IIW 2008b Report November , Mountain View Abbie Barbir Nortel OASIS IDtrust Steering Committee

IIW 2008 Take home points..1 Many interactive and important session were proposed covering various topics. Full details at IIW 2008 wiki at Key involvement from Google, M/S, AOL and Yahoo 180 participants Focus was on using the technology in real market deployment. Google is pushing for taking OpenID in combination of other protocols main stream. Google is becomming an OpenID provider. Discovery is deemed to be very important. A 3.5 hour session was conducted on the topic led by Yahoo. Relation to XRDS, XRI and OAuth is important.

IIW 2008 Take home points..2 OAuth authors would like to standarize OAuth at the IETF as opposed to OASIS for various reasons: They do not feel that they will need to pay OASIS so that they can do their work They do work outside their companies as supporters of the work this means that their companies will not be interested in joining OASIS IPR issues need to be solved if they join a TC OASIS rule of having no more two individuals from a single company hinders the abililty of these individuals to join OASIS Some individulas can not afford the $300 fee to join OASIS. A BoF on OAuth was done at the November meeting of IETF A discussion list was established for OAuth Need to encage this community to get them to do work in IDTrust Discussions already started to get them at XRDS TC. Drummond to provide an update. Same problem occurs with the Open Web Foundation People. An OASIS wide policy is need to deal with the issue.

Important Sessions and impacts..1 Google OAuth & Federated Login Research see Goal is to give investigate how OAuth, OpenID, SAML, XRDS, SaaS, Strong/2ndFactorAuth, InformationCards, CardSpace, OpenSocial, Portable Contacts, WS-*, Geneva,.. technologies fit together Direct reserach on user login aspects and go to market strategies Requires IDTrust to focus on Social network aspects and OAuth in addition to XRI/XRDS. Google Strong Auth Usability and Demos was also covered see videos at

Important Sessions and impacts..2 Effort underway to standardize Portable Contacts – contact schema; discovery / auth; common operations – Focused on ease & speed of adoption – Active involvement from large & small players – More info & current draft spec: – IDTrust need to see what role it can play here

OpenID Authentication has been finalized; bunch of implementations; found lots of spec bugs Core specification can support oauth and addresses Current focus om making spec more readable, fixing bugs (eratta) and a security appendix Working on clarifying XRI Currently there's no firm message about whether RPs MUST support XRIs or not. Need to clarify how exactly XRI should be used with OpenID. Clarify if RPs can white or blacklist what OPs they accept, and vice-versa. Discovery of type of identifiers an RP supports. Updating discovery. Possibly including the XRD discovery. Clarifying whether association over SSL must/can use diffie-hellman. Exploratory work: Signature mechanisms. Looking at additionally supporting the mechanisms defined in OAuth so that they can be closer together. Possibly deprecating the current signature mechanism. Use of Public keys? Need coordination with them and see what they want to do with OpenID. Same participation problems like the OAuth

Browser Extension Convergence Quick inventory of the existing browser extensions: Firefox: Sxipper (OpenID, UN/PW), Higgins: HBX4FF (I-Card), OpenInfoCard (I-Card), DigitalMe (I-Card), OpenLiberty (SAML), Verisign Seatbelt (OpenID), IDIB (OpenID…) IE: Microsoft’s I-Card built-in, Higgins: HBX4IE A list of protocol “families” that each extension should support: Username/Password (Form-based, HTTP Auth, WS-Security) OpenID (OpenID, SAML); I-Card (ISIP‡IMI-TC) Kerberos; SAML (SAML SSO, SAML ECP) Browser-native add-on/extension/plug-in Flash, Java, Gears, Silverlight Browser Support for RP Auth Discovery Everyone agreed that creating common specs for this was a good idea. Could use XRDS as the basis for discovery of a relying party (RP) site’s authentication support for multiple protocols. The RP site would publish an XRDS document that would allow a “smart client” (well, a browser extension) to discover information about what protocols were supported and how they might be used to authenticate to the site. Possible new work in IDTRust

Need for a Common Terminology Exploring the Construction of Online Identity & Definition of Terms. IDTrust can take a lead role here. ITU-T has a current up to date document.

Conclusion Very Important event Need to keep involved OASIS was mentioned a lot in the meeting, the message is going forward to consider OASIS as an SDO Many opportunities to get involved Main obstacle is how this community can do their work in OASIS.