.Nat Zone

Re: OpenID provider imploding, chaos coming?

Yet another OpenID provider is going under. On Sept. 30 when Six Apart officially shuts down VOX, a blogging site and an OpenID provider.

I have been dealing with this issue for many years, and have been blogging, speaking etc. for many years. (e.g., Identity 2.0 and Mydentity, Identity Loss with OpenID 2.0 ).

This is not a problem that technology alone can solve. It neither is a problem unique to OpenID. Any third party provided identity have this “feature.”

XDI.org has been dealing with it for many years. Last year, several OpenID provider shut down its services. However, some classes of OpenIDs survived it. They were members of XDI.org, where they escrowed user data etc. so that the transition from one …

Is expressing Levels enough for LoA2+?

LoA stands for Level of Assurance.

Most popular reference to this idea may be OMB M04-04 and NIST SP800-63.

Essentially, it classifies the identities into four categories from Level 1 to Level 4, where Level 4 stands for higher assurance. For internet commerce, generally, Level 2 or so is required. This can be applied to third party provided identities as well, but the use of such identities over Level 2 seems to be quite rare yet. Some of the notable exceptions in the field of OpenID are Japan Airlines (JAL), Rakuten, and KDDI in Japan.

Part of the reason for the market for third party provided identity failing is information asymmetry. This can be addressed by such efforts like Open …

How to Set Up OpenID on Your Own Domain with fallback proivder

Saw Gina Tripani’s followup post to Chriss Messina’s comments on This Week in Google.

http://smarterware.org/6286/how-to-set-up-openid-on-your-own-domain/

It is very good to hear that people turns out to like the “delegation[1]” feature.

In the article Gina says:

I’m not sure yet how to set Idproxy as my “fallback” provider just yet; if you know how to do that, post it up in the comments.

John Bradley posted a reply there, but the sanitization of the comment system seem to be eating up important portions and making it hard to use. So, here is my attempt to explain it.

How to set up OpenID for your domain with fallback provider

(1) Create an XRDS file like this:

<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
<XRD>
…

OAuth 2.0: Scope Params and access_token format

Current draft of OAuth 2.0 http://datatracker.ietf.org/doc/draft-ietf-oauth-v2/ does not seem to define a standard way of defining “scopes”. It is totally Authorization Server dependent. If it were to act as a distributed system, this has to be standardized.

Also, the scope may require dynamic input parameters. The current spec draft does not specify it either. In fact, scope is nothing but the input parameter for the access_token right now.

The better approach, IMHO, is to define a generic way of what has been requested, instead of just defining proprietary “scope” strings.

For example, instead of defining an Authorization Server specific scope string for “Contact/Home”, define it as a generic registered string, such as “og”, so that one can specify it as …

OAuth 2.0 Extension Mechanism Proposal

Defining an Extension Mechanism for both request and response would generally be useful.

Some basic design principles:

No name space through type URI: fixed registered string for extensions.
e.g., for Open Graph, perhaps use og:variable_names OR og_variable names
where either “og:” or “og_” is the type prefix. (I kind of prefer ”:” over “_” as
a separator since in CGI “-” and “_” will be identical, and in PHP GPC parameters
”.” and “_” are identical. Also, we are using “_” in the variable names already. )

No cross interactions with other extensions

I think it should be added as Chapter 7 or so, which means Security …

OAuth 2.0 Mobile WebApp Flow

In February, I have posted an article about oauth_wrap mobile webapp profile.
Now that it is unified to OAuth 2.0 drafts, here is another shot:

I have further simplified the flow by talking to Breno and John.

Here it is:

(Fig. XX)
How is that?!

The major difference between Web App Profile is that it creates a request file that captures all the parameters in JSON format at “request_url”. Then, instead of sending parameters over the redirect, it sends this “request_url” over the redirect. The rest is more or less the same.

Here is a suggested text:

3.11 Mobile Web App Flow

The moble web app flow is a user delegation flow suitable for clients
capable of interacting with the end-user’s user-agent …

OpenID AB and Attributes - OpenID Connect?

So, when the sun rises, it is the 10th IIW day.

I hoped to prepare more, but with the current ill-health, this probably is the most I could.

Here is the new version of OpenID Artifact Binding (AB) .

