OpenID Progress EEMA Conference


Presentation about progress of the OpenID protocol and developments in trust frameworks

Transcript of OpenID Progress EEMA Conference

Page 1: OpenID Progress EEMA Conference

OpenID: a catalyst for EU e-ID


Page 2: OpenID Progress EEMA Conference

As ID experts we like to present this problem

Page 3: OpenID Progress EEMA Conference

For 25 years nobody has really cared!

• Double-digit growth in eCommerce
• PKI Smartcards as a beer coaster
• Infocard not shipped
• Self-asserted username-passwords are fine
• Employees bypass security systems to do their real work

Page 4: OpenID Progress EEMA Conference

eID the right tool at the right time?

Page 5: OpenID Progress EEMA Conference

Different use-cases, or just a different market approach towards a consumer-accepted e-ID?

Page 6: OpenID Progress EEMA Conference

Additional trends that confirm a need for a different approach

• Password fatigue
• Mobile first
• Socialisation of the web
• Cloud – Services Integration

Page 7: OpenID Progress EEMA Conference

‘GBA’

Registration fatigue


Page 9: OpenID Progress EEMA Conference

A new identity console


Page 10: OpenID Progress EEMA Conference

Your digital identity on the social web


500M+

175M+

Page 11: OpenID Progress EEMA Conference

Sharing your data under consent between services (OAuth)

Page 12: OpenID Progress EEMA Conference

OpenID, one single digital identity for consumers?

•OpenID is a successful multichannel protocol to enable consumers and merchants to share identities

•Consumers do not understand OpenID as their single identity

•Identity providers want to promote their brand and competitive advantage

•Re-use existing accounts, like Google, Facebook, Hyves, LinkedIn

More on OpenID situation 2011 “OpenID Swot”

Page 13: OpenID Progress EEMA Conference

The Evolution of Open Identity: 2007, 2008-2009, 2010

• OpenID User must understand and remember URL

• Each OpenID Provider has different URL syntax

• This worked “OK” on tech-focused blogs, wikis, discussion groups, etc. but not well with broader audiences and applications

• Yahoo buttons, Google Friend Connect, Facebook Connect, ID Selector

• Content Provider Advisory Committee meeting in NYC

• First UX Summit at Yahoo

• Major OPs improving workflow

• User only needs to click on icon for preferred identity account

• Second UX Summit at Facebook

• Graphical interface of major Identity Providers, including proprietary solutions from Facebook, MySpace, & Microsoft

Page 14: OpenID Progress EEMA Conference

2011 Challenges/Priorities OpenID Foundation

Challenge: Improve the OpenID “product”
– Finalize and implement OpenID ABC
– Outreach to other identity protocols (UX, Attributes, Consent)

Challenge: Globalize OpenID Adoption
– Worldwide OpenID summits will improve specifications and adoption
– OIDF leaders organize, sponsor and speak at global identity events, OpenID summits

Challenge: Build momentum and expand outreach
– Collaborate with related standards bodies and organizations
– Extend content curator program

Challenge: Keep OpenID free and IPR protected
– Extend trademark protections globally

Page 15: OpenID Progress EEMA Conference

Working Group

• Current specification OpenID 2.0 used successfully in different use cases (also enterprise)
• New Spec in progress “OpenID ABC”
  – Almost certainly not final branding!
  – Spec work occurring in “Artifact Binding” working group
  – Incorporates submissions to former “OpenID Connect” working group
• Points of departure
  – Mobile phones and other limited platforms
  – “Facebook Connect” style functionality for easy registration
  – Easier deployment than OpenID 2.0

Page 16: OpenID Progress EEMA Conference

The OpenID ABC product

• Artifact Binding
• UserInfo Endpoint
• Simple RPs
• Higher LoA
• Session Management
• Unregistered Clients
• OAuth 2 Integration
• Use of JWTs
• Single Logout

Page 17: OpenID Progress EEMA Conference

Protocol workgroup participants

• Key working group participants:
  – Nat Sakimura – Nippon Research Institute – Japan
  – John Bradley – Independent – Chile
  – Breno de Medeiros – Google – US
  – Paul Tarjan – Facebook – US
  – Axel Nennker – Deutsche Telekom – Germany
  – Kick Willemse – Independent – Netherlands
  – Tony Nadalin – Microsoft – US
  – Mike Jones – Microsoft – US
• By no means an exhaustive list!
• OpenID specs developed via an open process
• All free to participate

