Infrablog

As one of the world's leading security vendors, VeriSign has been asked to discuss the top 10 most important security areas for 2010. So, ahead of my new year's resolution, I decided to indulge (after a year working heads down on a single product, it is a fun exercise to think of all the things that you have been missing out on). Although the list is far from complete, it is clear to me that there is no recession for the bad guys. In fact, it has probably never been a more interesting time to be in the security business.

Security Prediction #1:
Cloud Security (Securing the Next IT Infrastructure)

Call it cloudmania or software as a service (SaaS) hype, data, applications, or networks: The whole IT infrastructure is shifting to the cloud. With it, a large chunk of today's IT budgets will be redistributed to the next Google of the cloud. In 2010, SaaS security will be in the forefront as chief information officers ponder their increasing reliance on external business applications: "Is my data safe? Is my security policy enforced? Am I still compliant?" Federated identity and access management services across SaaS will start providing some answers, and strong authentication will bolster identity services. Cloud platforms such as Microsoft Corp.® Azure and Rackspace will lead the industry to redefine key and certificate management within cloud environments.

Security Prediction #2:
Website Security (the Growing Threat of Web Malware)

The Web is a growing channel for malware distribution. From February to August 2009, the Google search blacklist grew by 65%. It is now very clear: Bad guys want to infect popular Web sites with malware to silently take over your desktop as you browse the Web. Their weaponry is as effective as it is diverse: hidden IFrames, obfuscated JavaScript, and malicious browser add-on objects. The arsenal and sophistication of these exploits is growing daily. Even with anti-virus running on your machine, your odds of being infected while visiting a drive-by download site may be more than 1 in 2. Let us face it: Web pages have become sophisticated programs. They increasingly become a dominant attack vectors for all the world's hackers who are seeking home computers for their botnet and consumer identities for their piggy banks. As the threat increases over time, drive-by malware protection will become an important check for any commercial Web sites.

Security Prediction #3:
Virtualization Security (Protecting the Cloud Operating System)

Securing virtualized environments is an absolute necessity. After all, virtualization is to the cloud what the browser is to the Web. Some see the hypervisor as the ultimate rootkit. We see virtualization as an opportunity to improve security through end-to-end automation. Combined, virtualization and the shift to the cloud provide a unique opportunity to transform the way we do security today. Virtualization enables security automation. Automation will streamline security deployment and ongoing management, taking us to levels that we simply could not achieve before. As virtualized switches reduce networking cost and complexity, virtualized security appliances and virtualized component certification will reduce the difficulty of deploying secure environments. For now, many questions remain: How do I secure my virtual images? How do I ensure the integrity and confidentiality of my enterprise servers, my employee desktops, and mobile phones templates and images? How do I make sure that all the data that these edge-deployed images consume and produce are protected by keys to which no one else has access? As end-point deployment converges to an automated assembly of virtualized software components (operating system, applications, firewalls, anti-virus, intrusion prevention system, intrusion detection system, load-balancer, policy servers, etc.), how do I make sure that these elements are authentic, patched, and selected according to my security policies? For many years, we have been securing code for Active X and Java applications. The next generation of trusted software may well be virtual images.

Security Prediction #4:
Mobile Security (From Mobile Phone to "Security Remote")

Thieves steal a laptop every 53 seconds, and authorities never recover approximately 97% of these devices, according to the FBI. Worse, thieves will steal one out of every 10 laptops within 12 months of purchase. With the explosion of smart phones around the world, the new mobile platforms are about to become a hacker's dream and a corporate IT nightmare. It is no coincidence that 2009 saw the first iPhone worm. In a world of untethered devices (laptops, net books, smart phones, tablets), personal and corporate data must be encrypted, remote mobile access must be strengthened, and mobile end-point security must be deployed. Over time, mobile devices and the alternate digital channel that they enable will turn into a "personal security remote control". Indeed, we all need the choice of stronger security that does not impact the convenience of our digital lives.

Security Prediction #5:
Social Networks Security (Bringing Trust to Social Communities)

There are clear and obvious dangers associated with social networking including personal data theft,malware, and scams. The most prevalent threats often involve online predators or individuals who claim to be someone that they are not. A December 2009 study from Sophos Plc. showed that 41% to 46% of contacted users "blindly accepted" friend requests from fake Facebook users created by the security firm. As businesses increasingly start leveraging social media to interact with consumers, business authentication, reputation, and trust marks should have an important role to play in the social neighborhood. Because trust is essential to any form of business, in 2010, social applications and games may seek trusted third parties to identify, certify, and signal legitimate business that comply with industry best practices.

Security Prediction #6:
Safe Navigation & Search (Surfing with Peace of Mind)

On today's Internet, clicking on a hyperlink may end up being the riskiest decisions for millions of Internet users. In a Web of phishing, drive-by malware and scams, what lies behind the link can indeed be deceiving. In 2010, Web navigation will need to get safer. Already, we are working with bity.ly to identify malicious shortened URLs. More global and impactful is the announcement to deploy DNSSEC across.COM and .Net in 2011. Because DNS is at the heart of Web navigation, the introduction of DNSSEC within the Internet infrastructure should have a profound effect on bolstering security across Web browsers, directories and search engines. Less obvious, DNSSEC could also change the way developers create secure APIs on the Web. DNS is a powerful directory protocol. Yet, most Web platform uses REST APIs over HTTP/HTTPS, and not DNS. This is due in part to the extra security and trustworthiness provided by HTTPS over DNS that is subject to MIM attacks. However, when it comes to scale and operational costs, large data lookup systems based on DNSSEC APIs could be more cost-effective than those based on HTTPS. As DNSSEC becomes ubiquitous, across the Internet fabrics, trust services, new directories and large dataset lookup systems based on DNSSEC could emerge. Someone just needs to invent the equivalent of JSON to encode key-value pairs over DNS. So could DNSSEC change the way Internet architects design open secure Internet systems tomorrow? Certainly, it will be up to the developer's community to decide, but 2010 may be the year when DNS becomes a viable alternative.

Security Prediction #7:
Network Security (Elastic DDOS Protection)

With Facebook and twitter in the bad guys cross-hair the increasing threat of distributed denial of service (DDOS) has reached unprecedented notoriety. Across the world, DDOS attacks have risen to unprecedented levels. Looking forward, our increasing reliance on public networks to support commerce, IT mission-critical applications, and communication will continue to drive the need for DDOS protection. Because DDOS protection is a game of scale, DDOS monitoring and mitigation cloud services should play a pivotal role in keeping public and private networks safe in 2010.

Security Prediction #8:
Consumer Identity Trust (the Emergence of User-Centric Policies)

The evolution of the world wide wed into a user-centric, real-time and distributed information system has never been so evident. In less than 15 years, our center of attention on the Web has already shifted from the highly centralized portals to the more distributed blogosphere, the more personal Facebook pages of our friends, and the more real-time Twitter streams of our specialized interest. Increasingly, the content and data that truly matters to each of us has become de-centralized, personal and real-time. As the Web continues this inexorable mutation into a user-centric, distributed and real-time information system, the imperative for a new identity system becomes blatantly clear. The necessity for each of us to control and protect our content and data across multiple service providers eventually drives the emergence of an open identity order that goes beyond the artificial locks imposed by large user and social communities. If the data and content that matter to us are personal, distributed and real-time, surely, these new identity services will need to ensure that they remain authentic, safe and private. In 2010, open identity systems will continue to garner momentum. Governments will begin deployment. Because Interoperability cannot be achieved with technology alone, an open policy framework emerges as a foundation for identity privacy security and trust will emerge.

