fidzu : OpenID

The largest mobile operator in Japan, NTT docomo, which covers approximately 50% of Japanese population, has started offering OpenID authentication on March 9.

Every docomo user has an identifier called i-modeID. Using this, users have been able to single sign on to the mobile sites using docomo handsets, making one-click payment, and so on. These kind of features were one of the reason for the great success of the mobile commerce in Japan. However, this merit has not been extended to the non-docomo handset world, notably PC. For PC, docomo has been offering a separate identifier called "docomo ID" but since it remained independent of "i-modeID", it did not enjoy the same kind of popularity.

This situation was changed today by linking the two identifiers by OpenID.

From today, a user can login to a site using "docomo ID" as an OpenID, then the site can obtain "i-mode ID" that is linked to the "docomo ID" transparently. It is expected that the payment on the PC sites through "i-mode payment service" would accelerate the contents sales through PC.

NTT docomo published the docomoID Authentication Technical Specification on their Web site. As an OP Identifier, one should specify "https://i.mydocomo.com/". As a normal claimed identifier, one should specify "https://i.mydocomo.com/id/{user_unique_identifier}" where {user_unique_identifier}" is a random alpha-numeric string that is unique to the user-realm pair.

One peculiar feature of docomo's implementation is that, to provide "i-mode ID" to the contents providers, contents providers should call a very simple GET API after they obtained the OpenID Assertion. The decision seems to have been made to avoid the transmission of i-mode ID through browsers, which may act as a man-in-the-middle attack point as users' PC environment is not particularly safe. Using OAuth for this purpose seems to have been an option, but docomo seems to have decided that requiring it on top of OpenID to the contents provider seemed to be a little too demanding. Thus, they devised this extremely simple API. Together with it, docomo also defined a kind of contact service API, which allows the content provider to send mail [*1] to the user's mobile phone without sharing the mail address.

According to their official page, there are 55,692,500 docomo subscribers as of February, 2010. Japan's population over 15 as of Feb. 1, 2010 is 110,470,000.

[*1] Currently, this "contact service" is currently limited to send a mobile site URL

09 Mar 2010 4:35pm GMT

Ministry of Economy, Trade and Industry of Japan, METI, opened a site called "IdeaBox".

IdeaBox is a web site that solicits the idea for IT Policy widely. At the site, people can propose policy and discuss about them, and vote on them. METI positions it as a network based committee which is open to public. A similar site was operated last year from October to November and attracted over 1700 policy idea.

This version of IdeaBox, which opend on Feb.23 accepts OpenID so that one can login with the account at mixi, Yahoo! Japan, Livedoor and Google. It has various other social components so that one can also tweet about it directly from the site, bookmark it on delicous and hatena bookmark, etc. This version runs until March 15.

Site Address: http://open-meti.go.jp/

09 Mar 2010 1:09pm GMT

Over the weekend I took a quick stab at what a new draft of an OAuth 2.0 spec would look like. I don't have a lot of normative text but wanted to share what I was thinking about in terms of the specification's structure and technical inner-workings.

This comes out of the survey from two weeks ago which Peter Saint-Andre summarized as there being consensus around:

• OAuth 2.0 taking aspects from both the 1.0 and WRAP specs/drafts with a preference toward the WRAP draft
• we should go back to working on a single document
• OAuth 2.0 should support signatures as a mechanism for making requests

Documents involved:

1. OAuth 1.0: http://tools.ietf.org/html/draft-hammer-oauth-10
2. WRAP: http://tools.ietf.org/html/draft-hardt-oauth-01

Combined document structure:

My goal is that sections one through four are not more than fifteen to twenty pages combined.

0. Abstract

1. Introduction
1.1 Acknowledgments
1.2 Terminology
1.3 Notational Conventions

2. Getting an Access Token
2.1 Web App / JavaScript Profile (in browser)
2.2 Rich App Profile (can open a browser)
2.3 Device Profile (no browser, should be like the Netflix flow)
2.4 Username and Password Profile
2.5 Client key and secret (not in the context of a user)

3. Refreshing an Access Token

4. Accessing a Protected Resource
4.1 Using SSL
4.2 Using a signature

5. Security Considerations

Abstract

OAuth 2.0 provides a method for an application (Client) to access the Protected Resource hosted on a server on behalf of a Resource Owner (such as a different client or an end-user). It provides a process for end-users to authorize third-party access to their Protected Resources via a variety of Authorization Profiles which generally do not include having to share their credentials (typically, a username and password pair). A server can additionally delegate authorization to one or more authorities (Authorization Server) which issue Access Tokens to Clients.

Introduction

• This section should provide a longer description of the protocol flows and the evolution from OAuth 1.0.
• The terminology should be based on updated OAuth 1.0 terminology which is already close to the WRAP terminology as well. We should err on the side of more generally understood terms.
• Both OAuth 1.0 and WRAP contain fairly complete introductory sections. I think that the WRAP one is a bit too long and we should shoot for this section being a little over two pages (including terminology).

