6:54am GMT

05 Aug 2016

feedPlanet OpenID

OpenID.net: Initial OpenID Connect Enhanced Authentication Profile (EAP) Specifications

The OpenID Enhanced Authentication Profile (EAP) working group charter states that:

The purpose of this working group is to develop a security and privacy profile of the OpenID Connect specifications that enable users to authenticate to OpenID Providers using strong authentication specifications. The resulting profile will enable use of IETF Token Binding specifications with OpenID Connect and integration with FIDO relying parties and/or other strong authentication technologies.

I'm pleased to announce that two new draft OpenID specifications have been adopted by the EAP working group to meet those two goals:

Please give them a read and give your feedback to the working group. Or even better yet, implement them (they're both very straightforward) and send us your feedback!

05 Aug 2016 12:41pm GMT

16 Jul 2016

feedPlanet OpenID

OpenID.net: Preventing Mix-Up Attacks with OpenID Connect

Recently the OAuth community has been concerned with some attack vectors around mixed up clients, particularly when dynamic client registration and discovery are used with user-selected OpenID Providers.

Broadly, the attacks consist of using dynamic client registration, or the compromise of an OpenID Provider (OP), to trick the Relying Party (RP) into sending an authorization code to the attacker's Token Endpoint. Once a code is stolen, an attack that involves cutting and pasting values and state in authorization requests and responses can be used to confuse the relying party into binding an authorization to the wrong user.

Many deployments of OpenID Connect (and OAuth) in which the configuration is static, and the OPs are trusted, are at greatly reduced risk of these attacks. Despite that, these suggestions are best current practices that we recommend to all deployments to improve security, with a particular emphasis on more dynamic environments.

The full research papers on these attacks can be read here: A Comprehensive Formal Security Analysis of OAuth 2.0, and On the security of modern Single Sign-On Protocols: Second-Order Vulnerabilities in OpenID Connect.

Using the Hybrid Flow to mitigate attacks by a bad OP

Fortunately, the Hybrid flow of OpenID Connect is already hardened against these attacks, as the ID Token cryptographically binds the issuer to the code, and the user's session, and through doing dynamic discovery on the issuer, the token endpoint. In fact, any OpenID Connect flow that returns an ID Token from the Authorization Endpoint already contains the same information returned by the OAuth 2.0 Mix-Up Mitigation draft specification, the Issuer (as the iss claim) and the Client ID (as the aud claim), enabling the RP to verify it, and thus prevent mix-up attacks.

To protect against the Mix-Up attack, RPs that allow user-driven dynamic OP discovery and client registration should:

Use the hybrid code id_token flow, and verify in the authorization response that:

  1. The response contains tokens required for the response type that you requested (code id_token).
  2. The ID Token is valid (signature validates, aud is correct).
  3. The issuer (iss value) matches the OP that the request was made to, and the token endpoint you will exchange the code at is the one listed in the issuer's discovery document.
  4. The nonce value matches the nonce associated with the user session that initiated the authorization request.
  5. The c_hash value verifies correctly.

To aid the implementation of the best practice, we recommend that OPs consider supporting OAuth 2.0 Form Post Response Mode, as it makes it simpler for clients doing code id_token to get both the code and the ID Token on the backend for verification.

OPs MUST also follow the OpenID Connect requirement for exact matching of a pre-registered redirect URI, to protect against open redirector attacks.

Using the Code Flow to mitigate attacks involving a compromised OP

Environments with statically registered OPs are not susceptible to dynamic registration attacks (by definition), however, it is still possible for a whitelisted OPs to potentially attack other OPs and for malicious users to bind stolen codes to their own sessions. This may sound far-fetched (why would your trusted OPs attack each other after all?), but if one OP was compromised for example, it could be used to attack the other OPs, which is not ideal. To protect against such attacks, RPs using the "code" flow with statically registered OPs should:

  1. Register a different redirect URI for each OP, and record the redirect URI used in the outgoing authorization request in the user's session together with state and nonce. On receiving the authorization code in the response, verify that the user's session contains the state value of the response, and that the redirect URI of the response matches the one used in the request.
  2. Always use nonce with the code flow (even though that parameter is optional to use). After performing the code exchange, compare the nonce in the returned id token to the nonce associated to the user's session from when the request was made, and don't accept the authorization if they don't match.


