=nat: Digital Identity Blog

Et tu Paperboy.

paperboy&co. in Japan started to accept OpenID for its online bookmark service today.

Unfortunately, it only accepts OpenID provided by:

- OpenID.ne.jp
- Yahoo! JAPAN
- livedoor
- hatena
- JugemKey

Why do those services do white listings?

Does it add value? NO. All these are free services, and you can make any number of OpenID with these providers. Then, why bother whitelisting to them?

Clearly, whitelisting does not go with the original philosophy of OpenID.

I hope that this “white listing” boom will find its end soon.

But for it, I guess we need some workable reputation framework…

OpenID Dinner @ Basel

From Left to Right:

=nat, Robert Ott (OpenID Switzerland*), David Reindl (OpenID Switzerland), Martin Paljak (OpenID Estonia), Snorri Giorgetti (OpenID France, OpenID Europe, Chaiman).

It was a six course dinner.
Drink started with Clemont(?) de Alsace, a Swiss white wine, which I do not remember the name, then Mouton Cadet.

* Yet to be formed.

OpenID Foudation Japan Announcement Huge Success

So, this morning, on the 28th, we have made an annoucement on plan to form the OpenID Foundation, Japan Chapter.

45 reporters from 37 magazines and news papers showed up for the press conference and numerous articles were published on it, that it made into the top page of the Google News with a photo.

As of now, over 27 articles were written at various places.

Are National ID Cards Going to Snuggle Up With OpenID?

The REAL ID Act of 2005 is said by some to pave the way for a United States National ID Card and has come under heavy criticism from a wide range of people in the US. Some recent developments indicate that a National ID card could be tied to the federated authentication standard called OpenID.

At the most basic level, this would mean that you could sign in with your National ID card to all the websites where today you can login with a Yahoo! or AIM or other OpenID. Hmmm…

Are National ID Cards Going to Snuggle Up With OpenID?

IMHO, the government forcing the use of the Veronym and centralized government operated OpenID is a bad thing.

However, if it is …

OpenID Compatibility

There seem to be some compatibility issues since the rise of OpenID 2.0. For example, something like

http://www.readwriteweb.com/cgi-bin/mt/mt-comments.cgi

does not support OpenID 2.0 nor XRI so that I cannot login to comment…
It does not even support the https://… url.

[OpenID] Board membership limited?

“[OpenID] Board membership limited?” is a title in the general@openid.net mailing list.

It is posing an interesting question.

As it so happens, Bill (the Executive Director of OpenID Foundation, OIDF), states that “Although the foundation will continue recruiting companies of all sizes to support the OpenID standard, it is not likely to add any more board members.”

It seems the rationale behind it is that community and the corporate power has to be balanced as Dick Hardt states:

The community board members want to ensure that the Foundation represents the community, so would like to limit the Corporate board membership, or at least ensure that community board seats balance the corporate board seats – so adding additional corporate board members …

OpenID Foundation Related Links

OpenID Foundation

IPR
- IPR overview
- Why the IPR policy and process
- IPR Non-Assertion Agreements for Entities and Individuals (covers
through OpenID 2.0)
- IPR Policy and Process (for new spec working groups)
- Executed IPR Non-Assertion Agreements (not all from the corporate
board members have been uploaded yet) -

Foundation
- Articles of Incorporation with the state of Oregon (http://openid.net/pipermail/board/2007-May/000274.html)
- Basic policies and procedures -
- Board Meeting Minutes
- Membership agreement

OpenID module for Xoops 2 and Xoopscube ver.0.2

OpenID RP Module for Xoops JP. ==============================Author: Nat Sakimura (=nat)Date: 2008-02-10Copyright: Nat Sakimura (=nat)License: GPLVersion: 0.2PHP OpenID Library: php-openid-2.0.0DOWNLOAD========
http://www.sakimura.org/modules/mydownloads/visit.php?cid=1&lid=8
INSTALL=======1. Unarchive the files under modules/ directory. 2. Define XOOPS_TRUST_PATH somewhere out of the web accessible path in mainfile.php3. Create a foloder “_php_consumer” under XOOPS_TRUST_PATH and change the permission so that it will be writable by the web server. 4. Install the module like other modules. (For XoopsCube, install the block as well.)5. Give access permission to guest group for this module. 6. Install block for all the modules. TODOs=====1. Create Admin Panel for easy maintenance of the OpenIDs. 2. Make 5 and 6 above automagic. 3. Clean up the code4. Replace Dummy Admin screens to real ones. 5. …

Random thoughs on Reputation

Let me make note of my random thougts before I forget.

Reputation needs to have an identifier of somebody being scored.
The same for who is scoring.
For what criteria, this reputation score was made.
For the reputation to be aggregatable, it has to have a distribution that we know about the aggregated distribution (such as normal distribution).
The information about the distribution, including what distribution, mean, and standard diviation must be published together with the score.
Display score must be intuitive for an average person.
Date that score was made
Signature by the score maker

So, the reputation score file should contain:

itemtypee.g.

SubjectID
XRI/URI
=nat

ReputationServiceID
XRI/URI
@myRS

Criteria
Text
Operation quality of this RP

Display Score (Cumulative Percentage)
float
74.2

Score
Float
56.8

Distribution
enum
normal

Mean
float
50

Standard Deviation
float
10

Subject Public Key
String
2fdlafodnewoldfjkaslf …

Date
XMLDATE
2008-02-01T14:34:00Z

Signature
string
af8afsld92dfjdsla…blah…blah…

In the above table, I am proposing to use …

On OpenID Association

Well, I am not talking about “association” in the sense of “organization”. It is the first phase of the OpenID protocol that I am talking about.