Page 18: OpenID Progress EEMA Conference

Discussion & Resources

• Artifact Binding Working Group Wiki Page
  – http://wiki.openid.net/w/page/12995134/Artifact-Binding
• Artifact Binding Mailing List
  – http://lists.openid.net/mailman/listinfo/openid-specs-ab

Page 19: OpenID Progress EEMA Conference

Specification Structure

• OpenID AB spec consists of two parts
  – Core – abstract specification
  – Binding – OAuth 2 based binding
• JSON Web Token (JWT) spec with signing
  – Next version will add encryption
  – Other specs like UMA are looking to adopt it
• Discovery is a separate spec
• Will refer to OAuth 2.0 specs once finished

Page 20: OpenID Progress EEMA Conference

Spec Progress

• Current status
  – Core – 70% done
  – Bindings – 75% done (pending OAuth 2.0 completion)
  – Discovery – 80% (working from SWD)
  – JWT – 90% done for tokens and signature
    • Encryption remains to be specified
  – OAuth 2.0 – 95%
• Target: Complete drafts by Internet Identity Workshop (IIW) in May, Final IIW in November 2011

Page 21: OpenID Progress EEMA Conference

Visit our summits for updates and discussions

January 18 Completed OpenID Policy Summit hosted and sponsored by OIX in Washington DC

March 8 Completed OpenID Retail Summit hosted by PayPal in San Jose

May 2 12-5 PM OpenID Security Summit co-hosted by Symantec/Google in Mountain View

May 10 8-12 AM OpenID Technology Summit at EIC co-sponsored by Google and Microsoft in Munich

TBD TBD OpenID Asia/Pacific Technology Summit hosted by NRI in Tokyo

July 19 8-12 AM OpenID Enterprise Summit hosted by Ping Identity in Keystone, Colorado

Oct 10 TBD OpenID Technology Summit at RSA Conference co-hosted by Microsoft and Google in London

November 12-5 PM OpenID Social Media Summit November hosted by FaceBook in Palo Alto

http://Wiki.openid.net

Page 22: OpenID Progress EEMA Conference

So what about trust levels?

• OpenID is not a trust scheme
• Do you really need a trust level or may self assertion, pre-registration or IDP whitelisting work for you?
• Local trust schemes, country specific
• US-Gov Profile OpenID ICAM profile
• Stork E-ID and ISO/IEC 29115
• International movement towards trust schemes that make it possible to re-use existing identities, both private and public

Page 23: OpenID Progress EEMA Conference

The trust framework paradox?

• Identity = A collection of multiple attributes or claims about a person or system
  – Name
  – E-mail
  – Date of Birth
  – Profession
  – Address
• Why do we want to define Levels of Assurance (LOA) on a single Identity Level and not attribute level?

Page 24: OpenID Progress EEMA Conference

Mapping attribute schemes is an important condition for LOAs

• A data model for personal data SEMIC (EU)
• Attribute Exchange, Sreg in OpenID
• Open Social – Portable Contacts
• Social network specific
• Country specific

Page 25: OpenID Progress EEMA Conference

Trust scheme on attribute level

• A first scheme for e-mail by Google within OIX
  – OpenID Summit certification list/ Google RP
• Possible methods of verification
  – Self asserted
  – Proof of Possession
  – Authentic Register
  – Certificate of origin

Page 26: OpenID Progress EEMA Conference

Interested in helping shape the future of internet identity?

OIDF Company/Organizational Membership

• Share experience and concerns with important identity players like Google, Paypal, Microsoft, FaceBook, Ping, Deutsche Telekom
• Inclusion in OpenID Foundation press releases and industry events
• Corporate logo displayed on the OpenID Foundation website and materials
• OpenID Summits fees waived for all employees
• Propose and lead OpenID technical and marketing work groups
• Vote on ratification of OpenID specifications and recommendations

OIDF Individual Membership

• Vote on OpenID workgroups, specifications, and community board members
• Use the OpenID Foundation Member logo and signature on your blog, email, website, apps
• Influence the technical development of OpenID technology and adoption
• Free pass to all OpenID Summits and discounts to conferences on internet identity
  – Students and Professional Courtesy options available on request.