Security Prediction #9:
Securing the Smart Grid (Safe Clean Tech)

Saving energy and improving management of energy is high in today's political agenda. With millions of individual homes, building apartments, offices, the network of things may will likely be larger than the World Wide Web. Securing the smart energy grid cannot be an after thought. The interconnection of consumer devices, meters, distribution transmission infrastructure, and energy providers into an intelligent network may not only be of country largest growth and innovation opportunity, it could also be its greatest liability. The network of things will have to be trusted from day one. This worthy endeavor will drive the deployment of next generation cryptography, embedded certificates and trusted computing for smart grid elements. It is still early, but there is no alternative: the smart grid will have to be secure or it won't be.

Security Prediction #10:
Browser Security (Stopping the Man in the Browser)

Browser security seems to be as much art as it is a science. As anti-virus companies and hackers keep on playing the cat and mouse game, new approaches for protecting users against malware are starting to emerge. Browser sandboxing is a promising area. Cloud based AV provides another innovative approach. Most corporate users are already familiar with AV web proxy. They process web page in real-time and filter based on signatures and blacklists. Real time updates and shared threat intelligence are some of the key advantages of cloud-base malware detection. The approach has merit since signatures can take days to be written while malware can morph in hours. Browser and plug-in vulnerabilities will keep on driving desktop threats in 2010. The VeriSign iDefense team will keep on publishing zero-day exploits and vulnerabilities ahead of attackers. If last year's trends are any indication of what the next year will look like, they have their work cut out for them.

Posted by Nico Popp at 2:41 PM
Permalink | Comments (0)

Concerns for the security of application run in the cloud are running high. The perceived lack of security of cloud platforms is often cited as the primary obstacle to adoption. Whether "cloud" is defined as infrastructure as a service (storage and compute services ala Amazon), platform as a service (application deployment environment ala Google App Engine), or simply as application outsourcing (SAAS ala SuccessFactor), almost everyone is lamenting at the security inadequacies of these new computing platforms.

This raises the question whether cloud providers should envision becoming security companies. After all, why would CIOs ever shift their entire IT infrastructure to the cloud unless the cloud came with strong security, compliance assurance and operational risk management? Conversely, should security companies rapidly transform themselves into cloud providers? After all, why would an enterprise that has crossed the Rubicon of moving the IT infrastructure to the cloud ever want to keep on buying security from a security company? Instead, would not enterprises customers expect cloud service providers to bake in security as part of the cloud offering? Despite the need for secure clouds, security companies are not yet focusing on IT infrastructure as a service. Instead, most security vendors are exploring security as a service, that is the cloud as a delivery mechanism for traditional security services. The MessageLabs acquisitions by Symantec, the MX Logic acquisition by McAfee and the recent acquisition of ScanSafe by Cisco gives credence to the popularity of the cloud as the savior for all enterprise security companies faced with the spectrum of contracting software licenses revenue and profit margins.

Interestingly, the so-called insecurity of the cloud does not need to be a perennial curse. The shift of IT to the cloud actually provides a significant opportunity to improve the way we do IT security today. In the same way as the cloud is transforming IT deployment and management, it will transform security. Consider for example, vulnerability and patch management. From a security standpoint, the most tangible risk is the failure to keep up with the constant, labor-intensive process of patching, maintaining and securing each server in a company. Although vulnerability assessment can be automated through external network and application penetration testing, there is still a lot of labor-intensive process and extreme customer pain in patching networks, servers and software: ports must be closed, networks must be segmented, patches must be installed installed, application code needs to be changed, etc.

Contrast this to what the cloud can enable. If an application is running in the cloud, the cloud provider takes responsibility for the hardware, OS, network, and third party software, making sure they are hardened and certified. A choice of infrastructure elements with varying security assurance levels is offered, but the customer internal security policies govern deployment. All infrastructure elements are periodically pen-tested for known and zero-day exploits. As new vulnerabilities are identified, an automated patch process is implemented. New virtual images are built and automatically deployed across the virtualized infrastructure. Virtual switch segments and firewall rules are updated in real-time. When vulnerabilities are found in the custom IT application code, a virtual Web Application firewall automatically blocks them. Virtual IPS and IDS capture, correlate and log all security events. Compliance logs, reports and scan results are automatically sent to customers and auditors whilst being securely archived. An end to end managed security model, orchestrated by a pool of specialized and over-trained security administrators becomes possible; a far cry from today's reality of patching and software security maintenance.

Therefore, far from being a security liability, the shift to the cloud is an opportunity to streamline, automate and strengthen IT security. For progressive security companies, this could be game changing. For those unable to renounce their addiction to an aging licensing business model, it could be doomsday. In the same way that the cloud is challenging software platform vendors and ISVs, the cloud is about to disrupt the world of security. The quest for security differentiation in cloud platforms may even drive industry consolidation. Of course, skeptics will assert that the cloud is a fad and that nothing is really changing (watch Larry Ellison at the Churchill Club exposing the hype). Denying the transformational nature of virtualization (the genuine cloud OS) and multi-core computing technologies may be shortsighted. Ignoring the business model disruption of pay-as-you-go over software licensing may prove unwise. Personally, after a year of contracting GDP and anemic recovery forecast, I find it invigorating to believe that one in a decade technology disruptor and market breaker lies right in front of our industry. Displeases Mr Elisson, for once, keeping your head in the cloud may be the smartest IT business strategy for the many years to come.

Posted by Nico Popp at 8:03 AM
Permalink | Comments (0)

One of key challenges in federated authentication network is the establishment of trust between an identity provider (IDP or OP) and relying party websites (RP). In the real world, contractual agreements provide a simple out-of-band mechanism to effectively bind two parties into a trust relationship. When it comes to federated identity networks, peer to peer contracts between many identity providers and a myriad of relying party websites do not provide for a scalable process. Therefore, open federated networks need a trust assurance framework to bootstrap trust between the three parties (the user, the OP and the RP).

The basic idea is that if an OP can be certified to comply with a set of industry best practices, the RP should be able to enter into open identity exchange where both the websites and the consumers are reasonably protected. Of course, a pragmatic trust assurance framework should be flexible enough to support different levels of assurance based on the transaction risk and value. For low assurance Web federation where large brands such as email providers and major social networks dominate as OPs, certification may seem overkill, unless of course, the federation is built on open principles stating that any OP meeting the standard should be able to participate. For high assurance identity, such as payment networks, financial networks or eHealth record exchanges, certification is primordial. In fact, in such environments, both the OP(s) and the RPs need to be certified.

The NIST guideline for electronic authentication is often referenced in the community as a good model for any identity trust framework. The NIST guideline defines four levels of insurance for e-authentication. Each level is deemed appropriate
Depending on transactional risks. Tiered levels of identity assurance are essential to any pragmatic trust framework. Set the bar too high and deployment becomes impractical. Set the bar too low, and the bad guys will have a ball. Justifiably, the NIST guideline provides a solid starting point. Nevertheless, one needs to observe that the framework may be too narrowly focused on user credentialing and credentials strength to provide a complete answer. Open Identity systems cannot ignore the reality of today's Web vulnerabilities, threats and exploits that feed identity theft around the globes such as man in the browser exploits, session hijacking or Web vulnerability driven exploits like mass SQL injections. A trust standard also needs to go beyond security and address the major consumer concerns and political challenges of privacy. When it comes to trusting identities, security, privacy and anonymity are intricately intertwined. Trust in a federated identity Web mandates a holistic approach that looks not only at user authentication but also takes into account the current state of desktop exploits, Web site compromises and most importantly establishes clear and enforceable privacy protection guidelines.

Trusting the OP/RP Websites: web security & business authentication

For low and medium assurance identity transactions, it seems to be that both the OP and RP website security would need to be asserted. There I think, one can learn from Internet security standard such as PCI. Even though the standard is far from being perfect (a euphemism, perhaps), it provides a shared base of security requirements for all websites to engage into ecommerce and securely handle credit card information. If one believes that consumers will require for their personal identity the same level of security as for their credit card, the parallel can be useful. The OP website should then be scanned for network security vulnerabilities; Ports should be closed. Network services should not run outdated or un-patched software; the OP should not be vulnerable to common Web exploits such SQL injections, cross-site scripting (XSS), or Cross-Site Forgery requests (CSRF). For web application vulnerabilities, the OWASP standard that identifies the top 10 Web vulnerabilities provides a useful reference. In addition to security assessment, a set of security best practices should be required. For example, the OpenID profile retained by the federal pilot already specifies that SSL should be part of the deployment profile. Verifying the authenticity and legitimacy of the organization behind the OP is as important as verifying the security of its website. There, a proven model that the industry could re-use is the EV business authentication standard. EV certification already defines a strong process for vetting organizations and it is already widely used across the industry.