The OpenID Connect working group believes that when the above best practices are followed, the attacks described are prevented.

This advice was drafted at a working meeting of the OpenID Connect WG at the 22nd Internet Identity Workshop (IIW), and reviewed at the OAuth Security Workshop 2016 in Trier Germany.

16 Jul 2016 12:34pm GMT

21 Jun 2016

feedPlanet OpenID

Nat Sakimura: なぜ開かれたインターネットが重要なのか #OECDDigitalMX


Q. 開かれたインターネットは重要なのでしょうか?



これまでの全ての産業革命がそうであったように、私たちは今、生産性の急激な増加と価格の大幅な下落~デジタル・デフレーション(Digital Deflation)を目の当たりにしています。しかし、これは悪いことではありません。生産性の向上は、より少量でより多量のものを作り出すことができるようになりますから、平均でみるなら社会はより豊かになりますし、価格の下落は、それまで供給することができていなかった社会層へのサービスの供給も可能にします。





  1. 信頼できる技術
  2. 拡大された接続性
  3. 開かれたインターネット
  4. 利用者と労働者のスキル向上




彼らに接続を与えなければなりません。それは、開かれていなければなりません。でなければ、許可無きイノベーション(permissionless innovation)は実現しません。




Q. プライバシー行政の課題にはどういうものがあるでしょうか?


  1. 産業界における、プライバシーがビジネスを阻害するという誤解
  2. セキュリティの名の下の広範囲な監視 (pervasive surveillance)
  3. 新しい法制が保護主義の新たなツールとして使われる危険性
  4. 負の外部性と倫理的振る舞いの必要性




Copyright © 2016 @_Nat Zone All Rights Reserved.

21 Jun 2016 2:59pm GMT

16 Jun 2016

feedPlanet OpenID

Nat Sakimura: [出演] 労働組合諮問委員会フォーラム@OECD閣僚級会合 (2016/6/21)

来週6月21日(火) に、メキシコのカンクーンで労働組合諮問委員会フォーラム@OECD閣僚級会合のデジタル経済に関するTUAC(Trade Union Advisory Council, 労働組合諮問委員会)フォーラムの「Technological Transformation & New Regulatory Models」というパネル・ディスカッションに出演します。


9:30 am to 10:45 am

Technological Transformation & New Regulatory Models

Existing economic and social structures are increasingly affected by digitization: Some for the better (increased internet openness and exchanges) and other for the worse (security and privacy risks, non-shared profits, and the rise in non-standard work). A coherent set of regulatory policies and investment targets is imperative to enable an equitable technological diffusion, while anticipating trends and risks. As such, the risk of a "digital deflation' is real since companies increasingly encounter pressures on profit margins and rely on short-term financing. At the same time, monopolistic structures are making it difficult for new firms to grow, and leading some to adopt labour-cost saving and high-risk business models, to avoid paying taxes and to seek other legal loopholes. Panelists are invited to discuss the economic and social effects of Internet openness and technological change focusing on:

  • Value creation in the digital sector
  • Legal status and taxation
  • Competitive pressures vs. sustainable business models
  • Long-term investment vs. Digital Deflation

Moderator: Tim Noonan, Communications Director, ITUC

Catalina Achermann, Expert for telecommunications, digital ecosystems, new technologies, and public policy, CEPAL

Robert T Atkinson, President, Information Technology and Innovation Foundation (ITIF)

Yann Bonnet, General Secretary, Conseil National du Numérique (French Digital Council), France

Nat Sakimura, Chairman, OpenID Foundation[1]

Damon Silvers, Policy Director and Special Councel, AFL-CIO

Conrado García Velasco, General Secretary, Sutnotimex


Ruwan Subasinghe, Legal Advisor, International Transport Workers' Federation (ITF)




Copyright © 2016 @_Nat Zone All Rights Reserved.