As it so happens, in OpenID 2.0, RP after resolving the OP address, requests OP to establish the association by Diffie-Helman. The association needs to be stored at both OP and RP. Also, because of this phase, check_authentication phase is also required.

Perhaps this was necessary in the days of OpenID 1.0, but I feel it to be rather redundant now.

If OP and RP publishes their Public Key in their XRDS, we do not need Association nor check_authentication, I think, simplifying the protocol further, and strengethning the security further with Reputation Service that …

RedMine OpenID authentication

=masaki has completed the integration of RedMine with OpenID.

IIW2007b Day 2

Today, I have presented the concept of Trusted Data Exchange and Reputation Service at iiw2007b.
Am writing an article in iiw wiki, but submit succeeds only sporadically.
Had a problme with Linksafe login, so to create the article, I am using =sakimura which is being hosted at 2idi, but that is me, =nat. This seems to be the problem that was introduced in conjunction with the introduction of CardSpace as one of the authentication method.
Conversations:
with =eekim and =ovdavis: ref linking of inames crossing over the ibroker.
with Ashish Jain: Necessity of Reputation service for the distributed authentication and data exchange service to be useful, esp. on the RP reputation.
with Paul Trevithick: Higgins and the contract format.
with …

Trusted and Flexible Data Exchange for OpenID

My team has been looking at AX etc. for some time whether it can fulfill the needs of our clients. It looks it is kind of hard to. So, we are defining an additional protocol that hooks to AX. Hopefully, I can present it at iiw2007b.

Libery Alliance Day 2007

On the 26th of October, I went to Liberty Alliance Day 2007 in Tokyo. I was invited to the event as a panelar to speak about OpenID at the cocktail reception, but I attended all the other sessions as well as some of the demos.

Panel Discussion in Japan oftern ends up just as a series of presentation, but this time, it was a real panel discussion, which was good.

At the end of the Panel discussion, Mr. Takahashi asked the panelers “What is Digital Identity?”. I was the third person to talk about and by the time it reached me, pretty much was spoken. So, I said “It is a technology that brings Power to the People. ” refering …

Hatena Start Providing OpenID support

Hatena, one of the major Japanese blog provider, started the support of the OpenID.

See http://www.hatena.ne.jp/info/openid for the further details.

As an OP, it provides OpenID in the form of

http://www.hatena.ne.jp/hatena_user_name/

As an RP, it only supports the following OpenID providers.

livedoor
LiveJournal
TypeKey
Vox

As the result, I cannot use their service with my OpenID. This is rather unfortunate.

Whether it is OP or RP, unless we ready the reputation service that measures the trustability of the services quickly, the openess of the OpenID gets hart. Need to sort this out.

PAPE or AQE?

Over the dinner at a Tofu restaurant in Ginza, Tokyo, David Recordon and I discussed on what would be the appropriate way of achieving an OP that provide registration and authentication quality: whether to use PAPE or AQE. David’s recommendation seemed to be PAPE.
Going over the PAPE spec this morning, however, I did not find too much about RA activities. NIST SP800-63 Level 2 and upwards requires identity proofing, but from the PAPE spec, it is not clear if these are required.
Specifically, for openid.pape.nist_auth_level, the spec states “[NIST_SP800-63] corresponding to the authentication method and policies employed by the OP when authenticating the End User”.
The examples following the above statement also talks only about the authentication and not …

OpenID/XRI authentication module for Xoops 2.0.16JP

I have developed and deployed the OpenID/XRI authentication module to this site. (http://www.sakimura.org/en/)
I am pretty sure that there are rough edges, but please have a try and let me know those.
Unfortunately, current server that I use is not too stable so there might be the times that you need to retry 5 min. or so later but … (I think this is the effect of Xen. I do not know how to fix it…)

XRI Resolution 2.0 cycle near completion

Most current working draft has been submit to http://www.oasis-open.org/committees/download.php/24096/xri-resolution-v2.0-wd-11-ed-01.doc
Proposed time schedule to make it Comitte Draft are:

May 31 - Editors Draft 02 (ED02) - content complete version
June 7 - Editors Draft 03 (ED03) - polished version to be submit for comitte approval.
If you have anything to speak up, this is the time to do so!

Estonia to provide OpenID to all its eID holders

This means that over 1,000,000 smart card based OpenIDs will be provided to the Estonian citizen.
Around 80% of Estonian has something called “eID”. They will be provided with unique OpenID with the format open.id.ee/[firstname].[lastname](.number) Example: open.id.ee/martin.paljak
There will be two types of hardware token:
(1) Traditional Smart Card.
(2) GSM sim card.
The service is provided from open.id.ee and the service will be expanded to other EU eID-s (Belgium, Finland, Spain, Portugal).
For details, see: https://open.id.ee/about/english

Talk with Drummond

Talked with Drummond this morning at iiw2007 . Finally getting to know the problem space that he is tackling. I have always been very vague on what he talks on Subject-predicate etc. and graph model etc.
Identifier usually is a pointer to an object and nothing more, but what he is trying to do is to build the relationship expression into the identifier itself.
To illustrate it, he was using

has
has a
is
is a
relationship. The example that he was drawing on was something like this.
=drummond/$is/=drummond.reed=drummond/$is$a/+person=drummond/$has/+name+first/(someref)=drummond/$has/+name+first//"Drummond"=drummond/$has$a/+car
Then he went on to the smplification of later two like
=drumond/+name+first//"Drummond”
According to him, $has and $has$a can be shortcut.
Looks like when “=” and “@” is the first segment, then “/” means “has” or “has …