Getting an Access Token

• This section really comes from WRAP. I believe that a server MUST implement at least one of the profiles to be considered OAuth compatible.
• The updated OAuth 1.0 spec could also be useful for more complete language around the Web App Profile though we should also draw from Luke Shepard's JavaScript profile (which needs updating). I believe the main difference is the security characteristics.
• While the SAML assertion profile has been in WRAP, I haven't seen strong advocates on the mailing list or in the survey for it. Does someone want to argue for keeping it? Could it be drafted as a separate profile from the core spec?

Refreshing an Access Token

• In WRAP this functionality is described along with each individual authorization profile. Some profiles require the client id and secret though not all of them. In terms of writing more reusable code I imagine that implementors will write a single refresh_token(client_id, client_secret) function so breaking this out into its own section will be easier to implement.
• We could either require the client id and secret for all profiles or keep them as optional for some profiles. Personally I lean toward consistency.

Accessing a Protected Resource

• This section is really a combination of WRAP and OAuth 1.0. SSL support will be a MUST and signatures will be optional.
• Bearer tokens (even short lived) without using SSL or signatures feels like a poor idea, but given the WRAP draft it seems like the security teams at Google, Microsoft and Yahoo! are all comfortable with doing so? Given that we'll be adding signatures as an option do we still need unprotected bearer tokens?
• The SSL section basically copies directly from WRAP section #4. It's about a page and a half and really easy to implement.
• We need to agree on the signature method though there is a lot of normative text in the OAuth 1.0 spec to draw from. OAuth 1.0 is about three pages of text assuming people are happy with the mechanism; it would be good to simplify as much as possible.
• • We're missing an access token secret, but I'm wondering if we can treat the refresh token as the access token secret since it's only sent over the wire via SSL?
  • Alternatively we could modify the refresh token request to let the client specify that they'd also like an access token secret for that request. This seems like the right way of doing it.
  • Both break the idea that the API endpoint doesn't have access to secrets, but the deployment scenarios I've seen discussed as wanting signatures (at least Facebook and Twitter) won't be separating their architecture anyway.

Security Considerations

• I'm the wrong person to write this section.

Misc

• Rename parameters to oauth_

If I were to spend some time over the next week or two drafting this spec would folks generally be supportive of it? If not, what would you change so that you could be supportive of it?

One of my goals is getting OAuth 2.0 to the point - fairly quickly - where we can start to architect the next version of OpenID on top of it. WebFinger + OAuth 2.0 + identity would be sweet and finally give us a consistent story for both authentication and authorization. I'd love whatever help I could get with all of this as well!

Cross posted to the OAuth IETF mailing list

03 Mar 2010 10:29pm GMT

Washington, D.C. - March 3, 2010 -The Open Identity Exchange (OIX) www.openidentityexchange.org, a non-profit organization dedicated to supporting an Internet-scale trust ecosystem, announced today it will commence work on an open government pilot under the requirements set forth by the ICAM Trust Framework Adoption Process (TFAP) established by U.S. General Services Administration (GSA). The National Institutes of Health (NIH) will serve as lead agency using open identity technologies to support a number of services, including customized library searches, access to training resources, registration for conferences, and use of medical research wikis, with strong privacy protections, all designed to ensure accessible and transparent communication between the government agency and U.S. citizens.

The OIX has been certified by the GSA as a Trust Framework Provider. This permits the OIX to issue certifications to Identity Providers who choose assessors and certification models, including the audited self-certification model championed by the OpenID Foundation. As lead government agency, the NIH is ready to move into production status with OpenID credentials for existing, pilot-status and future applications using NIH Login (now known as iTrust/NIH).

"The NIH has played a critical role pioneering the use of open identity standards for open government," said Don Thibeau, chair of the OIX. "We want to acknowledge the critical role the agency has played as a pioneer in the government's use of open identity standards. The impact of the NIH iTrust pilots is reflected not only in the formation of Open Identity Exchange in the marketplace but also in the groundbreaking leadership NIH has demonstrated in new public sector applications."

"This pilot supports and illustrates the value of the President's open government initiative. We believe deeply in using electronic identity technologies to enable communication between government entities and citizens," said Dr. Peter Alterman, Senior Advisor to the NIH Chief Information Officer for Strategic Initiatives. "By doing so, we are sending a strong message to citizens that we care deeply about their security and privacy."

03 Mar 2010 3:01pm GMT

Washington, D.C. and San Francisco - March 3, 2010 - Industry leaders Google, PayPal, Equifax, VeriSign, Verizon, CA, and Booz Allen Hamilton today announced at the RSA Conference 2010 the formation of the Open Identity Exchange (OIX) www.openidentityexchange.org, a non-profit organization dedicated to building trust in the exchange of online identity credentials across public and private sectors. With initial grants from the OpenID Foundation (OIDF) and Information Card Foundation (ICF), OIX has been approved as a trust framework provider by the United States Government to certify online identity management providers to U.S. federal standards for identity assurance.