Trusting the user: beyond identity verification and credentials

As mentioned, NIST will provide the foundation for user trust assurance (both for runtime and initial authentication of end users). Equally important, however, is to consider that Internet threats have significantly evolved since the NIST framework was initially published. In particular, we need to recognize that one of the main threat vector for identity theft is now malware. An identity trust framework can no longer ignore the potential of a man-in-the browser attacks (Trojans, key-loggers, worms, etc). Knowing whether the end user has any end-point protection (and maybe encouraging websites to introduce out-of-band messages into high assurance identity transactions when such protection is lacking) could be of consideration.

Trusting the transaction: from activity to security streams

Believing that the OP can provide strong identity assurance by simply checking credentials and abandoning the user at the RP front door is a dangerous over-simplification. Because modern exploits often let the user authenticate to commit fraud further down the session, it is important to enable OPs to leverage the knowledge of the end-user and her transaction patterns to identify high-risk conditions. Since we cannot assume the existence of adequate desktop protection (Internet security that exclusively relies on the presence of a client on the user desktop is no more than an academic exercise), high assurance federation models need to enable the use of fraud engines techniques across RPs (most logically, run at the OP although it could be a separate). The ability to create an effective user risk profile across transactions is what has made the credit card networks work. High assurance identity networks are going to need an equivalent (think VISA of identity). An interesting idea could to leverage the concept of activity stream as a real-time fraud detection primitive. A security stream back to the OP (under complete user consent and strict privacy protection) would allow RPs to feed transactional information back to the OP, allowing it to build a complete risk profile of the user across her Internet activities (fraud detection is often based on clustering techniques that measure abnormal deviation from normal behavior). Even without a risk-engine running at the OP, a security activity stream could have tremendous security value if used as a simple identity alert system to notify the user of all ongoing transactions. In high risk cases, the activity stream could trigger an out-of-band consent for the transaction (think of Visa calling you to confirm and authorize a suspicious transaction); it is interesting to think that the social concept of activity stream that is today missing from OpenID (not from Facebook Connect) could actually be used to drive better identity theft protection. With such transactional feedback loop, a security minded OP would be able return a transaction score and possibly a liability guarantee based on the user risk and behavioral profile built over time. Incidentally, interesting new OP business models could emerge (VISA-like: "I will take a cut of the transaction", Credit-Bureau-like: "I will charge you for the score", Insurance-like: "I will take the liability risk").

Ensuring trust across these three dimensions (the organization, the website and the user) is non-trivial. Yet, it is critical to enable consumers worldwide to engage into shared identity interactions with peace of mind across the Internet. Very much like PCI vendors emerged from the existence of a commercial PCI standard, one would hope that Identity trust assurance services could emerge as well since security companies need economic drivers to build great services. One of the key challenges of the standard will be to strike a balance between where to set the security bar to permit a high level of automation for accreditation. Such balance is always hard to strike, but it is also what makes the challenge worthwhile.

Posted by Nico Popp at 11:13 AM
Permalink | Comments (0)

Two weeks ago, I had the privilege to join the OpenID foundation and Information Card boards for a meeting with CIO, Vivek Kundra and his staff at the Whitehouse. The goal was to discuss the forthcoming OpenID pilot and better understand the government commitment to enabling distributed identity on the Web. Undeniably, this was a very interesting and spirited discussion.

A key take home for me was the recognition of identity as the lynchpin to new citizen-centric services, governmental IT cost reduction, and stronger cyber security. For key Obama initiatives such as citizen participation or electronic health records, identity management was described as foundational. Equally impressive was the sense of a holistic and consensual approach towards the broad deployment of trusted digital services across federal, state and local Web sites.

In particular, there is a clear view that the deployment of low level assurance identities is only a critical first step, not an end in itself. With the initial OpenID pilot, the administration is seeking to teach Internet users how to conveniently and confidently re-use their identities across multiple sites. Federation is a new behavior and as such, it requires training. Federal and State web sites will provide an important training ground of relying parties. The government endorsement of OpenID is likely to prove significant. After all, if OpenID is good and secure enough for the government, it should be good and secure enough for most Web sites. Beside, once consumers are comfortable using distributed identities, it becomes possible to alter the login experience by introducing stronger security and identity assurance. This is the ultimate end game since high assurance identity services are pre-conditions to new strategic initiatives.

Consider health care reforms for example. To counter balance the $900B expense that the new Obama plan calls for, electronic health records must come to reality. However, eHealth requires access control across a large and complex ecosystem. Users must be able to register, login and access private data across physicians, hospital, pharmacies, labs, insurance, and employers Web sites. Privacy and security concerns are high on the list. Without high assurance, clear liability models and robust shared identity services, eHealth is a non-starter.

The crawl, walk run approach to identity services that our federal government is taking may prove insightful. By restricting initial interaction to pseudonymous and low assurance level identities, federal web sites instantly provides the industry with a simple test bed to iron out the trust and privacy frameworks necessary to the deployment of large federated identity networks. User experience, privacy policy and security approach that can work for millions of consumers will have to be standardized. The liability elephant that has been haunting the identity discussion rooms will have to be tamed. No doubt that the OpenID foundation, the Information Card foundation and many other have their work cut out for the next few months.

So, keep an eye on the pilot. If all the planets keep aligning, and federated identity can prove to significantly increase user registration, an important chapter in the book of distributed identity systems may be just about to open in front of us.

Posted by Nico Popp at 11:37 AM
Permalink | Comments (1)

In the coming years, many websites will contemplate adding strong authentication to accounts login. So far, early adopters for strong authentication have mostly been financial institutions. Since 2005, banks and brokerage firms have had had little choice than following the FFIEC guidance. This 2005 regulated mandated a move to stronger credentials than just name and passwords. Today, SAAS providers and large consumer Web sites are increasingly suffering brand exposure and public scrutiny following high visibility attacks (here and there). With increasing reliance on the cloud to host mission critical applications and sensitive data for enterprises and consumers, I would expect many large online services to begin offering stronger login options to their user base.

Interestingly, the FFIEC deployment of multi-factor solutions such as chase.com or bankofamerica.com give us some insight into the type of technology that are likely to be adopted by non financial service providers. Multi factor authentication essentially relies on a cookie as the second factor (the cookie is "what you have"). Coupled with a backend anomaly engine, the client side cookie is used as a "persistent" device identifier. Cookies as device IDs are alluring because they work across all browsers; they do not require any new client install on the user desktop; cookies are transparent to the end user, and most importantly, they do not cost anything. Since cookies could become prevalent as a "second factor" for web login, it is important to be aware of the security limitations and risk that they represent.

The first issue with cookies is their lack of persistence. Statistics show that users very often reset their cookie. This leads to the challenge of "cookie re-issuance" or cookie reset. This problem is roughly equivalent to password reset which, as many recognize, is the Achilles' heel of login. The alternative is not pretty. Either you make the reset process stringent and secure and it becomes a hassle to the end-user; or you make the process relatively easy, and it leads to very simple attacks. In short, the lack of persistence of cookie as device ID will trigger many cookie re-issuance events. Since high frequency life-cycle events cannot be made too complex without frustrating customers, the high frequency of cookie reset will inexorably lead to simple procedures. In turn, these simple procedures will inevitably open the door to a broad range of attacks.