16 Jun 2016 10:14am GMT

Nat Sakimura: ITAC Forum @デジタル経済に関するOECD閣僚級会合 (2016/6/21)

来週6月21日(火)に、デジタル経済に関するOECD閣僚級会合に先立って行われるOECD ITAC (Internet Technical Advisory Committee, インターネット技術諮問委員会) フォーラムのプログラムが公開されました。

わたしは、隣でやっているTrade Union Advisory Committee (労働組合諮問委員会)のフォーラムでデジタル・デフレーションなどについてパネル・ディスカッションをするので出られませんが…。



ITAC Forum at the 2016 OECD Ministerial on the Digital Economy

Tuesday, June 21, 2016
9:00 am-

9:30 am

Opening and keynote address

▪ Welcome: Laurent Liscia, CEO and Executive Director, OASIS

▪ Keynote: Jari Arrko, Chair, Internet Engineering Task Force

9:30 am -

10:45 am

Getting the Ball Rolling: IPv6 Adoption Since 2008

The adoption of IPv6 was specifically noted in the Seoul Declaration for the Future of the Internet Economy in 2008. This session will discuss the real-world progress in IPv6 adoption since that event, with a particular focus on the accelerated adoption rates seen in many economies over the last 18 months. Discussants will consider the drivers of IPv6 adoption and the lessons learned in terms of what IPv6 adoption means for Internet growth, openness and competition.

Moderator: Alejandro Pisanty, Academic Computing Services of the National University of Mexico (UNAM)


▪ Geoff Huston, Chief Scientist, APNIC

▪ Adriana Lavandini, Commissioner, Instituto Federal de Telecomunicaciones,


▪ John Brzozowski, Fellow and Chief Architect IPv6, Comcast

▪ Hiroshi Esaki, Professor, Graduate School of Information Science &

Technology, University of Tokyo

10:45 am-

11:00 am

11:00 am-

12:15 pm

Open Standards for an Open Internet of Things

The Internet of Things (IoT) promises to usher in a revolutionary, fully interconnected "smart" world, with relationships between objects, people and their environments becoming more connected and intertwined. The potential ramifications of this are huge, particularly in the areas of: security and privacy; interoperability and standards; legal, regulatory and rights issues; and the

inclusion of emerging economies. IoT involves a complex and evolving set of considerations, including the technology underpinnings to support IoT. We therefore need to be prepared. Stakeholders, including governments, need to think and act strategically together so that the maximum advantage can be derived from this emerging phenomenon. Conversely uncoordinated actions such as on standard setting (by state or private actors) risk undermining trust and understanding of the benefits of the IoT.

The session will address the questions of:

· What is the value of open and voluntary standards in sustaining innovation in this domain?

· What is the economic rationale that goes into choosing between a particular set of competing standards?

· What are possible frameworks and solutions for creating an enabling environment for IoT to flourish as a positive force for inclusive economic and social development?

· Who should take such standards forward?

· With IoT's multi-faceted nature that allows it to cross over many disciplines and vertical markets, how do stakeholders ensure a path that supports convergence and interoperability?

