Post on 12-May-2015
As ID experts we would like to present this problem:
For 25 years nobody has really cared!
• Double-digit growth in eCommerce
• PKI smartcards used as beer coasters
• Infocard not shipped
• Self-asserted usernames and passwords are fine
• Employees bypass security systems to do their real work
eID: the right tool at the right time?
Different use cases, or just a different market approach towards a consumer-accepted e-ID?
Additional trends that confirm a need for a different approach
• Password fatigue
• Mobile first
• Socialisation of the web
• Cloud – services integration
‘GBA’
Registration fatigue
Consumers create single sign-on
A new identity console
Your digital identity on the social web
500M+ / 175M+ (figures shown on the slide)
Sharing your data under consent between services (OAuth)
OpenID, one single digital identity for consumers?
• OpenID is a successful multichannel protocol that enables consumers and merchants to share identities
• Consumers do not understand OpenID as their single identity
• Identity providers want to promote their brand and competitive advantage
• Re-use existing accounts, like Google, Facebook, Hyves, LinkedIn
More on the OpenID situation in 2011: “OpenID SWOT”
The Evolution of Open Identity
2007
• OpenID user must understand and remember a URL
• Each OpenID Provider has a different URL syntax
• This worked “OK” on tech-focused blogs, wikis, discussion groups, etc. but not well with broader audiences and applications
2008-2009
• Yahoo buttons, Google Friend Connect, Facebook Connect, ID Selector
• Content Provider Advisory Committee meeting in NYC
• First UX Summit at Yahoo
• Major OPs improving workflow
2010
• User only needs to click on the icon of their preferred identity account
• Second UX Summit at Facebook
• Graphical interface of major Identity Providers, including proprietary solutions from Facebook, MySpace & Microsoft
2011 Challenges/Priorities of the OpenID Foundation
Challenge: Improve the OpenID “product”
  – Finalize and implement OpenID ABC
  – Outreach to other identity protocols (UX, attributes, consent)
Challenge: Globalize OpenID adoption
  – Worldwide OpenID summits will improve specifications and adoption
  – OIDF leaders organize, sponsor and speak at global identity events and OpenID summits
Challenge: Build momentum and expand outreach
  – Collaborate with related standards bodies and organizations
  – Extend content curator program
Challenge: Keep OpenID free and IPR protected
  – Extend trademark protections globally
Working Group
• Current specification OpenID 2.0 used successfully in different use cases (also enterprise)
• New spec in progress: “OpenID ABC”
  – Almost certainly not final branding!
  – Spec work occurring in “Artifact Binding” working group
  – Incorporates submissions to former “OpenID Connect” working group
• Points of departure
  – Mobile phones and other limited platforms
  – “Facebook Connect” style functionality for easy registration
  – Easier deployment than OpenID 2.0
The OpenID ABC product
• Artifact Binding
• UserInfo Endpoint
• Simple RPs
• Higher LoA
• Session Management
• Unregistered Clients
• OAuth 2 Integration
• Use of JWTs
• Single Logout
Protocol workgroup participants
• Key working group participants:
  – Nat Sakimura – Nippon Research Institute – Japan
  – John Bradley – Independent – Chile
  – Breno de Medeiros – Google – US
  – Paul Tarjan – Facebook – US
  – Axel Nennker – Deutsche Telekom – Germany
  – Kick Willemse – Independent – Netherlands
  – Tony Nadalin – Microsoft – US
  – Mike Jones – Microsoft – US
• By no means an exhaustive list!
• OpenID specs developed via an open process
• All free to participate
Discussion & Resources
• Artifact Binding Working Group Wiki Page
  – http://wiki.openid.net/w/page/12995134/Artifact-Binding
• Artifact Binding Mailing List
  – http://lists.openid.net/mailman/listinfo/openid-specs-ab
Specification Structure
• OpenID AB spec consists of two parts
  – Core – abstract specification
  – Binding – OAuth 2 based binding
• JSON Web Token (JWT) spec with signing
  – Next version will add encryption
  – Other specs like UMA are looking to adopt it
• Discovery is a separate spec
• Will refer to OAuth 2.0 specs once finished
Spec Progress
• Current status
  – Core – 70% done
  – Bindings – 75% done (pending OAuth 2.0 completion)
  – Discovery – 80% (working from SWD)
  – JWT – 90% done for tokens and signature
    • Encryption remains to be specified
  – OAuth 2.0 – 95%
• Target: complete drafts by Internet Identity Workshop (IIW) in May, final at IIW in November 2011
Visit our summits for updates and discussions
January 18 – Completed – OpenID Policy Summit hosted and sponsored by OIX in Washington DC
March 8 – Completed – OpenID Retail Summit hosted by PayPal in San Jose
May 2 – 12-5 PM – OpenID Security Summit co-hosted by Symantec/Google in Mountain View
May 10 – 8-12 AM – OpenID Technology Summit at EIC co-sponsored by Google and Microsoft in Munich
TBD – TBD – OpenID Asia/Pacific Technology Summit hosted by NRI in Tokyo
July 19 – 8-12 AM – OpenID Enterprise Summit hosted by Ping Identity in Keystone, Colorado
Oct 10 – TBD – OpenID Technology Summit at RSA Conference co-hosted by Microsoft and Google in London
November – 12-5 PM – OpenID Social Media Summit hosted by Facebook in Palo Alto
http://Wiki.openid.net
So what about trust levels?
• OpenID is not a trust scheme
• Do you really need a trust level, or may self-assertion, pre-registration or IDP whitelisting work for you?
• Local trust schemes, country specific
• US-Gov profile: OpenID ICAM profile
• STORK e-ID and ISO/IEC 29115
• International movement towards trust schemes that make it possible to re-use existing identities, both private and public
The trust framework paradox?
• Identity = a collection of multiple attributes or claims about a person or system
  – Name
  – E-mail
  – Date of birth
  – Profession
  – Address
• Why do we want to define Levels of Assurance (LOA) on a single identity level and not at attribute level?
Mapping attribute schemes is an important condition for LOAs
• A data model for personal data: SEMIC (EU)
• Attribute Exchange, SReg in OpenID
• OpenSocial – Portable Contacts
• Social network specific
• Country specific
Trust scheme on attribute level
• A first scheme for e-mail by Google within OIX
  – OpenID Summit certification list / Google RP
• Possible methods of verification
  – Self-asserted
  – Proof of possession
  – Authentic register
  – Certificate of origin
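The “JWT spec with signing” mentioned under Specification Structure and the attribute-level verification methods listed just above, as one added Python example that is not part of this deck and not code from the OpenID Foundation or its specs. It signs and verifies a compact JWT with HMAC-SHA256 using only the standard library (rejecting a token whose header names a different algorithm, a bad signature, a wrong issuer or an expired token), then filters a claim set in which every attribute records how it was verified, so a relying party can act on attribute-level rather than identity-level assurance. The `attributes`/`verified_by` claim layout, the ranking of the four verification methods, the issuer `https://op.example` and the shared secret are all constructed for this example.

```python
# Added example (not part of the original deck): minimal JWT HS256 signing and
# verification with the standard library, plus attribute-level assurance filtering.
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(raw: bytes) -> str:
    # Base64url without '=' padding, as the compact JWT serialization requires
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Produce header.payload.signature with HMAC-SHA256 over the first two parts."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":"), sort_keys=True).encode())
        for part in (header, claims)
    )
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(tag)


def verify_jwt(token: str, key: bytes, expected_issuer: str, now=None) -> dict:
    """Return the claims if the token is authentic and current; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm the verifier expects instead of trusting 'alg' from the token
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm: %r" % header.get("alg"))
    expected = hmac.new(key, (header_b64 + "." + claims_b64).encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison; reject before the payload is even parsed
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != expected_issuer:
        raise ValueError("unexpected issuer")
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


# Constructed ordering of the deck's four verification methods, weakest first.
# The 'attributes'/'verified_by' layout below is this example's own, not a spec.
VERIFICATION_RANK = {"self_asserted": 0, "proof_of_possession": 1,
                     "certificate_of_origin": 2, "authentic_register": 3}


def attributes_meeting(claims: dict, minimum: str) -> dict:
    """Keep only attributes whose recorded verification method is at least `minimum`."""
    floor = VERIFICATION_RANK[minimum]
    return {name: attr["value"]
            for name, attr in claims.get("attributes", {}).items()
            if VERIFICATION_RANK.get(attr.get("verified_by"), -1) >= floor}


def demo(now: float = 1_300_000_000.0) -> dict:
    key = b"constructed-demo-secret"  # shared secret between OP and RP (constructed)
    claims = {
        "iss": "https://op.example",  # constructed issuer
        "sub": "user-123",
        "exp": now + 600,
        "attributes": {
            "email": {"value": "alice@example.org", "verified_by": "proof_of_possession"},
            "name": {"value": "Alice Example", "verified_by": "self_asserted"},
            "date_of_birth": {"value": "1980-01-01", "verified_by": "authentic_register"},
        },
    }
    token = sign_jwt(claims, key)
    verified = verify_jwt(token, key, "https://op.example", now=now)
    # An RP that needs at least proof of possession drops the self-asserted name
    return attributes_meeting(verified, "proof_of_possession")


if __name__ == "__main__":
    print(demo())
```

The verifier checks the signature before it parses the payload and pins the expected algorithm, so neither a modified claim set nor a header that names a weaker algorithm reaches the claim logic; the attribute filter then answers the deck's question by letting the relying party set an assurance floor per attribute rather than per identity.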
Interested in helping shape the future of internet identity?
OIDF Company/Organizational Membership
• Share experience and concerns with important identity players like Google, PayPal, Microsoft, Facebook, Ping, Deutsche Telekom
• Inclusion in OpenID Foundation press releases and industry events
• Corporate logo displayed on the OpenID Foundation website and materials
• OpenID Summit fees waived for all employees
• Propose and lead OpenID technical and marketing work groups
• Vote on ratification of OpenID specifications and recommendations
OIDF Individual Membership
• Vote on OpenID workgroups, specifications, and community board members
• Use the OpenID Foundation Member logo and signature on your blog, email, website, apps
• Influence the technical development of OpenID technology and adoption
• Free pass to all OpenID Summits and discounts to conferences on internet identity
  – Student and professional courtesy options available on request.