The second class of problem with cookies is that they can easily be stolen using remote attacks such as cross-site scripting (XSS). XSS is a vulnerability that lets the attacker overcome the same origin policy enforced by all modern browsers. The policy circumvents scripts loaded from one domain to access content from another domain. XSS vulnerabilities effectively allow an attacker to execute scripts in the context of the vulnerable domain, hence overcoming the same origin safeguard in the browser. All the attacker needs to do is to exploit this vulnerability by crafting a request parameter value along the lines of . Since this gives the attacker unlimited access to any cookies of the website, DOM content, etc., this is considered one of the most serious vulnerabilities out there. The key about this type of cookie attack is that it can be launched remotely. In other words, an attacker can get to a user cookie without the user machine being compromised by malware. Add malware on the user machine, and cookies as a device ID become a recipe for disaster. In that case, cookies and machines fingerprints can be harvested and sent to the bad guys without the user ever noticing anything.

The increasing reliance on a silent device ID that does not impact the user experience is a logical approach to strengthening authentication on the Web. It is only the absence of alternative to cookies that is leading web engineers to leveraging them for authentication. Cookies were not invented for such purpose. As my sweet-tooth daughter would eloquently put it: the world need better cookies. Eventually, we do need stronger, more persistent devices ID that can be deployed across fixed and mobile devices, competing operating systems and browser platforms. These strong device IDs can be shared secrets, asymmetric key pairs or device certificates. The technology clearly exists but we lack a common deployment framework for device IDs (open client, common user experience, shared ID security stack, hardware protection too) .That is typically where the industry does it best work. Everyone needs it. Everyone will benefit from it. No one can do it alone.

The common need for open standard, open stack and open policies to deal with strong, persistent and privacy-conscious device IDs will inevitably lead to a joint effort. As cookies start crumbling across websites, security experts will get together and the urgency for collaboration will come to bear. In the meantime, when access security really matters, I will keep using my one time password token. If only, I could remember where I left it.

Posted by Nico Popp at 8:22 AM
Permalink | Comments (0)

There is no doubt that mashups will be an important construct of the next Internet. The ability to "compose" distributed Web services into one single aggregate service or view is a significant enabler. The lightweightness of HTML and JavaScript speak to the simplicity of a successful programming model. Add to this the emergence of open standards like OAuth, and the need to distribute functionality across screen boundaries (PC, mobile and IP TV), and the picture becomes very clear; mashups and widgets are likely lead the componentization of the Web and become an important distribution mechanism.

For mashups to become ubiquitous, a trust infrastructure is needed. To establish trust between a widget aggregator (a consumer portal, the enterprise portal or your homepage or TV screen), and a widget provider, protocols like OAuth essentially rely on the exchange of shared secrets. This works well when there are only a few big portals serving as aggregators. However, because they require pair-wise trust relationships, the approach does not scale to a truly distributed environment. In particular, the model breaks very quickly in the enterprise as the number of network end-points (enterprise portals and SAAS) explodes.

Ravi Ganesan and his new company SafeMashup may have found the answer to this thorny problem. Ravis' answer is brilliantly simple: reuse the existing and proven trust infrastructure of the Web. Indeed, SafeMashup enables existing CAs to issue credentials to mashers and mashees. These credentials are identical to the one they issue to Web sites today. Because Web 2.0 protocols such as OAuth require a shared secret, Ravi uses the SSL handshake and the issued SSL certificate as a secure method to establish a shared secret between the masher and the mashee. This approach allows him to layer SSL and certificates on top of the Web 2.0 protocols without requiring any change to these protocols. Brilliant!

There is no doubt that broad deployment of mashups requires an open, standard-based scalable trust infrastructure. Reusing the existing PKI infrastructures and its rugged SSL cousin strikes me as a very good idea! After all, when the wheel works, why reinvent the wheel. So, "bonne chance" to Ravi and SafeMashup. Indeed, there is something truly exciting brewing in San Antonio, Texas.

Posted by Nico Popp at 5:07 PM
Permalink | Comments (0)

There have been a few very insightful discussions from Chris Messina and other regarding the PIP as a secure file, so I thought I would share some of our longer-term product goals.

Today, the PIP file vault is a personal digital locker for our users to manually upload their most personal files. That by itself is not an innovation. In fact, the Web is full of personal storage services like Gmail. Online storage provides immediate and useful value, yet its usefulness is limited by the amount of work an end-user is willing to commit (uploading takes work!).

Now it is interesting to consider how this simple Web 1.0 model of personal digital storage evolves when combined with an OpenID provider. Together, can these technologies allow us to transfer and store in one single place under our control the personal files, private data and rich media content that is today spread throughout the Internet? In short, can a simple file vault become the in-cloud "time machine" of our distributed digital lifestyle?

A SAAS and device-centric view of cloud storage:

A lot has happened with network storage in the last few years. One of the most notorious disruptions is Amazon S3. I would characterize Amazon S3 as a SAAS-centric view of storage. Web applications can outsource the storage function to a highly cost-effective network that already has reached economy of scale. Obviously, it fits the Amazon economic model perfectly. Closer to the end user, we find Microsoft and Apple storage services. Their approach is similar in concept. To them, cloud storage is merely a device enhancement and synchronization is their lingua Franca (iSynch for Apple, Live Mesh for Microsoft). The concept certainly has merit for users with data spread across multiple devices. However, this is a very device-centric view of the world. It fails to realize that increasingly, our critical data resides across many Internet Web Sites with no ability to synch.

A user-centric viewpoint: centralized storage for distributed private data

So, what happens now when one looks at storage with a Web 2.0 user-centric view instead of the cloud-centric view of Amazon, and the device-centric view of Microsoft and Apple? One sees independent, distributed and sometime competing Web services. Through these services, users store personal information, create new data, and acquire digital content. Some of that content is low value and can be left behind. Some of his data is social in nature and is probably best shared with our Facebook friends. However, some of this data is also highly confidential and personal in nature. In that case, we, the end user, should be able to request its safe transfer, and backup to a digital locker that we fully control (the OP).

Towards a "Locker Connect" mechanism

Using the OpenID and OAuth models, such private data transfer can be authenticated and authorized by the end-user (although the data flows from the RP to the OP). The locker network end point address can be discovered as any identity attribute would. Finally, a user interface ala Facebook Connect can provide a friendly user experience while ensuring a user-centric control point (the user controls what, where, when and if the data is being sent).

The "wow" effect

The use cases certainly sound unlimited. Think digital health care and the $20B stimulus package: whether I am accessing my doctor, hospital, lab or pharmacy Web sites, I can now authenticate across all health service providers and authorize the audited transfer of personal health records back to my locker. Think rich media content: I can now purchase digital music, movies, or books across multiple e-tailers and have the bits (or maybe just the digital rights) sent back to my locker. Think payment and billing: please, send all my purchase and online statements back to my digital locker.

Yes, we can! With data portability and OpenID, a simple file vault can grow into a much more compelling personal identity service. And who knows. With security and private storage, we may even have a real business model!

Posted by Nico Popp at 9:45 AM
Permalink | Comments (0)

The PIP team just released a new feature on Friday: a secure digital vault to store your most personal documents online. Think of it as a digital lock box in the cloud to store copies of your most important documents online (deed of trust, will, passport, property pictures for insurance, etc).

Since, these documents are your secrets, all files are encrypted using key management best practices. To increase security, access to the vault requires two-factor authentication. If you already have a VIP token, simply link it to your PIP account. For our most cost conscious PIP users, we offer a free mobile version of the VIP OTP token. It can be downloaded to your phone here (I use the iPhone Beta version that will be available soon). Once strongly authenticated, the vault opens (Flash is your friend) and you can begin to upload files.

The activation process is really straightforward, and our usability team has done a lot of work on the user interface. Moreover, it is free to all PIP users. So, try the new features and tell us what you think. By combining OpenID, strong authentication, password vault and secure storage, the PIP is getting one step closer to realizing VeriSign's long term vision of a user-centric identity service that will enable and protect our digital self.