Trust frameworks are a new way for one site to trust the identity, security, and privacy assurances from another site (the "identity provider") acting on behalf of a user. Google, Paypal, and Equifax are the first three identity providers certified by OIX to issue digital identity credentials that will be accepted for privacy-protected registration and login at U.S. government websites. Verizon is currently in the certification process and is expected to be completed shortly.

The National Institutes of Health (NIH) is the first government website accepting these credentials, including OpenID and Information Card logins, a capability it demonstrated today at the RSA Conference. Citizens can use open identity technologies to support a number of online services across websites, including customized library searches, access to training resources, conference registration, and medical research wikis, with strong privacy protections, all designed to ensure accessible and transparent communication between the government agency and U.S. citizens.

"We want to acknowledge the critical role NIH has played as a pioneer in the government's use of open identity standards. The impact of the NIH iTrust pilots is reflected not only in the formation of Open Identity Exchange in the marketplace but also in the groundbreaking leadership NIH has demonstrated in new public sector applications," said Dr. Peter Alterman, Senior Advisor to the NIH Chief Information Officer for Strategic Initiatives.

"OIX grew out of a public/private industry partnership initiated by the U.S. government at this conference last year," said Don Thibeau, OIDF Executive Director and OIX Board Chair. "OpenID and Information Card technologies can solve the technical problem of using identity credentials across different websites, but can't solve the problem of how those credentials can be trusted at different levels of assurance. OIX is a solution to this problem not just for the U.S. government, but for many different governments, industry alliances, non-profit associations, telcos, academic networks, and others all over the world who need to establish trust across a wide online population."

The first official OIX trust framework meets the requirements set forth by the U.S. Identity, Credential, and Access Management (ICAM) Trust Framework Provider Adoption Process (TFPAP) established by the U.S. General Services Administration (GSA). This trust framework will enable the American public to participate in open, transparent and participatory government while maintaining full control of how much or how little personal information they share with federal websites at all times. "OIX means there is now a safe way to use an OpenID or an Information Card to register and login at any number of federal websites without needing a new username and password for each," said Drummond Reed, ICF Executive Director and Acting Executive Director of OIX. "As we roll out progressively stronger levels of certification, this will empower U.S. citizens to access and mange their tax records, Social Security records, veteran's benefits, and many other government services online."

"Before organizations can confidently consume identity information produced by third parties, they need to have confidence in those third parties' business processes and practices, and in the quality of the information they provide," said Bob Blakley, Research Director, Burton Group Identity and Privacy Strategies, Gartner. "Before individuals can confidently provide information to third parties, they need to have confidence that their privacy will be protected by those third parties. The process of gaining confidence in a third party organization's processes for collecting, verifying, handling, using, and disclosing identity information is called 'identity assurance'. Identity assurance is a key building block for the production and consumption of identity information in open networks like the internet."

OCLC Online Computer Library Center is another founding member of OIX because it wants to develop a cooperative trust framework for libraries and their users. "More than 72,000 libraries in 112 countries and territories around the world have used OCLC services to locate, acquire, catalog, lend and preserve library materials," said Mike Teets, OCLC Vice President, Innovation. "An OCLC trust framework could broaden online access to those library materials, and make it easier for libraries to connect people to the knowledge they seek in any format-digital or print."

OIX is currently working on development of trust frameworks for public media, telecommunications, library services, state and local governments, and professional associations. "We look forward to facilitating trusted transactions throughout the government and eventually Internet channels," said Thibeau. "True trust requires the participation of a broad community so we are engaging industry, government, legal and academia leaders in how best to resolve challenges in usability, security and privacy."

OIX Members and Industry Experts Discuss Open Trust Frameworks

"We're pleased to be among the first organizations to be certified by the newly created OIX," said Eric Sachs, Senior Product Manager at Google. "We've already seen encouraging implementations of identity technologies in the industry, and our hope is that the work of the OIX will expand on this progress to help facilitate more open government participation, as well as improve security on the Internet by reducing password use across websites."

"Trusted identities and consumer control of personal information are essential to the effectiveness of transactions on the Internet," said Andrew Nash, Senior Director of Identity Services for PayPal Inc. "Trusted frameworks that provide identity assurance are a critical factor in the success of the digital identity ecosystem."

"We are honored to support this critical initiative and work with thought leaders of such a broad range of industry expertise," said Ron Carpinella, Equifax's Vice President of Identity Management. "As an innovator of knowledge-based authentication technology and the only information solutions company on this board, we look forward to advancing the development of an open trust platform initiative that will enable more secure and simplified interaction between consumers and the digital world."

"VeriSign is excited to participate in the next phase in the creation and standardization of high assurance identity systems," said Nicolas Popp, Vice President of Product Development at VeriSign. "Drawing from our experience in bringing trust to the Internet, we look forward to contributing to the development of a multichannel identity trust framework that will enable citizens to communicate openly with confidence."

"Verizon shares OIX's vision for establishing a framework for trust on the Internet," said Peter Tippett, Vice President of Security Solutions and Enterprise Innovation at Verizon Business. "As a founding member of OIX, Verizon is working with other key Internet players to push for industry-wide reform that will forever change the way consumers and businesses interact on the Internet."

