Internet Identity Workshop #11

I sampled the program of the 11th Internet Identity Workshop (unconference) held at the Computer Museum in Mountain View (the 2nd this year, see my notes from IIW10, also in MTV).

OAuth 2.0:

  • The spec still needs work on the Security Considerations section before it can be finally approved; contributors are sought
  • Some early adopters have voiced issues around endpoints that must support both the 1.0 and 2.0 profiles at once
  • Mike Jones has taken over part of the spec process (bearer token usage), which will be packaged as a separate profile (and RFC)
  • JSON Web Token (JWT) defines a specific token format: the claims are encoded as a JSON object, which is then digitally signed
  • Are the lessons learned from SAML usage being properly leveraged?
  • What would it take for OAuth to be adopted in the enterprise (Kerberos being the obvious benchmark)? What’s missing in OAuth to pass enterprise or DoD vetting (e.g., what is the minimum entropy for the verification code)?
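As an added example (not from the session, the spec editors or the page author), here is the token format the JWT bullet describes, using only the Python standard library: header and claim set are JSON objects, base64url-encoded without padding, joined with dots, and the MAC covers the first two parts. The verifier pins the algorithm to HS256 rather than trusting the token's own `alg` field, compares the MAC in constant time, and enforces `exp`. The key, claim values and clock values are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data):
    # JWT uses base64url without the trailing '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    # Restore the padding stripped at encoding time before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_encode(claims, key):
    """Build a compact HS256 JWT: base64url(header).base64url(claims).base64url(mac)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    )
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def jwt_verify(token, key, now=None):
    """Return the claims if the token is valid; raise ValueError otherwise.

    The verifier decides the algorithm (HS256 only) instead of trusting the
    token's own "alg" field, so a token rewritten with alg "none" or a
    different algorithm is rejected before any signature check.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three dot-separated parts")
    header_b64, claims_b64, mac_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(
        key, (header_b64 + "." + claims_b64).encode("ascii"), hashlib.sha256
    ).digest()
    # Constant-time comparison avoids leaking where the MAC first differs.
    if not hmac.compare_digest(expected, b64url_decode(mac_b64)):
        raise ValueError("signature check failed")
    claims = json.loads(b64url_decode(claims_b64))
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= int(claims["exp"]):
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    # Constructed demo values: a throwaway key and a short claim set.
    demo_key = b"demo-secret-do-not-use"
    token = jwt_encode({"iss": "https://op.example", "sub": "alice", "exp": 2000}, demo_key)
    print(token)
    print(jwt_verify(token, demo_key, now=1000))
```

Real deployments add `iss`/`aud` checks and key lookup by `kid`; the point here is that the verifier, not the token, chooses the algorithm, and that a valid MAC is necessary but not sufficient (expiry still applies).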

OpenID:

  • Several reports on user experience testing
  • PayPal described its experience as an OpenID provider. It contributes high-quality identity data points such as a verified/certified shipping address. A client can override the shipping address, but doing so affects the risk rating
  • There is now an OpenID retail advisory committee (RAC)
  • OpenID Connect (OpenID redux atop OAuth 2.0) is a work in progress that extends OpenID by carrying profile data and the like (e.g., Portable Contacts and Activity Streams) along across sites

Microsoft’s U-Prove certificates:

  • The intellectual property stems from an acquisition two years back
  • The protocol specification was published in March 2010 (at the RSA conference). An open source SDK exists
  • It is a new kind of certificate that permits presenting only a subset of the claims it carries, while what is presented remains cryptographically verifiable
  • Value props include: minimal disclosure, derived claims (e.g., from a date of birth to a 21-or-older claim), unlinkable claims (like coins, unlike bills), negation claims (I’m not on that list)
  • Proponents anticipate an ecosystem that works for government agencies (e.g., the DMV), enterprises, consumers and devices

Personal data stores (PDS):

  • It’s the utopian place where I could manage all web data concerning yours truly, whether stored by value or by reference
  • Example: my search results going back one or three years
  • Value props include: empowering consumers to manage the data value chain (or deliberately delegate it); centralizing and enforcing a permission regime (e.g., minting a nonce to grant access to my PDS); finding like-minded consumers; data portability and exchange across multiple PDSs; higher-quality and quicker scoring

Email is not dead just yet:

  • Idea: use it as the pervasive, common-denominator transport (SMTP) and repository (folders) for seamless federation of social networks
  • Key concepts were demonstrated in the Mr. Privacy research effort by the MobiSocial team at Stanford
  • WebFinger resolves an email address into a set of machine-friendly service endpoints
  • Inbound email can trigger an extensible set of action handlers (as calendaring tools or Xobni already do)
  • Potential use of OAuth for folder-level access
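An added example of the WebFinger resolution step from the bullet above (my illustration, not code from the MobiSocial team or the page author). It uses the JSON (JRD) form served at `/.well-known/webfinger`, as later standardized in RFC 7033, rather than the XRD/host-meta flavour current at the time of the workshop; that choice is an assumption. It builds the query URL for an email-style identifier and parses a response into `rel -> endpoints`, keeping two checks a client should not skip: the document must be about the resource that was asked for, and only `https` endpoints are accepted. The sample JRD is constructed, no network request is made, and the `http://example.com/rel/feed` rel is a made-up value used only to show the scheme filter.

```python
import json
from urllib.parse import quote, urlsplit

# Rel values from the WebFinger and OpenID Connect Discovery specs.
REL_OIDC_ISSUER = "http://openid.net/specs/connect/1.0/issuer"
REL_PROFILE_PAGE = "http://webfinger.net/rel/profile-page"


def acct_uri(email):
    """Normalise a user@host identifier to the acct: URI WebFinger expects."""
    local, sep, host = email.strip().rpartition("@")
    if not sep or not local or not host:
        raise ValueError("not a user@host identifier: %r" % email)
    # Host names are case-insensitive; the local part is left untouched.
    return "acct:%s@%s" % (local, host.lower())


def webfinger_url(email, rels=()):
    """Build the RFC 7033 query URL; 'rel' filters are optional."""
    resource = acct_uri(email)
    host = resource.rpartition("@")[2]
    url = "https://%s/.well-known/webfinger?resource=%s" % (host, quote(resource, safe=""))
    for rel in rels:
        url += "&rel=" + quote(rel, safe="")
    return url


def parse_jrd(body, resource):
    """Map rel -> [href, ...] from a JRD response body.

    Two sanity checks: the document must describe the resource we asked for
    (as subject or alias), and only https endpoints are kept, since a plain
    http: endpoint learned over the network could be swapped by an on-path
    attacker before the client ever talks to it.
    """
    jrd = json.loads(body)
    identities = {jrd.get("subject")} | set(jrd.get("aliases", []))
    if resource not in identities:
        raise ValueError("JRD subject %r does not match %r" % (jrd.get("subject"), resource))
    endpoints = {}
    for link in jrd.get("links", []):
        rel, href = link.get("rel"), link.get("href")
        if not rel or not href or urlsplit(href).scheme != "https":
            continue
        endpoints.setdefault(rel, []).append(href)
    return endpoints


# Constructed sample response, not captured from any real server.
SAMPLE_JRD = json.dumps({
    "subject": "acct:alice@example.com",
    "aliases": ["https://example.com/people/alice"],
    "links": [
        {"rel": REL_OIDC_ISSUER, "href": "https://op.example.com"},
        {"rel": REL_PROFILE_PAGE, "type": "text/html", "href": "https://example.com/people/alice"},
        # Made-up rel with a plain-http href: dropped by the scheme filter.
        {"rel": "http://example.com/rel/feed", "href": "http://feeds.example.com/alice"},
    ],
})


def resolve_offline(email, body=SAMPLE_JRD):
    """Resolve an address against an in-memory JRD. A real client would GET
    webfinger_url(email) over TLS and pass the response body in here."""
    return parse_jrd(body, acct_uri(email))


if __name__ == "__main__":
    print(webfinger_url("alice@example.com", [REL_OIDC_ISSUER]))
    print(resolve_offline("alice@example.com"))
```

The subject check matters because a WebFinger response is fetched from the host named in the identifier; a server that answers for a different subject, or a cached response for another user, should not be used to pick an OpenID provider for the address in hand.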
