Ongoing recognition for the impact of OpenID Connect and OpenID Certification

OpenID logoThis week the OpenID Certification program won the 2018 European Identity and Cloud Award for Best Innovation at the European Identity and Cloud (EIC) conference. This is actually the second award for the OpenID Certification program this year and only the latest in a series awards recognizing the value and impact of OpenID Connect and certification of its implementations.

On this occasion, I thought I’d take the opportunity to recount the awards that OpenID Connect, the specifications underlying it, and its certification program have been granted. To date, they are:

My

Alex Simons 92% OpenID Connect
Continue reading "Ongoing recognition for the impact of OpenID Connect and OpenID Certification"

OpenID Certification wins 2018 European Identity and Cloud Award

OpenID Certified logoThe OpenID Certification program won the 2018 European Identity and Cloud Award for Best Innovation at the European Identity and Cloud (EIC) conference. See the award announcement by the OpenID Foundation for more details. This is actually the second award this year for the OpenID Certification program.

The award recognizes that the OpenID Certification program has become a significant global force promoting high-quality, secure, interoperable OpenID Connect implementations. Its innovative use of self-certification using freely available online tools has made testing the quality of OpenID Connect implementations simple, effective, and commonplace. Thanks to Kuppinger Cole for recognizing the impact of the OpenID Certification program!

EIC 2018 Award EIC 2018 Award Certificate EIC 2018 Award John Bradley, Mike Jones, Nat Sakimura EIC 2018 Award Don Thibeau EIC 2018 Award State EIC 2018 Award Don Thibeau, George Fletcher, Mike Jones, John Bradley, Nat Sakimura

OpenID Certification wins the 2018 Identity Innovation Award

OpenID Certified logoI’m thrilled that the OpenID Certification program has won the 2018 Identity Innovation Award at the IDnext conference. See the award announcement by the OpenID Foundation for more details.

The award recognizes that the OpenID Certification program has become a significant global force promoting high-quality, secure, interoperable OpenID Connect implementations. Its innovative use of self-certification using freely available online tools has made testing the quality of OpenID Connect implementations simple, effective, and commonplace. Thanks to IDnext for recognizing the impact of the OpenID Certification program!

Identity Innovation Award

Identity Innovation Award Presentation

What Does Logout Mean?

OAuth logoDigital identity systems almost universally support end-users logging into applications and many also support logging out of them. But while login is reasonable well understood, there are many different kinds of semantics for “logout” in different use cases and a wide variety of mechanisms for effecting logouts.

I led a discussion on the topic “What Does Logout Mean?” at the 2018 OAuth Security Workshop in Trento, Italy, which was held the week before IETF 101, to explore this topic. The session was intentionally a highly interactive conversation, gathering information from the experts at the workshop to expand our collective understanding of the topic. Brock Allen – a practicing application security architect (and MVP for ASP.NET/IIS) – significantly contributed to the materials used to seed the discussion. And Nat Sakimura took detailed notes to record what we learned during the discussion.

Feedback on the discussion was uniformly positive. Continue reading "What Does Logout Mean?"

OpenID Presentations at October 16, 2017 OpenID Workshop and IIW

OpenID logoI gave the following presentations at the Monday, October 16, 2017 OpenID Workshop at PayPal:

I also gave the following “101” session presentation at the Internet Identity Workshop (IIW) on Tuesday, October 17th:

Some new ways to look at infrastructure

Nothing challenges our understanding of infrastructure better than a crisis, and we have a big one now in Houston. We do with every giant storm, of course. New York is still recovering from Sandy and New Orleans from Katrina. Reforms and adaptations always follow, as civilization learns from experience.

Look at aviation, for example. Houston is the 4th largest city in the U.S. and George Bush International Airport (aka IAH) is a major hub for United Airlines. For the last few days traffic there has been sphinctered down to emergency flights alone. You can see how this looks on FlightAware’s Miserymap:

Go there and click on the blue play button to see how flight cancellations have played over time, and how the flood in Houston has affected Dallas as well. Click on the airport’s donut to see what routes are most affected. Frequent fliers like myself rely on tools like this

Continue reading "Some new ways to look at infrastructure"