"Trust, privacy and security are critical to the safe adoption of an identity based digital infrastructure. The formation of the Open Identity Exchange is an important step forward in creating the necessary framework to establish these criteria," said Tim Brown, CA Chief Security Architect and Distinguished Engineer. "With the support of industry leading companies and the OpenID and Information Card Foundations, our efforts will help solve the digital trust problems that our governments and industry face."

"With more people expecting to access services and information online, federal agencies need an easier, more secure approach when interacting with the public," said Patrick Peck, Executive Vice President of Booz Allen Hamilton. "Trust Frameworks can provide this solution for more than 20,000 federal websites through streamlined registration and simplified logins, and we are excited about supporting this public-private partnership to bring operational benefits to service providers and better access to the citizens they support."

Mike Teets from OCLC explains, "There is a surprising amount of valuable content available online through libraries that many consumers are not even aware of. Many states and national governments license a vast amount of resources for their citizens, and these could be made even more readily accessible through this initiative. OIX will put a key piece of the infrastructure puzzle in place to help libraries further reduce barriers of access to content, which is what OCLC is all about."

"Digital trust should originate from the location where it naturally occurs, be it my municipality to validate my residency, my professional affiliations, my educational institutions, my family affiliations, my religious affiliations, etc.," said Hal Warren, President of the OpenID Society, a chapter of the OIDF. "This requires a complex multi-faceted framework through which trusted claims can be transmitted and validated. This is the objective of the OIX. "Simplicity is complexity well done."

"We look forward to facilitating trusted transactions throughout the government and eventually Internet channels," said Thibeau. "True trust requires the participation of a broad community so we are engaging industry, government, legal and academia leaders in how best to resolve challenges in usability, security and privacy."

About Google Inc.

Google's innovative search technologies connect millions of people around the world with information every day. Founded in 1998 by Stanford Ph.D. students Larry Page and Sergey Brin, Google today is a top web property in all major global markets. Google's targeted advertising program provides businesses of all sizes with measurable results, while enhancing the overall web experience for users. Google is headquartered in Silicon Valley with offices throughout the Americas, Europe and Asia. For more information, visit www.google.com.

About PayPal
PayPal is the faster, safer way to pay and get paid online. The service allows members to send money without sharing financial information, with the flexibility to pay using their account balances, bank accounts, credit cards or promotional financing. With more than 81 million active accounts in 190 markets and 24 currencies around the world, PayPal enables global ecommerce. PayPal is an eBay company and is made up of three leading online payment services: the PayPal global payments platform, the Payflow Gateway, and Bill Me Later. More information can be found at https://www.paypal.com.

About Equifax

Equifax empowers businesses and consumers with information they can trust. A global leader in information solutions, we leverage one of the largest sources of consumer and commercial data, along with advanced analytics and proprietary technology, to create customized insights that enrich both the performance of businesses and the lives of consumers.

With a strong heritage of innovation and leadership, Equifax continuously delivers innovative solutions with the highest integrity and reliability. Businesses - large and small - rely on us for consumer and business credit intelligence, portfolio management, fraud detection, decisioning technology, marketing tools, and much more. We empower individual consumers to manage their personal information, protect their identity, and maximize their financial well-being.

Headquartered in Atlanta, Georgia, Equifax Inc. operates in the U.S. and 14 other countries throughout North America, Latin America and Europe. Equifax is a member of Standard & Poor's (S&P) 500® Index. Our common stock is traded on the New York Stock Exchange under the symbol EFX.

About VeriSign

VeriSign, Inc. (NASDAQ: VRSN) is the trusted provider of Internet infrastructure services for the networked world. Billions of times each day, VeriSign helps companies and consumers all over the world engage in communications and commerce with confidence. Additional news and information about the company is available at www.verisign.com.

About Verizon Business

Verizon Business, a unit of Verizon Communications (NYSE: VZ), is a global leader in communications and IT solutions. We combine professional expertise with one of the world's most connected IP networks to deliver award-winning communications, IT, information security and network solutions. We securely connect today's extended enterprises of widespread and mobile customers, partners, suppliers and employees - enabling them to increase productivity and efficiency and help preserve the environment. Many of the world's largest businesses and governments - including 96 percent of the Fortune 1000 and thousands of government agencies and educational institutions - rely on our professional and managed services and network technologies to accelerate their business. Find out more at www.verizonbusiness.com.

About CA

CA (NASDAQ: CA), the world's leading independent IT management software company, helps customers optimize IT for better business results. CA's Enterprise IT Management solutions for mainframe and distributed computing enable Lean IT-empowering organizations to more effectively govern, manage and secure their IT operations. For more information, visit www.ca.com.

About Booz Allen Hamilton

Booz Allen Hamilton has been at the forefront of strategy and technology consulting for 95 years. Every day, government agencies, institutions, corporations, and not-for-profit organizations rely on the firm's expertise and objectivity, and on the combined capabilities and dedication of our exceptional people to find solutions and seize opportunities. Providing a broad range of services in strategy, operations, organization and change, information technology, systems engineering, and program management, Booz Allen is committed to delivering results that endure.