Moderator: Karen McCabe, Senior Director, Technology Policy and International Affairs, IEEE Standards Association


▪ Monique Morrow, CTO, Evangelist for New Frontiers Development and

Engineering, CISCO

▪ Laurent Liscia, CEO and Executive Director, OASIS

▪ David Conrad, Chief Technology Officer, ICANN

▪ Roberto Minerva, Research Coordinator at Telecom Italia Lab; Chair of the

IEEE IoT Initiative

▪ Luis Kun, Prof. of National Security at the

Center for Hemispheric Defense Studies (CHDS) at the National Defense University

▪ Elsa Chan, Co-Founder, Jetlun

12:30 pm -

2:00 pm

Joint stakeholder hosted lunch (ITAC, BIAC, CSISAC, TUAC)
2:00 pm-

3:30 pm

A collaborative approach to Internet Security

The Internet (a global interconnected network of networks) has enabled a global digital economy to flourish. Yet, the same interconnectedness that fosters communication, opportunities, innovation and commerce on a global scale, also means that participation in the global digital economy means global interdependence and shared risk. Therefore, we have a common interest in the security of this shared economic growth resource and a collective responsibility to care for the Internet. Further, the continued effectiveness of the Internet as a driver for a vibrant and sustainable global digital economy also depends on the

Internet being a trusted platform for social interaction and commerce.

As the Internet and its applications become ever more pervasive in our daily lives through the Internet of Things, widespread use of sensors and the digitization of biological traits, collaborative risk-based approaches to Internet security are needed more than ever.

• How can we, as a global community, overcome silo approaches and evolve beyond considering only one's own security risks?

• How will we share resources to ensure the delivery of a more secure Internet?

• How will we integrate the rights and expectations of users in security solutions?

• How will we collaborate to empower e-entrepreneurs and SMEs to effectively contribute to the overall security risk management of the Internet?

Building on the OECD Recommendation on Digital Security Risk Management for Economic and Social Prosperity, this session will highlight real world examples of collaborative approaches to strengthen the security of the Internet and its use, identify economic impediments to deployment of Internet security solutions, and suggest ways forward so that the Internet's full potential can be realised.

Moderator: Robin Wilton, Technical Outreach for Identity and Privacy, Internet Society


▪ Laurent Bernat, Cyber Security and Privacy Risk Policy Analyst, OECD

▪ Bruce Schneier, Chief Technology Officer, Resilient Systems, Inc.

▪ Yurie Ito, Director of JPCERT/CC and Founder and Executive Director of


▪ Geoff Huston, Chief Scientist, APNIC

▪ Belisario Contreras, Cyber Security Program Manager at the Organization of

American States

▪ David Conrad, Chief Technology Officer, ICANN

▪ Sebastian Bellagamba, Regional Bureau Director for Latin America and The

Caribbean, Internet Society

5:30 pm -

6:30 pm

Joint Stakeholder Press Conference
7:30 pm -

9:30 pm

Official Ministerial Welcome Reception

Copyright © 2016 @_Nat Zone All Rights Reserved.

16 Jun 2016 9:43am GMT

13 Jun 2016

feedPlanet OpenID

Nat Sakimura: 速報 マイクロソフトがLinkedInを買収

6月13日公開のLinkedInブログによると、マイクロソフトがLinkedInを買収に同意した模様。買収額は、USD26.2B 日本円で約2.77兆円。[1]。しかも、全額現金だそうです。マイクロソフト市場最大の買収とのこと。


詳細はこちら https://blog.linkedin.com/2016/06/13/microsoft-and-linkedin


Copyright © 2016 @_Nat Zone All Rights Reserved.

13 Jun 2016 1:08pm GMT

10 Jun 2016

feedPlanet OpenID

Nat Sakimura: コスタリカで、憲法にアイデンティティ権を書き込む運動が再始動

2004年に一時期試みられていた、Virtual Personality (英語で言うとDigital Identityかな)を持つ持たないを個人が決定する権利を憲法で規定しようとする動きが、6/3にコスタリカ国会で再始動した模様。


「海外では、アイデンティティへの権利というと、自らのアイデンティティを証明して、教育だとかもろもろの権利を享受することができるようにするための権利だと思うけどね~。たとえば、国連のTHE 2030 AGENDA FOR SUSTAINABLE DEVELOPMENTGoal 16.9 [2]とか。主に、Thin filed people (身元証明できるような書類が非常に少ない人)日本で言えば無戸籍児とか、今の欧州なら難民とか向けの話で。