Posted by Nico Popp at 9:54 AM
Permalink | Comments (0)

Great news for OpenID aficionados, the largest identity social network is embracing OpenID. With 221M users, one could easily conclude that OpenID has just received the stimulus package that it needed to finally achieve critical mass. But, what does it really mean for OpenID? While we are all looking forward to the day FaceBook becomes both an OpenID provider and relying party, the initial impact is more likely to be a significant change in the OpenID user interface. As shown, here and there, is clear that from a UI standpoint, Google and FaceBook are converging in terms of how to achieve login and exchange of personal data across relying parties and social networks.

While FaceBook will likely integrate OpenID as the "alternate" login method for FaceBook Connect, Google and its followers will do the same with Open Social and Google Friends Connect (in the case of Google, you may also get the friendly Yahoo!, MySpace and AOL followers). By becoming the alternate login method (but a more obscure one), the risk for OpenID is to be relegated to the level of OAuth and SAML as authentication protocols without any consumer brand recognition. Alternatively, OpenID may rise above the "open stack" plumbing to become the network mark that ensures interoperability across the FaceBook and Google networks. That my friend, is of course politics, but with a Facebook on board, it would appear that this week, this old chimera of federated Internet identity may have made a significant leap forward.

Posted by Nico Popp at 2:15 PM
Permalink | Comments (0)

This week, the PIP team is releasing an improved version of the 1-click sign in. The great news is that PIP users are no longer restricted to our small initial list of supported sites. Indeed, you can now add any of your favorite sites to your 1-click list (with a few caveats such as pure flash sites). Over time, we will monitor the most popular sites being added and we will include them to the default 1-click list.

This is great news for PIP users, especially for the non-US community who is no longer limited to our choice of sites (I must confess that our initial list was very US-centric). By the way, kudos to the PIP engineering team: doing all this in JavaScript without any browser plug-in is a real engineering "tour de force". Also, the team also improved the UI and performance of the bookmarklet window. Note that you will be prompted to re-install the 1-click bookmarklet.

The Internet is getting easier. Happy 1-click navigation!

Posted by Nico Popp at 6:13 PM
Permalink | Comments (0)

2009 promise to be a pivotal year for OpenID. So far, industry adoption has been strong with consumer powerhouses such as Google, Yahoo!, Microsoft and MySpace backing up the technology. At the same time, consumer adoption remains limited to early adopters. Meanwhile, FaceBook, the identity provider of choice for 160M consumers is promoting its own alternative in the form of Friends Connect, creating the risk of balkanization. With a new year beginning, a recently augmented leadership, and high competitive stakes, the moment felt opportune to put together my 2009 wish list for OpenID.

Execution: The Separation of Concerns

My first wish is organizational. The OpenID foundation board host really bright and passionate people. Folks are committed to the success of OpenID. Across the board, there is also a strong willingness to do what is right. Nevertheless, execution on key priorities appears to remain sluggish at times. Perhaps, the foundation needs a more effective way to drive execution. There, it could borrow a page from what larger corporations do extremely well. They separate governance from execution. The OpenID board is governance. It needs to articulate priorities, but create focused committees around these priorities. Then, it needs to empower the best elements in the board and the community to drive the outcome. Sounds obvious, but by enforcing that separation of concern and empowering people to work in parallel, I think the OpenID foundation could gain tremendously effectiveness in 2009.

Identifier: Email Address as OpenID, at Last!

In the last two years, I have been regularly in a position to explain and pitch OpenID to Financial Institutions, Mobile Network Operators and MSOs. By experience, I have learned that OpenID detractors and alternate technology providers will always bring two detrimental arguments against OpenID: user experience and security. The usability argument can be summarized as follows: "How much marketing dollars do you plan on spending to teach consumers to type a URL instead of a user name?". The answer is simple and usually reminiscent of Omer Simpson's catch phrase. So, in 2009, let us do ourselves a favor. Let us remove the leading argument against OpenID. Let us make email addresses first class OpenID identifiers. It is not about alienating URLs as identifiers, it is about enabling email addresses alongside URLs, because millions of consumers already regard email as their primary online identity and an email address is already their user name across so many sites.

Security: OpenID Security Analysis and Best Practices

The second argument that OpenID detractors will always bring up is security. In fact, there is a lot of confusion around the security of OpenID as a protocol and its propensity to phishing as a user experience. There again, detractors and naysayers are having a ball. What we need there is a neutral third party study that explains why OpenID is a sound protocol, and describes the best security practices to deploy the technology. None of the companies involved in the foundation should be responsible for such study. Instead, the board should sponsor an independent and reputable third party security lab to lead the security review. Once it is complete, the foundation should publish the results of the security analysis, alongside the recommended deployment best practices.

Branding: Establishing the "OpenID Network Mark"

Everyone agrees that OpenID needs to emerge as a brand that consumers can recognize. Similarly to Visa for payment, Dolby for music and Gore-Tex for rainwear, OpenID ought to become the "ingredient brand" for identity. The reason the OpenID brand needs to emerge is that we need a "network mark" that transcends all the identity silos. Very much like consumers know that their bank card will work when they see the Cirrus network logo on an ATM machine, consumers need to know that their identity will work on a Web site that carries the OpenID network logo. A network mark has a simple yet powerful meaning. It does not matter whether the card is from Bank of America, Wells Fargo or WAMU, it just works with this ATM machine. It does not matter whether the identity is from Google, Yahoo! or MySpace, it just works with this Web site.

In the OpenID brand lies the one big problem. Although a strong OpenID brand will prove to be good for everyone in the long run (by creating ubiquitous interoperability, Visa helped card issuing banks make more money than they would made on their own), at this time, none of the large consumer companies involved in the OpenID foundation have any incentive to promote another brand than their own. Therefore, the foundation needs to create a forcing function. My recommendation would be to leverage its ownership of the OpenID intellectual property to enforce the network mark. Let us keep OpenID free to all, but let us require everyone who uses the technology and benefit from the free IP to display the OpenID logo.

Avoiding the balkanization of identity to achieve the broadest possible user-centric federation network is what is at stakes in 2009. Undeniably, this is the year when OpenID can get from good to great. The OpenID network will rise or OpenID will become another commodity protocol encapsulated in the stacks of more fragmented identity networks (such as Google Open Connect or FaceBook Connect). It is up to us the OpenID community to make things right by seizing the opportunity. As we say in the valley, it is all about mere and simple execution. Yes, indeed, this coming year ought to be a critical and exciting year for Internet identity and OpenID.

Posted by Nico Popp at 10:34 PM
Permalink | Comments (0)

There has been a lot of buzz around Google's OpenID announcement last week. First, because Google awkwardly decided to change the service end point discovery part of the protocol. The good news is that Google fixed their faux-pas fairly quickly. In fact, they had no reason not too follow the spec and alienate the OpenID community.

More significant and more interesting however, was Google OpenID departure from requiring users to use URL as OpenID identifiers. Instead Google wants to let users use their GMail address as an OpenID identifier. Using GMail addresses as OpenID is not only a justifiable way to improve the OpenID user experience; it is also a very smart move by Google in their quest to become the dominant Internet identity provider (IDP).

As a consumer, there is no doubt that using an email address is the obvious identifier. Email is to consumers what domain names and URL are to businesses: a natural identifier. After all, email is already my Amazon, Apple and many other sites login. It is the intuitive OpenID that any consumer will expect to type in any relying party login box. In the long run, not having to teach millions of consumers that they should type a URL instead of an email address will prove a huge win for OpenID. Too bad it took though it took the weight of one to move an entire community forward.