With more than 22,000 people, Booz Allen generates $4.5 billion in annual revenue. To learn more about the firm, visit www.boozallen.com.

About OCLC
Founded in 1967, OCLC is a nonprofit, membership, computer library service and research organization dedicated to the public purposes of furthering access to the world's information and reducing library costs. More than 72,000 libraries in 112 countries have used OCLC services to locate, acquire, catalog, lend, preserve and manage library materials. Researchers, students, faculty, scholars, professional librarians and other information seekers use OCLC services to obtain bibliographic, abstract and full-text information when and where they need it. OCLC and its member libraries cooperatively produce and maintain WorldCat, the world's largest online database for discovery of library resources. Search WorldCat.org on the Web. For more information, visit www.oclc.org.

About Open Identity Exchange

The Open Identity Exchange (OIX) is a neutral, non-profit, multi-channel provider of certification trust frameworks for open identity technologies. OIX was founded by grants from the OpenID and Information Card Foundations and support from companies including Google, PayPal, Equifax, VeriSign, Verizon, CA, and Booz Allen Hamilton. It also includes non-profit members such as OCLC and the OpenID Society. For more information visit www.openidentityexchange.org.

03 Mar 2010 2:56pm GMT

They thought: why not simply requiring everybody to store logs, just in case a crime happens and the authorities would have a much easier time if they could access the logs when they needed them.

The German constitutional court disagreed and requires that all such logs be deleted as soon as possible.

Link to story (in German).

02 Mar 2010 4:15pm GMT

Last Thursday over 60 OpenID advocates met at Sears World Headquarters in Chicago for a full day of discussions on progress to date and future plans for OpenID deployment and utilization. There is a summary of the event on the OpenID Foundation wiki. See Twitter coverage of the event with the hash tag #openidux

Who Attended:
Companies represented included Sears, NPR, PBS, AARP, MTV, Fox News, Universal Music Group, Kodak, Tribune Interactive, White Pages, OpenTable, Scout24/Deutsche Telecom, GameStop, Bank of America, Yahoo, Google, AOL, Microsoft, PayPal, Facebook, JanRain, Exact Target, Ping Identity, and others.

Updates from the Identity Providers:
The session kicked off with presentations by Google (Joseph Smarr), Yahoo (Allen Tom), Microsoft (Angus Logan), Facebook (David Recordon), PayPal (Andrew Nash), and AOL (George Fletcher). Copies of many of the presentations are available on the OpenID Foundation wiki. Some key highlights from these sessions:

• Google is working on providing more API access to its OpenID Services, including Buzz, Portable Contacts, Activity Streams, OAuth WRAP, etc. Their OpenID service will also be certified by the newly formed Open Identity Exchange (OIX) for use on federal government websites.

• Yahoo has deployed an OpenID/OAuth hybrid deployment model for access control to Yahoo data and APIs including Contacts (address book), Yahoo Mail, and Yahoo Updates (Activity Streams). Allen went through a case study of how Yahoo OpenID and OAuth services are being used on Huffington Post and the many benefits to users of this experience. Allen described how Yahoo Updates allows posting back to 300M Yahoo homepage, 300M Yahoo Mail, 90M Yahoo Messenger, and 40M MyYahoo accounts.

• Microsoft reported that they have over 500 million active users across Windows LiveID, Bing, Xbox, HotMail, Messenger, MSN, and Office. They continue to making process in providing 'standards' based access to user data and services. Angus described how Windows LiveID is currently being used across Windows Live and Xbox. He also discussed MS' active involvement in OAuth/WRAP, Portable Contacts, OWF, and Activity Stream initiatives.

• PayPal described their work with the federal government in launching an OpenID service for federal websites. Consumer policy and permissioning mechanism based on the UMA model will be integrated into the IDP operation. They are currently working with a limited number of "white listed" commercial websites for deployment of their OpenID services. Organizations wishing to discuss acceptance of PayPal OpenID on their websites are encouraged to contact Andrew Nash.

• Facebook discussed the widespread adoption of Facebook Connect and how they have been accepting OpenID for logins for the past year. They continued to share user experience learnings from building Connect and stressed the importance of developer simplicity around OpenID this year. David demonstrated a killer multimedia demo where a video feed dynamically consumed and displayed data from Facebook profiles via Connect.

• AOL reported that they will be upgrading their OpenID Provider service to V2.0 within the next few weeks. George discussed that they are pursuing a number additional enhancements based on emerging standards like XRD and webfinger. In addition, as an existing OpenID 2.0 Relying Party, AOL continues to expand the number of properties that accept OpenIDs.

• MySpace was unable to attend due to some last minute scheduling conflicts. Monica Keller, formerly an OpenID Advocate at MySpace has recently transitioned to Facebook and is now working with David Recordon on open standards initiatives.