そういえば、2004年にはコスタリカで改憲運動が起きていて、その時主導者の1人の最高裁判事にも会ったよ~。日本の今回のとはだいぶ違うね。」という話をしていて、懐かしくて Jaco Aizenman Leiner のTLを見たら、こんなのが出てきた。


この投稿をしている Jaco Aizenman Leinerは、当時のXDI.org の2004年当時の理事仲間で、上記のコスタリカ訪問の立役者。その後二人共XDI.orgは離れていたけど、こうやってまた運命がクロスするものなのね。

Copyright © 2016 @_Nat Zone All Rights Reserved.

10 Jun 2016 3:12pm GMT

25 May 2016

feedPlanet OpenID

Nat Sakimura: Open Data in Finance @ London は6月15日!

FinTechの3本柱の1つとして注目されるAPIですが、特に欧州ではPayment Service Directive 2で銀行が2017年末までに金融API提供を義務付けられたことに伴い、とてもホットな話題になっています。日本ではまだまだブロックチェインの後塵を配していますが、まだまだリサーチ・プロジェクトと言っても良いブロックチェインに比べて、金融APIは喫緊の課題です。

こうした中で、金融APIをメインに取り扱う、「Open Data in Finance」というカンファレンスが、欧州金融の中心地・ロンドンで6月14日、15日の2日間にわたって行われます。6月14日はワークショップで、メインのカンファレンスは6月15日です。到底力不足ながら、不詳、わたくし、Nat Sakimura が、カンファレンスを通じたChair を拝命しております。

Screen Shot 2016-05-25 at 23.03.32

プログラムは、こちらのページ(Agenda)からご覧いただけますが、The Open Banking Standard のステアリング・コミッティのチェアの Open Data Institute の CEO の Gavin Starks とバークレイズ銀行のManaging DirectorのMatt Hammerstein の Armchair Chatに始まり、多くの有識者たちによるパネル・ディスカッションやラウンドテーブルを聞くことができ、欧州における金融APIの「今」を知るための貴重な機会となろうかと思います。



Copyright © 2016 @_Nat Zone All Rights Reserved.

25 May 2016 2:17pm GMT

24 May 2016

feedPlanet OpenID

Nat Sakimura: CISでのOpenID Trackは6月7日火曜日

昨年までは、CISでのOpenID Trackは、Pre-conference day でしたが、今年は 『Achieving Internet Scale Identity with OpenID Connect』と題して、main conferenceに取り込まれました。

トラック・コーディネーターはDon Thibeauです。
今年は、わたしは金融API WGの紹介をします。

Achieving Internet Scale Identity with OpenID Connect

Tuesday, June 7.
  • OpenID Connect - Certification and Futures
    9:30 AM - 9:55 AM | SPEAKER: Michael Jones
  • The Mobile OpenID Connect Profile
    10:05 AM - 10:30 AM | SPEAKER: Bjorn Hjelm
  • Account Chooser
    10:40 AM - 11:05 AM | SPEAKER: Pamela Dingle
  • The Mission Critical, First Responder Profile of OpenID Connect to Serve & Protect
    2:30 PM - 2:55 PM | SPEAKER: Adam LewisFintech
  • OpenID Connect: Introducing FAPI WG
    3:40 PM - 4:05 PM | SPEAKER: Nat Sakimura
  • Protecting Users and Infrastructure: Can We Create a Sharing Economy of Security Signals?
    4:20 PM - 4:45 PM | SPEAKER: Andrew Nash , Alexander Weinert , Adam Dawes , Richard Struse
  • Protecting Users and Infrastructure (Continued)
    4:55 PM - 5:20 PM | SPEAKER: Andrew Nash , Alexander Weinert , Adam Dawes , Richard Struse

Copyright © 2016 @_Nat Zone All Rights Reserved.