Strong Authentication and Token Binding Presentations at EIC 2017

EIC logoI gave two presentations at the 2017 European Identity and Cloud Conference (EIC) on progress we’re making in creating and deploying important new identity and security standards. The presentations were:
  • Strong Authentication using Asymmetric Keys on Devices Controlled by You: This presentation is about the new authentication experiences enabled by the W3C Web Authentication (WebAuthn) and FIDO 2.0 Client To Authenticator Protocol (CTAP) specifications. It describes the progress being made on the standards and shows some example user experiences logging in using authenticators. Check it out in PowerPoint or PDF.
  • Token Binding Standards and Applications: Securing what were previously bearer tokens: This presentation is about how data structures such as browser cookies, ID Tokens, and access tokens can be cryptographically bound to the TLS channels on which they are transported, making them no longer bearer tokens. It describes the state of the Token Binding standards (IETF
    Mike presenting at EIC 2017
    Continue reading "Strong Authentication and Token Binding Presentations at EIC 2017"

Open Word—The Podcasting Story

Nobody is going to own podcasting.990_large By that I mean nobody is going to trap it in a silo. Apple tried, first with its podcasting feature in iTunes, and again with its Podcasts app. Others have tried as well. None of them have succeeded, or will ever succeed, for the same reason nobody has ever owned the human voice, or ever will. (Other, of course, than their own.) Because podcasting is about the human voice. It’s humans talking to humans. Voices to ears and voices to voices—because listeners can talk too. They can speak back. And forward. Lots of ways. Podcasting is one way for markets to have conversations; but the podcast market itself can’t be bought or controlled, because it’s not a market. Or an “industry.” Instead, like the Web, email and other graces of open protocols on the open Internet, podcasting is NEA: Nobody owns it, Continue reading "Open Word—The Podcasting Story"

Apple is a clothing company

applebutton1Reading Walt Mossberg’s latest, titled The post-Jobs Apple has soared financially, but lacks a breakthrough product, and looking toward Apple’s coming announcement on Wednesday, and the headline above occurred to me. Because the main things Apple makes are extensions of ourselves. That’s what our phones and laptops have become. They are things we almost wear, like our clothing. Is it just coincidental that Apple Stores inhabit the same shopping streets and districts otherwise populated by upscale clothing retailers? Or that Angela Ahrendts, who runs those stores, came to the company from Burberry? Or that Apple has lately clarified how it differs from nearly every other tech company by caring almost absolutely about personal privacy? With all that in mind, it’s easy to understand why Apple’s product lineup looks stale. Shirts and skirts are stale too. They’ve also been around for thousands of years, and we’ll never stop Continue reading "Apple is a clothing company"

OpenID Certification Progress Report at CIS 2016

OpenID logoI gave an invited presentation on OpenID Certification at the 2016 Cloud Identity Summit (CIS) this week. I used the presentation as an opportunity to inventory what we’ve achieved with the certification program since its launch in April 2015, and while the numbers are impressive in and of themselves (90 profiles certified for 28 implementations by 26 organizations, with new certifications in May by Clareity Security, Auth0, and Okta), there’s a deeper impact that’s occurring that the numbers don’t tell. The new thing that’s happening this year is relying parties are explicitly asking identity providers to get certified. Why? Because certified implementations should “just work” – requiring no custom code to integrate with them, which is better for everyone. This network effect is now in play because it provides business value to all the participants. While I’ve spoken about certification about 10 times since the launch, this presentation is different
Mike presenting at CIS 2016
Continue reading "OpenID Certification Progress Report at CIS 2016"

OpenID Connect Discussions at EIC 2016

OpenID logoOn May 10, during the OpenID Workshop at the 2016 European Identity and Cloud (EIC) conference, I gave a status update on the OpenID Connect working group to the 46 workshop attendees, including continued progress with OpenID Certification. You can view the presentation in PowerPoint or PDF format. While I was happy to report on the working group activities, what I really enjoyed about the workshop was hearing many of the attendees telling us about their deployments. They told us about several important OpenID Connect projects each in Europe, Australia, South America, North America, and Asia. Rather than coming to learn what OpenID Connect is, as in some past EIC workshops, people were coming to discuss what they’re doing. Very cool!

Toward an ethics of influence

2016-05-02berkman Stop now and go to TimeWellSpent.io, where @TristanHarris, the guy on the left above, has produced and gathered much wisdom about a subject most of us think little about and all of us cannot value more: our time. Both of us will be co-investing some time tomorrow afternoon at the @BerkmanCenter, talking about Tristan’s work and visiting the question he raises above with guidance from S.J. Klein. (Shortlink for the event: http://j.mp/8thix. And a caution: it’s a small room.) So, to help us get started, here’s a quick story, and a context in the dimension of time…
Many years ago a reporter told me a certain corporate marketing chief “abuses the principle of instrumentality.” Totally knocked me out. I mean, nobody in marketing talked much about “influencers” then. Instead it was “contacts.” This reporter was one of those. And he was exposing something
googletrends-influencer
googletrends-influencer-marketing
Continue reading "Toward an ethics of influence"

The Data Bubble redux

It didn't happen in 2010, but it will in 2016.