Repository: http://bitbucket.org/openid/ab/

Browser Friendly Cache: HERE

For those of you who do not know, OpenID/AB is a chartered Working Group at the OpenID Foundation, and aims to create another binding for OpenID, so that it is

More Secure so that it can go all the way up.
Browser URL length limit friendly.

In addition, we have been targeting to make it

Very easy to write libraries, only with standard libraries
Very easy to implement for RP. For lower assurance RPs, …

Re: XAuth: First Take

Since the site did not accept the comment…

This is a reply to: http://eternallyoptimistic.com/2010/04/20/xauth-first-take/

XAuth seems to be nothing but a shared cookie, so it may not be a single point of failure. The RPs do not seem to communicate with the xauth.org so it should not be a critical problem even if the server was failing. At the very worst, the RP has to show all the NASCAR icons. That is all.

At the same time, it would have an interesting (not fun) security implications on a shared computer, but I have not done the analysis yet.

And right, I feel that it is taking user out of the cycle as well. It would have been much better if it just …

OASIS Open: Submission of requests for Reviews etc.

Just a personal memo on OASIS process as one of the TC chair, but OIDF should develop this kind of chart as well, I think.

Due to an ever-increasing workload I must ask that each request be sent in a separate e-mail message unless related to a single, multi-part specification. As a reminder, a chart showing exactly what needs to be included with each request can be seen here:
http://docs.oasis-open.org/templates/MindMaps/TCAdminRequestNotices/index.html

To ensure the quickest possible handling of your request, make sure to
1. review the checklist: http://docs.oasis-open.org/templates/QAChecklistV3.html
2. Include the requisite information in the request:
http://docs.oasis-open.org/templates/MindMaps/TCAdminRequestNotices/index.html
3. do not include more than 1 document in any single request.

Thank you for understanding.

Regards,

Mary

OAuth Wrap Mobile Web App Profile?

The wrap_scope, especially when it is determined dynamically using standard vocabulary such as something similar to OpenID AX, can become quite big. Under such circumstances, we may hit the browser/server constraint on URL and HTTP header. This is more acute in the mobile scenario.

Lucky thing is that it is trivial to create an Mobile friendly profile / binding of OAuth Wrap, since it is almost done. It suffices just to introduce a request artifact.

Here is the flow:

(fig.1) Wrap Mobile Web Profile

Of course, details need to be nailed down, but the basic flow should be it.

People may criticize that it introduce state in the AuthzServer. It may, but it is not necessarily so. Since the AuthzServer knows …

CX on OAuth WRAP

Like there can be OpenID GET/POST and Artifact Binding for CX, there can be WRAP binding as well. It is fairly trivial, arguably more trivial than to define OpenID bindings.

Send CX proposal as an additional parameter on the Verification Code Request. Use wrap_client_id as the proposer’s identifier.
On the PoP verification page, display the terms and conditions included in the proposal.
Create the Verification code from the signature of the proposal and some nonce and random.
Web App Client sends the proposal again as an additional parameter on Access Token Request.
Sign the proposal to create the contract, serialize it with Base64 without line end, and return it as the access token on Access Token Response.

That’s all.

Why is the Artifact 400 bytes?

In the current Artifact Binding manuscript, the artifact is being defined as a string shorter than 400 bytes. Some people asked why 400 and not 512, which is the limit of some mobile browsers?

The answer is that we use 80 bytes in the fixed string:

?openid.ns=http://specs.openid.net/auth/2.0&openid.mode=art_res&openid.artifact=

Suppose we use 400 bytes in Artifact. Then, the total is 480 bytes.
That leaves 32 bytes to the non-query portion of the URL.

Attribute Type URI and Script Type

There has been some talk around Attribute Type URI couple of months ago in OpenID mailing lists. Unless we define a set of widely agreed Type URIs, we will not be able to transfer attributes insuperably. Chris Messina’s summary document on various type URI is very helpful to compare these.

There however is one thing that these specs are missing. The Script types and the language.

Unlike most Western language, some language like Japanese have many scripts within itself. For example, we use “Kanji”, “Katakana”, “Hiragana”, “Romaji (alphabet)” as four distinctive scripts. Often, we are required to supply name and address both in Kanji and Katakana or Hiragana, because without Katakana or Hiragana, you really do not know how to …

Essence of Contract Exchange

Abstract
This article describes the concept of (abstract) Contract Exchange, and then discusses the OpenID Binding and Use of the Contracts as Access Tokens. At the end, it also provides a mapping table to User Managed Access (UMA) Terminologies.