But the consumer is not the only winner here. I think Google will prove to be the other beneficiary. By making email addresses, the de-facto OpenID identifier, guess who is now more likely to become the identity provider of choice for millions of consumers? I would venture that those IDPs who are already providing millions of Web mailboxes to consumers, have just gained a position of strength. Coincidentally, Google, Yahoo! and Microsoft have quite a few of those under management! Of course, Yahoo! and MSN are well tame rivals as far as Google is concerned. No, to appreciate this chess move, we ought to look at the other guardians of our Web identity: the social networks.

So, by changing the OpenID user interface, Google is now in a position of strength vis-à-vis OpenID, forcing FaceBook further into a dead-end proprietary identity APIs strategy. The beauty is that Google did not even have to force a button or any branding on relying party web sites. The choice of identifier alone will make it easier for consumers to choose Google over FaceBook. I would now expect to see Google drive OpenID integration across all APIs related to social networks and mobile (we already know that OAuth/OpenID integration is next) at full speed.

So, for sure, with Google and email, OpenID has gained a lot this week. At the same time, the idea of a federated Web identity network dominated by the three large Web mail providers is becoming more real. Nevertheless, consumers should rejoice. This week was a big step towards less name and passwords, and in the end, more convenience is certainly no evil.

Posted by Nico Popp at 4:42 PM
Permalink | Comments (0)

For almost 18 months, we have been working with the Movie studios on creating a blueprint architecture for rich digital media (a fancy name for digital movies). The concept falls in what I like to call the "big idea" category. The goal is to create an Internet eco-system that re-creates the user experience and commercial success of the DVD: an industry standard shared across all content providers, all retailers, and all device manufacturers.

Like the brick and mortar DVD, this new Internet DVD will share a common brand recognized by consumers worldwide; it will provide a common format with interoperable digital rights protection technology; The Internet DVD will be backed by a common usage policy that is consistent across movie studios and will provide a simple user experience for consumers. Believe it or not, we all believe that these lofty goals are achievable and we even have a proof of concept to support our irrational exuberance. You will just have to wait for this effort to become consumer facing to see it.

If successful, this "Internet DVD" standard, will allow any consumer to purchase and download movies from any online store (pick your favorite ecommerce store), and view it on any device (a PC, an IP TV, a mobile device). From the studios standpoint, the concept of the Internet DVD arises from witnessing the Internet speed transformation of the music industry: loss of sales driven by pirated content, emergence of music distribution silos where the lack of interoperability eventually leads to the elimination of rights protection altogether, a risk that the movie industry is not willing to accept without a good fight.

A key requirement of the "Internet DVD" is to enable DRM interoperability, which is timely considering the focus of regulatory instances, such as the European government. Of course, many will argue that the easiest way to achieve DRM interoperability is to get rid of DRM altogether. My theory (a lonely one in the blogosphere) is that a cloud-based approach is not only technically viable to create DRM interoperability. It is also the only possible approach to creating a user experience that resonates with consumers.

Indeed, the key to making the Internet DVD an insanely great consumer product is both open standards and a cloud approach. The cloud services (including OpenID-based identity services, of course,) are essential to mask the complexity of dealing with multiple DRM systems, multiple content formats and multiple retailers. The other trick is to leverage the cloud to provide additional functionality that the silos dismiss today: rights locker, perpetual ownership and the separation of the purchase from download experience. That last one is likely to resonate with marketers as the Internet DVD will encourage impulse by without forcing consumers to be tethered to a 10GB pipe.

Of course, the proof is in the pudding. We still have a few challenges ahead. We need to prove that the industry can come together and create a compelling joint offering for digital entertainment. We also need to prove that the hereditary vices of DRM can be hidden from consumers by using a cloud-based approach. The immensity of such challenge aside, the immediate lesson to me is that the cloud can be a disruptive force when it comes to new product design. The cloud creates new dimension that can challenge common thinking and alter the status quo, like the well-established thinking that DRM is a dead end. One thing is sure. The movie industry is a fascinating world and it will be fun to see how the cloud allows it to reinvent its biggest commercial success. So, say hi to the Internet DVD, it may be coming to a computer near you very soon now.

Posted by Nico Popp at 8:06 AM
Permalink | Comments (0)

Today, we are releasing a brand new version of the Personal Identity Portal (PIP). With support for two-factor authentication, the PIP remains a strong OpenID provider as VeriSign remains committed to the broad deployment of OpenID across the Internet. Beyond OpenID, the new PIP also includes some unique identity management features. As the user-centric identity movement reaches beyond authentication and attribute exchange, we wanted to evolve the PIP into an identity aggregation service that enhances control, convenience and security over personal data even when the data is scattered across non-interoperable Web sites.This theme of identity aggregation is going to remain an important product philosophy for us moving forward. Our first implementation focuses on personalization, convenience and security. This post provides a brief overview of the new features. For those of you who never read product description, you can sign up for a free PIP account here. For the more curious minds, please, read on, and let us know what you think.

Personalization and the Personal Identity Page
The Personal Identity Page allows you to aggregate public identities and presence across multiple Web sites under your OpenID. In my case, my personal identity page can be found at nico.pip.verisignlabs.com. You can see that I have chosen to aggregate my Blog, my Flickr pictures, my YouTube videos, and other personal links to provide a complete reflection of my public Web persona. With a Personal identity page, my OpenID URL now provides a simple way for people to find and discover my "aggregate me". Think of it as a modern version of public white pages. We have tried to keep it simple enough that it can be built within a few minutes, but rich enough to keep it interesting.
Of course, for many, the logical place to share their identity is their social network. For that reason, we have also created a FaceBook application. As shown below, the PIP FaceBook application lets you embed your "identity carrousel" into your FaceBook profile to share it with your friends.

Convenience and 1-Click Sign-in across any Web site
The PIP 1-click sign-in service may be one of the most interesting new features. The service aims at enabling single sign on across all popular Web 1.0 and Web 2.0 sites (whether they support OpenID or not). We have devised a client-less authentication solution that only requires one single click for you to log in across your social sites (FaceBook, Yahoo!, Google, MySpace...), your travel sites (TripIt, Expedia, United...), your financial site (Wells Fargo, E*Trade, ....), almost any of your sites, really! Think of it as a password vault in the cloud. Think of it as a universal single single-sign-on Web service. Since, we did not think you wanted to give all your names and passwords to VeriSign, we have designed it in such a way that VeriSign never sees your actual names and passwords (we only receive and store an encrypted form of them and you keep the secret key for yourself). Of course, you still need to log into the PIP (that is the one required login). Unlike most existing solutions out there, there is no client to install, only an optional bookmarklet to save in your browser (the install is drag and drop in Firefox and Safari and we have an automated install script for IE6 and IE7 users). It works on Windows, and the MAC. It will work in your 3G iPhone too, making OpenID and general login really user-friendly in a mobile environment (more in my next post). Note that the Beta 1-click service only supports 70 popular Web sites at this point. If your feedback is positive, we will add many more, so once again, let us know what you like and what you dislike.The bookmarklet is also a nifty navigation tool. When you are not on the login page of a Web site, it triggers a small navigation window (see above). The window displays the list of all the Web sites that you have registered with the 1-click sing-in service. Simply click any of these links; you will navigate to the site and be logged in automatically. No more URL to enter, no more name and passwords to remember or type, only your PIP OpenID!

Security and Free Digital certificates
Since the 1-click vault security hinges on the PIP authentication, we wanted to offer you a broad choice of strong authentication solutions. Last year, we enabled VIP credentials (OTP tokens) within the PIP. This year we added a free layer of security that does not require any hardware. Indeed, we are giving our PIP users a free VeriSign certificate to secure their PIP account. Certificates and PKI have often been blamed for poor user experience. Therefore, we decided to create a new user interface for logging in with a certificate. Instead of issuing an identity certificate, we are issuing what we call a "browser certificate. A browser certificate is anonymous. It does not contain any information about you. Think of it as an opaque token that you link against you PIP account to protect it (it provides a second authentication factor: "something you have". Your PIP login name and passwords remains your first authentication factor: "something you know"). You can install these certificates on Mac and Windows (as many as you need). The certificates are free. We are still working on the iPhone (we have encountered a few challenges with certificates with the iPhone Safari, but with a little help from Apple, we will get there).