Some History and Recommendations:
After the updates from the Identity Providers, Brian Ellin, Product Manager at JanRain, chronicled the evolution of OpenID UX. Brian made a number of recommendations to RPs looking to drive adoption and usage of OpenID registration and login:

• Simplify the login and registration flow - rethink the process and optimize it for a third party approach, don't just bolt it onto your existing page
• Avoid lengthy registration forms. Engage quickly, progressively ask for data as needed. Import SREG, AX, and/or OAuth data where possible to pre-populate registration forms.
• Remember user preferences and present only the preferred ID provider upon return visits.
• Consider a branded button-driven interface, select the ID providers that are most relevant for your user base.
• Queue the users right at the register/login link with favicons or other visual images and text that makes it clear that they can use existing accounts instead of having to create an entirely new account.
• Placement of elements of the workflow on the webpage can impact adoption and usage
• Consider combining registration and login into one integrated service
• Use the OpenID UX extension for a pop-up interface that keeps the login process in the context of the host website - avoid the full browser redirect. Use check immediate mode when possible so user achieves a "single click login" experience.
• OpenID for mobile applications is great - less typing required, easier to import data for registration forms, no username/password to input. Don't use pop-up for mobile interface.
• Use "verified email" from ID providers when available to eliminate the 2 step email verification registration flow that results in reduced success rates.
• Use the OpenID/OAuth hybrid for access to rich user data including friends, address books, photos, etc.

By implementing these recommendations, Blink182.com saw that 60% of users opted for 3rd party registration over the legacy username/password option. Through a finely tuned implementation that evolved through iterative testing, Universal Music Group's Lady Gaga website was able to achieve an astounding 89% 3rd party login preference over the traditional username/password option.

"Voice of the Customer" - Input from Website Operators:
Next up were Daniel Jacobson from NPR, Rob Harles from Sears, and Jonathan Coffman from PBS representing the "voice of the customer."

National Public Radio (NPR):
Daniel Jacobson, Director of Application Development at NPR, was recently elected to the Board of Directors of the OpenID Foundation and as the Chairman of the Adoption Committee. He reported on goals and priorities of the Adoption Committee for the upcoming year. Daniel's vision behind these goals is to help position OpenID as a product that will make it easier for website operators to implement while providing a better user experience for the end users. The top priorities supporting this vision include:

• Increased market research on the needs of RPs, OPs, and end users
• Enhancement of the open source libraries
• Marketing, education, and promotion
• Improved ability to serve non-browser-based platforms, including mobile

Anyone willing to contribute to the discussion on how to increase adoption and usage of OpenID may want to subscribe to the Adoption Committee mailing list.

Daniel also described the research that NPR has been doing with OpenID and that their "end game" is shared identities across all public media. They are currently collaborating with PBS and the OpenID Foundation to determine the next steps in their identity sharing strategy.

Sears:
Rob Harles, VP Social Media and Community at Sears Holdings Company, presented a summary of Sears recent deployment on the MySears and MyKmart communities as well as their plans to roll out across all the Sears websites. Rob was recently elected to the Board of Directors of the OpenID Foundation and serves as the Chairman of the Online Retailer Committee.

Rob reported that Sears has one of the fastest growing retail communities, with 400% growth in 2009. They deployed JanRain's RPX integrated into the Viewpoints community platform to accept third party registration and login from Yahoo, Google, Facebook, MySpace, AOL, Twitter, Windows LiveID, and general OpenID accounts.

Additionally they surveyed their members to find out what drives interest in 3rd party login. The top two motivators were login convenience and the desire to not have to set up yet another username & password for a new account. When asked what would further improve user experience, the top two requests were the ability to share content and photos with friends.

Rob described their objectives as a combination of serving their existing customers better while also reaching out to a broader demographic than their traditional 35 to 53 year old female segment. He said that accepting registrations from a wide variety of identity providers definitely helped to expand their demographic reach.

Public Broadcasting Service (PBS):
Jonathan Coffman, Social Media Strategist and Product Manager at PBS, was also recently elected to the Board of Directors of the OpenID Foundation and serves on the Adoption Committee. PBS has launched an OpenID service for use across PBS websites.
Next steps for PBS include:

• Enhanced user profiles, including allowing RPs to store extended profile data at the OP
• Begin building out the consumer side of system, allowing users to connect with and use their 3rd party accounts across ecosystem
• PBS has teamed up with the OIDF to investigate what a Public Media Trust Framework, modeled after the US federal government trust framework, might entail
• Talking to Stations, Shows, NPR, and companies like Google and PayPal to envision a time when all of this might come together and to create a path forward.

Best Practices and Data Management:
Finally, Allen Tom reviewed some best practices including account recovery/reset, attaching multiple identifiers, mobile authentication, and using WebFinger. Joseph Smarr discussed data management including updates on SREG, AX, OAuth, WRAP, Portable Contacts, and Activity Streams. Joseph acknowledged that there are a lot of moving parts and that things are changing quickly, so organizations who don't have sufficient internal resources or expertise might want to consider outsourcing to a solution provider.