About Contract Exchange

Contract Exchange (CX) is a protocol to exchange the signed contract dynamically among the entities in the network. It uses Public Key based signature, so it achieves certain degree of the non-repudiation and ability to prove. Thus, e-commerce etc. should benefit from it. In addition, since it can capture the purpose of the use, condition of the use, provisioning method etc. for the data/attributes, it can be used to achieve the server to server exchange of the data.

Draft OpenID …

OAuth Wrap Web App Profile Summary

Here is the Sequence Diagram of OAuth Wrap Web App Profile (Section 5.4).

Hope the spec to include such instead of legacy ascii diagram…
websequencediagrams.com source would do.

Notes:

wrap_client_id and wrap_client_secret are provisioned from the AuthzServer to the WebAppClient in advance.
An Access Token is an opaque string whose format is agreed upon between the Resource and AuthzServer. It acts as a Bearer Token.
All the communication is done over HTTPS so signatures are said to be unnecessary. (I am skeptical on it though. [*1])

[*1] Security Questions

It might be because I have not spent too much time on this protocol, and I was writing this (original Japanese version) at 2:00AM, I have some questions on the security characteristics.

UA …

OpenID Provider Selection Protocol?

In case when the site want to use OP Identifier, the site typically shows list of icons of the OPs. This list grows quickly and results in User Interface Nightmare a.k.a. “Nascar Problem”.

Various people have been working on this, such as IDIB efforts and some Infocard integration, but to me, there seems to be even simpler solution.

I have been wondering why nobody proposes this.
It is extremely simple.

Simply add your OP Identifier to the end of User Agent string, separated by semi-colon. For example, if you are using Safari, and if your OP is mixi.jp, then it would be like:

Mozilla/5.0 (Windows; U; Windows NT 5.1; ja-JP) AppleWebKit/531.9 (KHTML, like Gecko) Version/4.0.3 Safari/531.9.1;op=mixi.jp

Creating custom header in IE …

Sequence Diagram for Artifact Binding

Based on https://openid.pbworks.com/OpenIDwithArtifactBinding

OpenID Process Change

Finally!

I am glad to write that OpenID Foundation Board has approved the change in the OpenID Process document so that a working group can be started without membership vote.

The change itself requires membership vote, so the notice will go out soon, and it is a month or more away for the new process to get effective, but once that is done, we can spin up WGs pretty quickly. That would certainly help AX 2.0, Auth 2.1 etc.

Re: Is OpenID User Centric?

As I was not able to login to comment on Johannes’s blog…

It is about this entry “Is OpenID User Centric?”.

Johannes’s comment that OpenID being “http://netmesh.info/jernst/digital_identity/is-openid-still-user-centric” is very apt. This is one use case that OpenID is supposed to serve.

The other use case that it is serving right now is the Web SSO.

As a “personal/business card”, you do not need privacy. You do not want privacy. You want to reveal that it was you, and you want to be tracked.

In Web SSO case, you might or might not want to be tracked.

For User Centric thing, I believe that the user should control one’s XRD. Then, I can use Yahoo! or Google as authentication service that provide …

OpenID BizDay #4

I have not been reporting this, but apart from TechNight and BizDay, we are having several discussion groups going on and meetings are getting more like “weekly” than “monthly”. OK. That is not an excuse not writing them here. I will try to be more timely.

Today, I want to report the following:

OpenID BizDay #4

Date: Sept. 25, 2009 (Fri) 14:30 - 16:30
Venue: Vila Fontaine Shiodome Meeting room 2,3
1-9-2 Shinbashi, Minato-ku, Tokyo 105-0021
JAPAN
http://www.sumitomo-rd.co.jp/vf/shiodome/conference/map.html

Program:
“Application of OpenID at NTTCom”
Kazuhiro Kitamura, General Manager, Net Business Div.
NTT Communications Corp.

“gooID that grows with customers”
Yasushi Tsuruki, Manager, Service Dept., Media Div.
NTT Resonant Inc.