Voila!
The whole PIP team has worked hard during the last 8 months to bring you all this new functionality. We are really excited to release this new version of the Personal Identity Portal to our growing PIP community. We hope you will enjoy using it as much as we enjoyed building it. Feel free to drop us a note, report bugs and make product suggestions. Our support email is support@verisignlabs.com. We are looking forward to your feedback!

Posted by Nico Popp at 9:45 AM
Permalink | Comments (0)

As referenced on Mike Jones's blog, Fun Commutations has deployed a service at: http://idtheft.fun.de/ that attempts to demonstrate a man-in-the-middle based phishing attack against a number of OpenID providers using Janrain's IDSelector. Since our Personal Identity Provider or "PiP" is one of the providers included in the Selector we naturally had a look.

The good news is that there are a couple of features specifically designed in the PiP to combat the attacks noted in the demonstration. The first is found within the PiP itself. The optional feature is called "Secure Sign-On" and the way it works is that if the user has enabled it, they must first be logged into the PiP *before* they attempt to login to a RP. If they are not logged in and they attempt to login they will be presented with this message:

The important point is that any PiP user who has enabled this knows that they must first login, so in the "Fun" case seeing a login screen while having the feature enabled would immediately flag the user that they were being phished.

Secondly, this feature combined with our SeatBelt being used in conjunction with the PiP beta product affords even more detection. With SeatBelt if a user is entering their identity URL we immediately detect whether or not the user is logged in and if they aren't we give them the option to login to their account. With SeatBelt installed Firefox 2 and 3 users can clearly see if they are on the "correct" login page through a visual indicator in their status bar. There are a number of checks SeatBelt performs to insure that the login page the user is entering their credentials into is correct for their configured OP. In addition to the PiP, SeatBelt is supported by 9 other providers some of which are listed in the selector (more on this in a follow-up post).

In addition to these features our PiP product also provides 2 factor authentication through our VeriSign Identity Protection ("VIP") Authentication Service so at the end of the day our view is balancing usability with the layering of functionality to thwart the very thing that Fun in their demo attempts to bring forward. "Secure Sign-In" backed with 2 factor authentication and SeatBelt we believe is a step to providing a level of comfort to the OpenID community in continuing to drive usage and adoption.

Posted by Gary Krall at 10:18 AM
Permalink | Comments (0)

The controversy around personal and social data portability is growing. For consumers, it is an important issue because it will determine how much ownership they will be able to enforce upon their "digital identity" that lives today across competing Internet silos. For the silos, the Google, FaceBook, Yahoo! and Microsoft of the world, a lot is at stakes since, ultimately, it is about whom consumers will entrust with their digital self.

Undoubtedly, data portability is the natural child of federated identity (more on that in a future post). Personal and social data are an important part of any consumer identity'. Like identifiers, credentials and profile attributes, social graphs, activity streams belong to the end user who created them in the first place. In the long run, consumers will require full control, privacy, security and portability over such personal information. Therefore, the identity technical community must engineer a new and comprehensive identity portability layer. The new layer needs to broaden the tradition notion of identity federation beyond names, passwords and profile to encompass the full gamet of personal and social data. Furthermore, this new layer must support a plurality of identity service providers who can compete and distinguish themselves by the quality of their service and the user experience that they provide. Freeing our data off Web portals and social networks by creating a new service layer dominated by one single service provider is hardly trading one master for another.

Incidentally, putting the user first and ensuring plurality of competing identity service providers strikes as the fundamental principle that OpenID places on identity providers. The OpenID foundation has always be the strong proponent of a user-centric approach to Internet identity. Unlike many organizations, it appears to have achieved a balanced representation across the grass-root technical community and large big Internet corporations. Moreover, because of the strategic stakes it represents, the quest for personal data portability is likely to become the main driving force behind OpenID deployment and maybe, even the necessary solution to the so-called "relying party problem".

As a neutral ground, I hope the foundation will quickly realize that it has the opportunity and responsibility to provide the necessary leadership that helps clearing the technical issues around personal information and data portability. Yes, more than large Internet companies proclaiming their own APIs as open standards, it seems to me that OpenID can be the right foundation (pun intended) to lead towards a true interoperable solution for Internet data portability.

Posted by Nico Popp at 1:36 PM
Permalink | Comments (0)

The issue of personal data portability is rapidly moving center stage. So, what is the big fuss about and what is really at stake here?

For us, as consumers, it is an important issue because eventually, it will determine how much ownership we will be able to enforce upon our personal data and content, including our social graph, that today, is dispersed across competing social networks and Web portals.

For Google, and FaceBook (FB), the stakes are equally high. Ultimately, the winner could take it all and be the one who really drives revenue from social networking. But to understand, we need to review the controversy first.

It really all started with OpenSocial. OpenSocial was Google's response to the rapid rise towards hegemony of FB APIs. To counter FB, Google created an alternative that it self-proclaimed an open standard by rallying a large number of FB competitors behind it.

Competitive response aside, Open Social also arises from our industry's realization that social network is much more than a destination. Social networking is really a new application dimension. It is a new form of interactions that can augment almost any application, or any web site. To add social networking capabilities to an application, you need APIs. OpenSocial fills that gap.

With OpenSocial, Google is also reducing social network to mere "containers". Google is turning the social networking portals into a set interoperable data sources that it can dip into. In fact, with the consent of the end-user, these social databases become instantly accessible to a whole new layer of identity services. The first generation of these new of services is now known. It is called Google Friend Connect.

It is clear that FB understand the threat of a layer above social networks dominated by Google. Its decision to block Friend Connect under the excuse of privacy control does not fool anyone. It is also likely that OpenSocial may have forced FB into exposing its own APis to third party Web sites. Friend Connect, on the other hand, is consistent with Google "social cloud" strategy. It simply extends OpenSocial by alleviating the need for site owners to write code. Although it remains to be seen whether an embedded widget can provide the right user interface, by putting itself, between Web sites and social networks, Google is moving fast to disintermediate the leading social network. If Google were to succeed, it would surely make a significant dent into FB's $15B valuation.

But what is the real prize here? What is really at stakes? Let me venture an explanation. How do you discover sites, products, music, videos on the Internet? You Google it,of course. Now, in the real world, how do you discover products, movies, or books? Very often, you discover them through your social connections. Social events are always full of "I love this new product, you should really buy it too", "you must see that movie", "I highly recommend reading that book", "this restaurant is unbelievable". So maybe, social discovery is the perfect complement to search when it comes to generate and monetize traffic to other sites.

So here may lie Google's bet on Open Social. The bet is that social networking capabilities integrated into a Web site can drive viral traffic (because your social feed will notify your friends of a site visit or of a transaction, because you will recommend a merchant by becoming a 'member of the site' or writing a review, because you will trust a site by finding people you know who have already experienced this site). Not withstanding the data mining and advertising intelligence opportunity that sitting between sites and social networks can present in the long run, the bet is that social interactions will drive more site visitors. Of course, for an ad network like Google that strives on monetizing new customer acquisition and traffic, it is a very rational bet.

So while FB seems initially more concerned about keeping interactions within the walled garden, Google is forcing all the social networks to embrace a deportalization strategy. Of course, it is a smart move for Google who, unlike social networks, has already strong customers relationship with most Web sites through its AdWords and AdSense programs. Without access to a direct channel to online merchants and .COM sites, FB is in a relatively weaker position but it had to respond and Facebook Connect is its current answer to Google. Will FB be more effective in driving revenue by deportalizing its APis and driving traffic outside FB instead of raising the walls of the garden day by day? That remains to be seen.