What was especially memorable for this event was the active involvement, questions, and recommendations from existing and prospective OPs. Representatives from Sears, NPR, PBS, AARP, MTV, Fox News, Universal Music Group, Kodak, Tribune Interactive, White Pages, Scout24/Deutsche Telecom, and GameStop provided lots of constructive feedback for the OpenID Foundation and the Identity Providers.

Thanks to the Sponsors:
Many thanks to Sears for hosting the event, Google for providing video conference access from DC and Mt. View, and to all the participants who braved the Chicago weather and airport challenges to attend this exceptional event.

02 Mar 2010 12:59am GMT

Commentary by Mark Wahl, CISA

RSA Conference 2010 (20100227)

Next week I'll be at the RSA Conference in San Francisco, California.

On Tuesday, March 2^nd, there's a keynote on Creating a Safer, More Trusted Internet. The RSA Conference Expo opens to all attendees shortly afterward, and the Microsoft booth is just inside the front doors. There's a identity and access management preview video on the Microsoft RSA conference page.

27 Feb 2010 8:00am GMT

My company Urban Airship just closed a round of venture financing. We're pretty excited about it.

(Note: I needed this post here to force an update to Google search results - long story … I'm not navel gazing here)

22 Feb 2010 7:28pm GMT

It turns out Google I/O is the week of IIW. We found out to late to shift weeks but early enough to shift days to only conflict 1 day (the 19th). Please mark your calendars accordingly.

Early Bird Registraiton is in effect for another Month. Sponsorships and "big tickets" (for those who can expense a higher ticket price but can't get actual "sponsorship budget") are still available.

Related posts:

1. FREEDOM Infringed…
2. Identity Open Space: SIGN UP INFO
3. IIW IX is open for business

18 Feb 2010 9:31pm GMT

There are a few events on the yearly calendar where a corum of identity folks come together - RSA is one of them.

We are organizing an informal community Dinner on Tuesday evening at 7pm.

Everyone is WELCOME! just RSVP here on eventbrite. It will be no-host but not that expensive. We are looking at Indian places near the main hotel cluster for RSA.

The hosted Ping Party will follow at a location TBD.

If you were ever a part of or are interested in knowing more about the Identity Gang, OpenID, Information Cards, Higgins, Project VRM, PubSubHubbub, Salmon, XRD, LRDD, XRI, XDI, Volunteered Personal Information, UMA, Kantara, DiSo, Open Social, augmented browsing, end user focused proctols for individual and community empowerment this event is for you.

Related posts:

1. Identity for Online Community Managers
2. Identity Gang Dinner at RSA
3. Where is Identity: Supernova 2007 Panel: Do you know where your Identity is?

18 Feb 2010 9:26am GMT

Next month we are hosting a gathering called Map the Gaps. It came out of a session I ran several IIW's ago asking the question what if there was a "Legal-IIW" the intent was always to cross communities and connect activities already in this area. The intent from the beginning was to connect with and work with PPEG at Liberty Alliance. I am happy to be working with Robin from Kantara who ran the PPEG group at Liberty Alliance. Lucy from the Internet Society has been a real champion of the event.

We are threading the needle of size and accessability. Our intent is to make as much as possible about the conversation public and report out. We also know that the energy is really different with 20-30 people vs. 100. We are seeking interest particularly from technologist who are interested in understanding how Lawyers think and how different aspects of law are going to end up impacting the technologies they build and how those technologies will change the law.

You can see the matrices we are looking to fill in here on the ID-Commons wiki.

Here is the invitation and this is a link to express interest in attending.

Identity Commons and The Kantara Initiative
present an identity workshop and symposium to
"Map the Gaps"
Sponsored by the Internet Society.
March 18th-19th, 2010, Washington DC

The event will be attended by representatives of the diverse identity communities to help "Map the Gaps" that currently exist between the policy/legal and technology views of digital identity and online privacy.

The intention of the "mapping" exercise is to benefit the overall identity community by cataloguing and examining the characteristics and approaches of various online identity-related technical and legal initiatives, so that they can be applied to find common ground to integrate the research and development initiatives in the identity space.

The infrastructure for online identity continues to evolve, and increasingly raises social and privacy questions which are large, complex, and cannot be solved either by technology alone, or by a "single-stakeholder" approach.

While technologists and lawyers have worked separately in the past, identity technologies are now bringing people together in ways that are so intimate and far-reaching that they change both the way humans relate to technology, and the technologically-mediated ways humans relate to each other. Many of those technologically-mediated interactions are the subject of various established laws, which must now be reviewed in the light of this evolution: the technology cannot properly develop without legal guidance and vice versa.

This effort will depend upon the identification and creation of common concepts, language and paradigms to guide future development in the area. Our aim is to bring technologists and legal and policy professionals together, establish a common understanding of each other's domains, and map out the gaps which subsequent work would aim to bridge.

The "Map the Gaps" event will provide participants with a forum to contribute various perspectives on identity-related themes, the output of which may be coordinated with American Bar Association events as well as within working groups at ID Commons and the Kantara Initiative.