It didn’t happen in 2010, but it will in 2016.

This Post ran on my blog almost six years ago. I was wrong about the timing, but not about the turning: because it’s about to happen this month at the Computer History Museum in Silicon Valley. More about that below the post.
_________________

The tide turned today. Mark it: 31 July 2010.

That’s when The Wall Street Journal published The Web’s Gold Mine: Your Secrets, subtitled A Journal investigation finds that one of the fastest-growing businesses on the Internet is the business of spying on consumers. First in a series. It has ten links to other sections of today’s report.

It’s pretty freaking amazing — and amazingly freaky, when you dig down to the business assumptions behind it. Here is the rest of the list (sans one that goes to a linkproof Flash thing):

Here’s the gist:

The Journal conducted a
Continue reading "The Data Bubble redux"

Mercy for the bereaved

I didn’t know Dave Goldberg, but I can’t count all the friends and relatives who were close to him. By all their accounts, he was a brilliant and wonderful guy, much loved and respected by everybody who knew and worked with him. Along with the rest of the world, I await word on what happened. So far that word hasn’t come. But it hasn’t stopped speculation. For example, this post by Penelope Trunk, which imagines a worst-possible scenario — or a set of them — on the basis of no evidence other than knowing nothing. And why do we know nothing? Put yourself in Dave’s wife’s shoes for a minute. You’re a woman on vacation with your husband, to a place where nobody knows you. Then your husband, healthy and just 47 years old, dies suddenly for no apparent reason. What do you do, besides freak out? First you deal with the local authorities, which is rarely Continue reading "Mercy for the bereaved"

Perspectives on the OpenID Connect Certification Launch

OpenID Certified logoMany of you were involved in the launch of the OpenID Foundation’s certification program for OpenID Connect Implementations. I believe that OpenID Certification is an important milestone on the road to widely-available interoperable digital identity. It increases the likelihood that OpenID Connect implementations by different parties will “just work” together. A fair question is “why do we need certification when we already have interop testing?”. Indeed, as many of you know, I was highly involved in organizing five rounds of interop testing for OpenID Connect implementations while the specs were being developed. By all measures, these interop tests were highly effective, with participation by 20 different implementations, 195 members of the interop testing list, and over 1000 messages exchanged among interop participants. Importantly, things learned during interop testing were fed back into the specs, making them simpler, easier to understand, and better aligned with what developers actually need for Continue reading "Perspectives on the OpenID Connect Certification Launch"

10 Years of Digital Identity!

How time flies! In March 2005 I began working on digital identity. This has by far been the most satisfying phase of my career, both because of the great people I’m working with, and because we’re solving real problems together. An interesting thing about digital identity is that, by definition, it’s not a problem that any one company can solve, no matter how great their technology is. For digital identity to be “solved”, the solution has to be broadly adopted, or else people will continue having different experiences at different sites and applications. Solving digital identity requires ubiquitously adopted identity standards. Part of the fun and the challenge is making that happen. Microsoft gets this, backs our work together, and understands that when its identity products work well with others that our customers and partners choose to use, we all win. Very cool. Those who of you who’ve shared the journey with me have experienced lots of highs and lows. Technologies that have been part of the journey have included Information Cards, SAML, OpenID 2.0, OAuth 2.0, JSON Web Tokens (JWTs), JSON Web Signing and Encryption (JOSE), and OpenID Connect. Work has been done in OASIS, the Information Card Foundation, the OpenID Foundation, the Open Identity Exchange (OIX), the Liberty Alliance, the IETF, the W3C, the FIDO Alliance, and especially lots of places where the right people chose to get together, collaborate, and made good things happen – particularly the Internet Identity Workshop. It’s worth noting that this past week the Internet Identity Workshop held its 20th meeting. They’ve been held like clockwork every spring and fall for the past 10 years, providing an indispensable, irreplaceable venue for identity practitioners to come together and get things done. My past 10 years wouldn’t have been remotely the same without the past 10 years of IIW. My sincerest thanks to Phil, Doc, and Kaliya for making it happen! I won’t try to name all the great people I’ve worked with and am working with because no matter how many I list, I’d be leaving more out. You know who you are! While we’re all busy solving problems together and we know there’s so much more to do, it’s occasionally good to step back and reflect upon the value of the journey. As Don Thibeau recently observed when thanking Phil Windley for 10 years of IIW, “these are the good old days”.