IIW 2008b Report
November 10-12 2008, Mountain View

www.oasis-open.org

Abbie Barbir (abbieb@nortel.com)

Nortel

OASIS IDtrust Steering Committee

IIW 2008 Take home points ..1

Many interactive and important sessions were proposed, covering various topics. Full details are on the IIW 2008 wiki at http://iiw.idcommons.net/Notes_08b

Key involvement from Google, M/S, AOL and Yahoo

180 participants

Focus was on using the technology in real market deployment.

Google is pushing to take OpenID, in combination with other protocols, mainstream. Google is becoming an OpenID provider.

Discovery is deemed to be very important. A 3.5 hour session was conducted on the topic led by Yahoo. Relation to XRDS, XRI and OAuth is important.


IIW 2008 Take home points ..2

OAuth authors would like to standardize OAuth at the IETF as opposed to OASIS for various reasons:

– They do not feel that they will need to pay OASIS so that they can do their work

– They do work outside their companies as supporters of the work; this means that their companies will not be interested in joining OASIS

– IPR issues need to be solved if they join a TC

– The OASIS rule of having no more than two individuals from a single company hinders the ability of these individuals to join OASIS

– Some individuals cannot afford the $300 fee to join OASIS.

A BoF on OAuth was done at the November meeting of IETF

A discussion list was established for OAuth

Need to engage this community to get them to do work in IDTrust

Discussions already started to get them at XRDS TC. Drummond to provide an update.

Same problem occurs with the Open Web Foundation people. An OASIS-wide policy is needed to deal with the issue.


Important Sessions and impacts..1

Google OAuth & Federated Login Research, see http://sites.google.com/site/oauthgoog/

Goal is to investigate how OAuth, OpenID, SAML, XRDS, SaaS, Strong/2ndFactorAuth, InformationCards, CardSpace, OpenSocial, Portable Contacts, WS-*, Geneva, .. technologies fit together

Direct research on user login aspects and go-to-market strategies

Requires IDTrust to focus on social network aspects and OAuth in addition to XRI/XRDS.

Google Strong Auth Usability and Demos was also covered, see videos at http://sites.google.com/site/oauthgoog/UXFedLogin/strongauthvideos


Important Sessions and impacts..2

Effort underway to standardize Portable Contacts

– contact schema; discovery / auth; common operations

– Focused on ease & speed of adoption

– Active involvement from large & small players

– More info & current draft spec: http://portablecontacts.net

– IDTrust needs to see what role it can play here


OpenID Authentication 2.1

2.0 has been finalized; bunch of implementations; found lots of spec bugs

Core specification can support OAuth and email addresses

Current focus on making the spec more readable, fixing bugs (errata) and a security appendix

Working on clarifying XRI

Currently there's no firm message about whether RPs MUST support XRIs or not. Need to clarify how exactly XRI should be used with OpenID.

Clarify if RPs can white or blacklist what OPs they accept, and vice-versa. Discovery of type of identifiers an RP supports.

Updating discovery. Possibly including the XRD discovery.

Clarifying whether association over SSL must/can use Diffie-Hellman.

Exploratory work:

Signature mechanisms. Looking at additionally supporting the mechanisms defined in OAuth so that they can be closer together.

Possibly deprecating the current signature mechanism. Use of public keys?

Need to coordinate with them and see what they want to do with OpenID. Same participation problems as with OAuth.

Browser Extension Convergence

Quick inventory of the existing browser extensions:

Firefox: Sxipper (OpenID, UN/PW), Higgins: HBX4FF (I-Card), OpenInfoCard (I-Card), DigitalMe (I-Card), OpenLiberty (SAML), Verisign Seatbelt (OpenID), IDIB (OpenID…)

IE: Microsoft’s I-Card built-in, Higgins: HBX4IE

A list of protocol “families” that each extension should support:

Username/Password (Form-based, HTTP Auth, WS-Security)

OpenID (OpenID, SAML); I-Card (ISIP → IMI-TC)

Kerberos; SAML (SAML SSO, SAML ECP)

Browser-native add-on/extension/plug-in

Flash, Java, Gears, Silverlight

Browser Support for RP Auth Discovery

Everyone agreed that creating common specs for this was a good idea. XRDS could be used as the basis for discovery of a relying party (RP) site’s authentication support for multiple protocols. The RP site would publish an XRDS document that would allow a “smart client” (well, a browser extension) to discover information about what protocols were supported and how they might be used to authenticate to the site.

Possible new work in IDTrust
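
The RP discovery idea above, sketched as an added example (not from the report or from any spec discussed at IIW): a client parses an RP-published XRDS document, orders the services by XRDS priority, and refuses DTDs and endpoints that are not HTTPS on the publishing host. The `urn:example:` type URIs, the `rp.example` host and the same-host policy are assumptions; only the XRD namespace and the OpenID 2.0 `return_to` type are real identifiers.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XRD = "{xri://$xrd*($v*2.0)}"  # XRD 2.0 namespace used inside XRDS documents

# Constructed sample of what an RP could publish. The urn:example: types are
# hypothetical; the return_to type is the OpenID 2.0 RP discovery type.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="20">
      <Type>http://specs.openid.net/auth/2.0/return_to</Type>
      <URI>https://rp.example/openid/return</URI>
    </Service>
    <Service priority="10">
      <Type>urn:example:rp-auth:i-card</Type>
      <URI>https://rp.example/icard/login</URI>
    </Service>
    <Service>
      <Type>urn:example:rp-auth:saml-sso</Type>
      <URI>http://rp.example/saml/acs</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""


def discover_rp_auth(xrds_text, site_host):
    """Return (accepted, rejected) lists of (priority, type, uri) tuples."""
    # Refuse DTDs outright so entity-expansion tricks never reach the parser.
    if "<!DOCTYPE" in xrds_text or "<!ENTITY" in xrds_text:
        raise ValueError("DTD or entity declarations are not accepted")
    root = ET.fromstring(xrds_text)
    accepted, rejected = [], []
    for svc in root.iter(XRD + "Service"):
        prio = svc.get("priority", "")
        # Lower value wins in XRDS; a missing priority sorts last.
        prio = int(prio) if prio.isdigit() else float("inf")
        types = [c.text.strip() for c in svc if c.tag == XRD + "Type" and c.text]
        uris = [c.text.strip() for c in svc if c.tag == XRD + "URI" and c.text]
        for t in types:
            for u in uris:
                p = urlparse(u)
                # Assumed policy: HTTPS only, and on the host that published it.
                ok = p.scheme == "https" and p.hostname == site_host
                (accepted if ok else rejected).append((prio, t, u))
    accepted.sort(key=lambda e: e[0])
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = discover_rp_auth(SAMPLE_XRDS, "rp.example")
    for entry in ok:
        print("use   ", *entry)
    for entry in bad:
        print("reject", *entry)
```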


Need for a Common Terminology

Exploring the Construction of Online Identity & Definition of Terms. IDTrust can take a lead role here. ITU-T has a current up to date document.


Conclusion

Very Important event

Need to keep involved

OASIS was mentioned a lot in the meeting, the message is going forward to consider OASIS as an SDO

Many opportunities to get involved

Main obstacle is how this community can do their work in OASIS.