24 May 2016 7:24am GMT

23 May 2016

feedPlanet OpenID

OpenID.net: Announcing the Financial API (FAPI) Working Group

In many cases, Fintech services such as aggregation services uses screen scraping and stores user passwords. This model is both brittle and insecure. To cope with the brittleness, the new OpenID Foundation Work Group invites developers, architects and technologists to contribute to an open standard approach using an API model with structured data and to cope with insecurity, it should utilize a token model such as OAuth [RFC6749, RFC6750].

The OpenID Foundation Financial API (FAPI) Working Group aims to rectify the situation by developing a REST/JSON model protected by OAuth. Specifically, the FAPI Working Group aims to provide JSON data schemas, security and privacy recommendations and protocols to:

Both commercial and investment banking account as well as insurance, and credit card accounts are to be considered.

The FAPI Working Group is building a Fintech bridge through open standards. This effort builds on the wide international adoption of OpenID Connect.

The FAPI Working Group was proposed by Nat Sakimura (NRI), Tony Nadalin (Microsoft), and Cindy Barker (Intuit). A charter will be approved and a chair selected at the first FAPI Working Group meeting.

The FAPI Working Group chairs will be presenting on the focus of the group at upcoming conferences including the 2016 Cloud Identity Summit in New Orleans and the Open Data Finance conference in London, both in June.

The Open Data in Finance conference is an end-user driven event that focuses exclusively on open data and data sharing in the finance sector.

It will bring together influential representatives at the nexus of the open data initiative, to give insights into the plans of government and key industry players, and share how they are shaping and responding to this market change.

The Open Data in Finance organizers have offered OpenID Foundation members a 20% discount to attend. Please contact me directly if interested.

Links of interest:

OIDF FAPI Working Group Page

Subscribe to the FAPI Working Group Mailing List

Those interested in participating will need to submit a signed IPR Agreement indicating their participation in the FAPI WG. The IPR agreement can be submitted online via DocuSign or emailed to help@oidf.org.

23 May 2016 8:15pm GMT

Nat Sakimura: Let’s Encrypt あらため certbot でSSL証明書インストール

Let's Encrypt がついにβフェーズを終わって正式リリースされました。そして、EFF提供のcertbotになりました。


まず、https://certbot.eff.org/ に行ってください。すると、Web Server と OS を選ぶ画面が出てきます。

Certbot Front Screen

図)自分が使っているWeb ServerとOSを指定すると、インストラクションが出てくる。

ここで、自分の使っている Webserver と OS を選ぶと、お使いの環境ごとのマニュアルが出てきます(英語ですが)ので、それに従うだけです。たとえば、Apache + Ubuntu 14.04 だと、

$ wget https://dl.eff.org/certbot-auto
$ chmod a+x certbot-auto

で、certbot のインストールファイルを落としてきて権限変更し、

$ ./certbot-auto

とすることで、certobot のインストールができます。


$ ./path/to/certbot-auto --apache

でできます。使い勝手はほぼ Let's encrypt と同じです。

ついでに、Courier MTA のSSL certs も切り替えてみよう

さて、Apache はほとんど全自動で設定できたのではないでしょうか?ついでですから、Courier MTAのSSL certs もこれに切り替えちゃいましょう。

Courier MTA で使う .pem ファイルは、プライベート・キー+証明書+証明書チェーンとつなげたものです。certbotの場合、あなたのドメインが「example.com」だった場合、/etc/letsencrypt/live/example.com/ にこれらのファイルは入っています。Courier MTA SSL の設定ファイル(/etc/courier/esmtpd-ssl ) から読んでいる .pem ファイルが /etc/courier/esmtpd.pem だったとしましょう。その場合、

$ sudo cd /etc/letsencrypt/live/example.com/
$ sudo cat privkey.pem cert.pem fullchain.pem > /etc/courier/esmtpd.pem
$ sudo /etc/init.d/courier-mta-ssl restart


Copyright © 2016 @_Nat Zone All Rights Reserved.

23 May 2016 5:48pm GMT