
New blog location


My new blog posts are going to http://thread-safe.net.  Same URL pointed to Blogger.



I just find livejournal too annoying.

The project I have been working on for the last 6 months is no longer a secret.

Secret Government Project

Today the OpenID Foundation, Information Card Foundation, and the US General Services Administration (GSA) are announcing the pilot program for US gov sites accepting Information Cards, openID, and SAML.

InCommon has been working with the GSA and NIH for a while now so may be less newsworthy, but they are no less a participant.

We have ten Identity Providers who are announcing today their participation in the pilot, and their intention to follow through with certification by one of the "Trust Framework Providers".

GSA Pilot information
Infocard Pilot information
OpenID Pilot information

Chris Messina post

The GSA Information card profile is in the final approval process.
The GSA OpenID profile was approved and released today.

I have been working closely with the Identity providers and the initial government RPs.

Testing has been going on for a while on Test-ID, where there are example endpoints for IdPs to test against.

Participation for Identity Providers is not limited to the ten announced today.

The Foundations will be accepting applications from interested IdPs from around the world.
For those of us who aren't American, the US Government is not restricting this to only US IdPs.

Government agencies collaborate internationally. The NIH is very interested in supporting people from around the world having access to its resources.

I expect that we will see European and other IdPs joining the program shortly.

I have also had conversations with other governments from around the world who are very interested in this model. I expect some of them to develop their own trust frameworks for access to their resources as well.

I am hoping this is a turning point for the adoption of all federated identity technology.

John B.

GSA opens up to open Identity


The GSA held a privacy conference in DC today to discuss the work it has been doing with the OpenID Foundation, Infocard Foundation and InCommon.

The intention is to open government web sites and services to identities provided by commercial providers using open technology.

The test-id.org site has a number of tests for the new profiles for Information Cards and openID.

The OIDF and ICF released a paper on open trust frameworks today.

Identity providers who are interested in participating in the program should contact the respective foundations for more information.

People interested can read the Trust Provider Adoption Process

I am hoping that GSA/ICAM releases the profiles soon so that we can have a full discussion.

John B.

Directed Identity vs Identifier Select


Will Norris has a good post on the difference between Directed Identity and Identifier Select.

I expect more OPs to be supporting pairwise identifiers later this year.

Updates on this in the September timeframe.

John B.


Ruby openID 2.0 library


JanRain posted an update to their popular openID 2.0 library for Ruby today.

I strongly recommend that anyone using this library update to the latest version as soon as possible.

The page to download the latest version is:

http://openidenabled.com/ruby-openid/

John Bradley

The document named identity-1.0-spec-ed-04.pdf
(identity-1.0-spec-ed-04.pdf) has been submitted by Dr. Michael Jones to
the OASIS Identity Metasystem Interoperability (IMI) TC document
repository.

Document Description:
This document is intended for developers and architects who wish to design
identity systems and applications that interoperate using the Identity
Metasystem Interoperability specification.

An Identity Selector and the associated identity system components allow
users to manage their Digital Identities from different Identity Providers,
and employ them in various contexts to access online services. In this
specification, identities are represented to users as Information Cards.
Information Cards can be used both at applications hosted on Web sites
accessed through Web browsers and rich client applications directly
employing Web services.

This specification also provides a related mechanism to describe
security-verifiable identity for endpoints by leveraging extensibility of
the WS-Addressing specification. This is achieved via XML [XML 1.0]
elements for identity provided as part of WS-Addressing Endpoint
References. This mechanism enables messaging systems to support multiple
trust models across networks that include processing nodes such as endpoint
managers, firewalls, and gateways in a transport-neutral manner.


View Document Details:
http://www.oasis-open.org/committees/document.php?document_id=30663

Download Document:
http://www.oasis-open.org/committees/download.php/30663/identity-1.0-spec-ed-04.pdf


-OASIS Open Administration

openID Board Results


I want to congratulate the new board.

I look forward to working with you.

http://openid.net/2008/12/

John Bradley

PAPE 60 Day Public Review ending Dec 21st


A reminder to all those interested in PAPE to get their comments back to the Working Group by Dec 21.

If no changes are required from the comments we receive, the voting for PAPE should start next week.

=jbradley

The OpenID Provider Authentication Policy Extension (PAPE) Working Group recommends approval of PAPE Draft 7 as an OpenID Specification. The draft is available at these locations:

http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-07.html

http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-07.txt



This note starts the 60 day public review period for the specification draft in accordance with the OpenID Foundation IPR policies and procedures. This review period will end on Sunday, December 21st. Unless issues are identified during the review that the working group believes must be addressed by revising the draft, this review period will be followed by a seven day voting period during which OpenID Foundation members will vote on whether to approve this draft as an OpenID Specification.



As background, the proposal to create the working group, which the membership approved, is available at http://openid.net/pipermail/specs/2008-May/002323.html. The specifications council report on the creation of the working group is available at http://openid.net/pipermail/specs/2008-May/002326.html.

Cooler XRI


Not that XRI themselves are not cool in the conventional sense.  Well as cool as an OASIS TC can make them.

What I am referring to is a property of XRI that has been there all along but we are now seeing in a new light thanks to our cooperative efforts with the W3C TAG.

The W3C has created a document, "Cool URIs for the Semantic Web".

In yet another case of great minds thinking alike: XRIs in the form of HXRI meet all the qualifications of "Cool URI" if we change from a 302 redirect to a 303 redirect.

Given that there is no reason for us not to change the redirect type based on the TAG's advice, we are getting closer to a common understanding.

We all now understand that:

* If an "http" resource responds to a GET request with a 2xx response, then the resource identified by that URI is an information resource;
* If an "http" resource responds to a GET request with a 303 (See Other) response, then the resource identified by that URI could be any resource;
* If an "http" resource responds to a GET request with a 4xx (error) response, then the nature of the resource is unknown.

Given this understanding, the "Cool URI" document shows us how to construct URIs for "real-world objects or things".

As it happens every XRI is also about a "thing".  We have attempted to come up with better language than "thing".

I quite like the description used by Stuart Williams of "Platonic ideal", in that when I use the XRI =jbradley to refer to me I am not literally referring to me but to an ideal of me that can be described by meta-data in the same way that a mathematician describes a circle via a formula.
Both myself and any physical circle are crude approximations of the ideal.

Given that the XRI =jbradley names the PI (Platonic ideal) me, how do I use that as a URI?

I can use the proposed sub scheme for a http: XRI and put the relative XRI on a base http: URI:

http://xri.net/=jbradley

Now if this URI returns a 303 and link header information about where to retrieve meta-data about =jbradley, and perhaps alternate resources relating to =jbradley based on content negotiation, it is by the W3C's definition a cool URI.
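The following sketch is an added example, not code from this post or from the XRI specifications. It shows a proxy answering a GET on an HXRI path with a 303, a Link header pointing at XRDS meta-data and a content-negotiated Location, plus a classifier for the three status rules listed earlier. The metadata.example.org host, the set of alternates, the `rel="describedby"` relation and the leading-symbol validity check are assumptions made for illustration.

```python
from urllib.parse import quote

# Assumptions (not from the post): metadata host, alternates, and the rel value.
XRDS_BASE = "https://metadata.example.org/xrds/"
ALTERNATES = {
    "application/xrds+xml": XRDS_BASE,
    "text/html": "https://metadata.example.org/page/",
}
GCS = "=@+$!"  # XRI global context symbols; a simplified validity check

def parse_accept(header):
    """Return media types from an Accept header, highest q-value first."""
    ranked = []
    for part in header.split(","):
        fields = [f.strip() for f in part.split(";")]
        q = 1.0
        for param in fields[1:]:
            if param.startswith("q="):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 0.0
        if fields[0] and q > 0:
            ranked.append((q, fields[0].lower()))
    return [m for _, m in sorted(ranked, key=lambda item: -item[0])]

def hxri_response(path, accept="*/*"):
    """Answer a GET on an HXRI proxy path with (status, headers)."""
    xri = path.lstrip("/")
    if not xri or xri[0] not in GCS:
        return 404, {}  # 4xx: the nature of the resource is unknown
    name = quote(xri, safe=GCS + "*")
    base = next((ALTERNATES[m] for m in parse_accept(accept) if m in ALTERNATES),
                XRDS_BASE)
    return 303, {  # 303 See Other rather than 302
        "Location": base + name,
        "Link": '<%s%s>; rel="describedby"; type="application/xrds+xml"' % (XRDS_BASE, name),
        "Vary": "Accept",
    }

def classify(status):
    """Apply the three rules listed in the post to a GET response status."""
    if 200 <= status < 300:
        return "information resource"
    if status == 303:
        return "any resource"
    if 400 <= status < 500:
        return "unknown"
    return "not covered by the three rules"
```

A client that receives a 302 from such a proxy falls into the last branch of `classify`, which is why the change of redirect type matters for the "Cool URI" reading.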

The cooler part is that we now have the XRI shared semantics that can be applied to any XRI subscheme URI to describe =jbradley.

This is achieved through a mechanism similar to the one that the W3C recommends near the end of "Cool URI".  They cite D2R Server as an example of using SPARQL and 303 redirects to serve RDF documents about "Platonic ideals".

XRI has and is proposing to do the same thing with some differences:
1. Using XRDS instead of RDF documents. (Yes, we may add an RDF format for XRI meta-data.)
2. Using a global scope for XRI like ARK
3. Using an http sub scheme to define the shared semantics per David Booth's recommendations
4. Using multiple schemes as base URI for the same XRI for shared semantics, i.e. http: and https:

I am hoping we can now make rapid progress on resolving our differences with the TAG to remove their objections to XRI.

=jbradley