Due to limited space, the event is being held by invitation only. There are, however, other ways to participate in this important work, including submitting written materials for inclusion in symposium online materials.

In order to assure that the broadest possible representation of interests is achieved to inform the work that will take place at the symposium, all submitted papers will be made available to attendees and others on the Identity Commons and Kantara symposium-related websites.

Limited spaces have been reserved at the symposium for a few additional invitations to be extended to individuals and institutional representatives based on a review of submitted papers. Additional invitations may be extended based on those papers that offer significant perspectives and insights that are perceived to be different than or complementary to those already represented by the existing symposium attendees.

Next steps:
The symposium will be interactive and participant-driven: we ask all persons who would like to attend the meeting as participants to contribute, in advance (and no later than February 28, 2010), a brief (250-500 words) position paper, analysis or other description of an interesting or pressing problem they have encountered in this field. Papers will be posted as noted above, and we will extend invitations for participation to the authors of those papers that satisfy the criteria indicated above.

To express interest in the "Map the Gaps" workshop and symposium:

https://www.isoc.org/isoc/conferences/registration/?id=19

Event Committee:

• Scott David, K&L Gates LLC.
• Lucy Lynch, Internet Society
• Kaliya Hamlin, ID Commons
• J. Trent Adams, Internet Society
• Robin Wilton, Future Identity, Ltd.

Related posts:

1. Online Community Unconference East
2. Legal Haze for Social networks. Identity and Freedom of Expression.
3. Announcing The Virtual Rights Symposium on Digital Identity & Human Rights

18 Feb 2010 9:03am GMT

First, my apologies to everyone who commented on Fixing the Google Account Problem. For some reason WordPress stopped notifying me about comment approval (I'm using Akismet but I still find the majority of comments that get through it are spam, so I moderate comments). So I just logged in and found a bunch of great comments, including several that I replied to.

Three clear themes emerge from these:

1. The problem is even worse if Google Apps is involved. Apparently there isn't a solution to merging a Google account and a Google Apps account yet (which frightens me because I'm about to need to set up my first Google Apps account).
2. Using email addresses as primary account identifiers is problematic, period.
3. Internet identity managment, especially at scale, is hard. A lot harder than it looks.

I'm told the good folks at Google have been discussing this. Please feel free to add more suggestions about exactly what you think they should do.

14 Feb 2010 2:40am GMT

Sometimes the results of OpenID logins look a little bit strange, certainly not as expected by users. Blog comments are a good example. Usually I would expect my real name or username displayed there but occasionally it looks like this:

The provider simply didn't send my name (Google in this case).

While some providers allow personas, i.e. users can create different sets of login information, e.g. one with a business email address and one with a personal one, the most don't. So what can users do if they want to change
any of the information like name or email address? Actually not very much. Changing the information before each login at the provider is not really an option. Switching to a provider that features personas is a good idea but doesn't suit all users.

Disqus is a comment system for various platforms like WordPress, Drupal, and many more, and is tackling at least one part of this problem in a rather elegant way. Among other ways it lets users comment with their OpenID. When commenting users see this popup:

They can easily change the display name. It's a small popup, it's unobtrusive, and a good example of how relying parties can improve the user experience of OpenID. Well done!

13 Feb 2010 7:39am GMT

If you want to know, read through this slide presentation put together by Joint Venture Silicon Valley and the Silicon Valley Community Foundation. It aggregates a wealth of data.

One thing that struck me particularly: it says that 45% of all people speak a language other than English at home. That is more than the third of people who were foreign-born.

11 Feb 2010 4:37pm GMT

When I joined the company a month ago, I was baited with the promise that Google was ready to get serious about the social web.

Yesterday's launch of Google Buzz and the fledgling Google Buzz API is like a downpayment on what I see as Google's broader social web ambitions, that have been bubbling beneath the surface for some time. Understand that Buzz is not entirely an end unto itself, but a way for Google to get some skin in the game to promote the use and adoption of different open technologies for the social web.

In fact, I'd argue that Buzz is as much about Google creating a new channel for conversation in a familiar place as it is about how we're going about building its public developer surfaces. Although today's Buzz API only offers a real-time read-only activity stream, the goal is to move quickly towards implementing a host of other technologies - most of which should be familiar to readers of this blog.

As Kevin Marks observes, in order to address the mess of the social web that Mike Arrington described, we need widespread use [of common standards] so that we can generalize across sites - and thus enable people to interact and engage across the web , rather than being restricted to any particular silo of activity - which may or may not reflect their true social configuration.

In other words, standards - and in particular social web standards - are the lingua franca that make it possible for uninitiated web services to interact in a consistent manner. When web services use standards to commoditize essential and basic features, it forces them to compete not with user lock-in, but by providing better service, better user experience, or with new functionality and utility. I am an advocate of the open web because I believe the open web leads to increased competition, which in turn affords people better options, and more leverage in the world.

Buzz is both a terrific product, and a great example of how the social web is evolving and becoming truly ubiquitous. Buzz is simply one more stitch in the fabric of the social web.

11 Feb 2010 5:07am GMT