At the end of the day, social traffic is still a theory in search of validation. For these merchants and Web site owners, that traffic may never materialize. To the non-believers, I can only oppose the success of Yelp whose sole purpose of its community is to drive traffic to local businesses. Considering the energy that Google is deploying around open Social and Friend Connect, we should have our final answer soon. One thing is almost certain, for the near future, the social cloud is likely to be the strongest market force driving internet-scale identity services, and that is very good news for OpenID.

Posted by Nico Popp at 11:52 AM
Permalink | Comments (0)

With the increasing visibility of OpenID, VeriSign gets often invited to conferences to discuss the implications of this new technology. One of the questions that I often get from the audience borrows a line from Jerry Mc Guire: "When technology is based on IP-free open standards, how do identity vendors and service providers make ends meet?" In other words: "Show me the money!" Broad question, so I thought I would get on the record to describe a few of the popular business theories around OpenID and discuss their respective merit.

The IDM Software Business Model:

The first answer is to observe that OpenID is a federation protocol and as such, it fits well within an identity management suite (very much like SAML, or WS-*). Vendors in that space are well known: CA, HP, IBM, Microsoft, Oracle, Sun, etc. IDM vendors derive revenue by licensing their identity management software to large enterprises. Single-Sign-On across enterprise applications still remains an unsolved problem within many enterprises. Because of it is ligthtweightness, OpenID carries the promise of simpler integration across many internal Web applications (enterprise portal, SAP, Oracle Web apps, etc...), making it an attractive IDM solution component and a must-have for most IDM software vendors.

The Service Aggregator Business Model:

OpenID is especially best suited for managing identities across consumer services. So, the natural early adopters will be consumer service aggregators, such as Mobile Network Operators and MSOs. Indeed, these companies view their millions of subscribers as an untapped strategic asset. The ability to leverage OpenID to more easily up-sell and cross-sell subscribers across a growing portfolio of services and channels (wireless, broadband and TV) has strong business appeal. In other words, federating within the walled garden makes good business sense: one unified identity, one converged brand experience, one view of the customer and the ability to subscribe existing customers across new services in one single click, whilst charging them on one single bill.

The Security Business Model:

As a consumer, if you have one consolidated identity for use across many Web services, you are more likely to want to protect that unique identity. It is also easier to do so, since only the identity provider needs to deal with the complexity of any additional security technology. In a shared identity eco-system, security solutions such as strong authentication become more cost-effective since the price of securing identities can now be shared across all the relying parties. In other words, economies of scale can be realized. This is exactly the VeriSign identity protection model that we introduced in early 2006. At that time, OpenID did not exist, so the chances of sharing a complete identity were pretty slim. Therefore, we decided to adopt a simpler sharing model where only the security (the second authentication factor) is shared across sites. Authentication services such as VIP are a good fit for OpenID as they make it relatively easy to turn any IDP into a strong IDP. Beside, if accepting a name and a password from a third party may not provide much additional value over a self-issued name and password, the idea that an identity provider will provide a more secure and stronger identity could well be a compelling value proposition for sites to start accepting OpenID as relying parties.

The Insurance Policy Model:

Building on the idea that what makes accepting a third-party as an identity provider is a stronger identity, arises the identity assurance model. In that model, the identity provider becomes a risk underwriter. Basically, the IDP "insures" the relying party on the validity and knowledge that it has about a given identity. The identity risk profile allows the IDP to make some explicit guarantees (e.g. "no charge back") and be compensated for it. For example, a bank who knows a lot about a consumer identity and purchase behavior could vouch for a consumer transaction to be trustworthy and underwrite the risk based on the consumer risk-profile that it has accumulated over time.

The Lead Generation and Advertising Model:

In OpenID everyone is focused on Single-Sign-On. The truth is that the real money-maker may be more about attribute exchange than simpler login. By attribute exchange, I mean the ability to seamlessly transmit a subscriber's registration profile and payment information in real-time. In that context, I can see OpenID become an enabler for CPA-based advertising. In the CPA model, the publisher and the ad network (IDP) get paid when the user registers with the advertiser (lead acquisition) or purchases from the advertiser (impulse buy). By removing the typing, OpenID can enable a much more effective CPA model where the user only needs to login into their identity provider to authorize a registration or a purchase. The ability to register a new customer and allow them to pay from any device within 1-click could prove a significant enabler for direct response advertising.

Of course, all these business models remain somewhat theoretical and unproven. However, the intuition is that there are many angles to consider when approaching OpenID from a business perspective. Interestingly, the breadth of opportunities should make the emerging standard more relevant to many leading Internet companies. This may explain the broad and growing attraction for federated identity, and OpenID in particular. That is all good news for the technology, as without business drivers, it will remain a technology construct that makes conferences headlines but is ignored by business minded leaders. That would be a shame of course as the best ideas are the one that can seduce consumers, technologist and those who follow the same three directives day after day: "Show me the money, show me the money, show me the money!"

Posted by at 1:30 PM
Permalink | Comments (0)

Not too long ago I learned from my colleges in our Japanese office about things happening around OpenID in Asia. Working with Kentaro Sakamoto-san from VeriSign Japan, I managed to setup a trip coinciding with the ITU-T's Focus Group on Identity Management meeting, to Tokyo and Seoul. Working with Sakamoto-san and Andy Song from AhnLab, who I met at Web 2.0 Expo this year, we managed to setup a great trip where I spent about a week in Tokyo and 22 hours in Seoul. I had a lot of great meetings in Tokyo and in Seoul AhnLab hosted a wonderful half-day OpenID session. Slides from that are up on SlideShare at http://www.slideshare.net/daveman692/open-id-overview-seoul-july-2007 Thanks again to Sakamoto-san, everyone at VeriSign Japan, and Andy for being terrific hosts.

Last Saturday, we completed the upgrade of our Personal Identity Provider. All accounts have been automatically upgraded and the URL is the same at http://pip.verisignlabs.com. We definitely encourage everyone to come try it out as we believe it is the best OpenID Provider in existence! Not only does it have all of the features from the PIP we launched last May, but adds support for OpenID 2.0, the ability to manage multiple identities within one PIP account, integration with strong authentication via our VeriSign Identity Protection network, Information Card support as one way to help protect against phishing attacks, and our SeatBelt Firefox add-on which works with a variety of OpenID Providers.

This week I'm up in Portland OR at O'Reilly's Open Source Convention. Tuesday morning, Simon Willison and I gave a three-hour OpenID Bootcamp tutorial where we dove into many different aspects of OpenID from a basic introduction, to security concerns and solutions, to implementation details. Slides from the tutorial are also up on SlideShare at http://www.slideshare.net/daveman692/openid-bootcamp-tutorial. In the afternoon, Simon and I joined Tim O'Reilly during his Radar Executive Briefing where we gave an update on OpenID and discussed why as he said, "OpenID is taking the world by storm".

Ending the day Tuesday, I was awarded a Google-O'Reilly Open Source award which I posted more about on my personal blog. The award I won was for Best Strategist which refers to the work I've done over this past year at VeriSign within the wider OpenID community. Am certainly really honored to have been recognized, though am guessing I now need to work on raising my hacker geek cred again. :P

Posted by at 11:08 AM
Permalink | Comments (0)

• Completely redesigned interface to make the PIP easier to use
• Support for OpenID 1.1 and 2.0
• Ability to create multiple identities managed from within a single user account
• New "tag based" profile data management interface making it easier to view and sort all of your profile data
• Ability to download managed Information Cards for each of your created identities to use with technology such as Microsoft's Cardspace
• Strong authentication support via second-factor credentials from the VeriSign Identity Protection network, along with the ability to have a one-time PIN sent via SMS or email if you've forgotten your credential
• Phishing-resistant logins using both VIP credentials and managed Information Cards
• Full activity logging so you can have a complete picture of where you've used your identities
• Integration with our own "OpenID SeatBelt" FireFox add-on to provide additional convenience and security protections when using OpenID identities from the PIP, AOL, Xlogon and MyOpenID.com

Posted by at 8:03 PM
Permalink | Comments (0)