
Trusted Identities in Cyberspace

Last week, the White House announced its official National Strategy for Trusted Identities in Cyberspace (NSTIC). NSTIC is the largest-ever effort by the federal government and private sector partners (including Symantec) to develop a secure, standards-based and interoperable online identity system. The goal: Improve the security and privacy of online interactions and more effectively fight cybercrime. Today's announcement marks the culmination of two years of effort by VeriSign (first as an independent company and later as part of Symantec) to help bring this important initiative to life.


At the heart of NSTIC is the concept of an Identity Ecosystem based on trusted identity frameworks. Trusted identity frameworks are the lynchpin to trusted interactions online, for everything from e-commerce to electronic health records to online voting. These frameworks will require all participating service providers to ensure the credentials they offer adhere to the same standards for identification, authentication, security and privacy. This wouldn't be a "national online identity" setup, but rather interoperability among many market offerings.


The initiative recognizes that public-private partnerships are essential for success. Symantec and other private sector companies have already created the technology for strengthening and sharing high assurance identities. Government leadership will promote, facilitate and coordinate industry to further NSTIC goals.
The government can also help overcome the three big impediments this kind of initiative faces:


1. Privacy concerns: The government can define and deploy standardized trust frameworks that help ensure citizens' privacy (e.g. by working through the private sector, leveraging organizations such as the Online Identity Exchange).

2. Liability concerns: Data breaches involving personally identifiable information (PII) can easily run into the tens or hundreds of millions of dollars, depending on the number and kind of records affected. Once trust frameworks are in place, Congress can pass legislation to cap liability for organizations certified under those frameworks.

3. Business concerns: The federal government can create a business incentive for trusted identity providers to join the eco-system by becoming the initial customer. That would basically prime the pump for a trusted identity service business model.


NSTIC's goals for FY11 include:


• Convene the private sector by hosting workshops on governance, privacy and technology
• Establish a governance model, standards and models for addressing liability
• Develop criteria, assess potential programs and prepare for formal funded pilot launches in FY12


These plans are ambitious, certainly, but are necessary given the escalating data breach and cybercrime threats people face every day. NSTIC will provide the means to dramatically improve online authentication and the security, privacy and business benefits it provides.

04/20/11

And the Oscar goes to

I could not resist the temptation. Trust Seal, the Trilogy is now on YouTube.





The first act is strictly business, but you may not want to miss act II and act III with Snikko the hacker. Rest assured. I have already promised the marketing team that there would not be a sequel.


03/16/10

Rethinking Internet Trust and Reputation

Today, we are launching the VeriSign Trust Seal, a new service for small and medium businesses with an online presence. It is a big day for everyone at VeriSign who has been working really hard on the new service the last 15 months. It is always a thrill to release a new product. It is even more exciting when there is a compelling and long term vision behind the initial release of a new Internet service.

Setting the standard for website trust
The goal behind this new trust service is as simple as it is lofty. Is it possible to create a blueprint for trust on the Internet? Can we increase safety and trust on the web by raising the bar of security best-practices? Can we communicate trust in such a simple visual way that any consumer would understand? Can we promote trust between consumers and websites as an engine for economic growth?


Trust brokering as a network service

From the late 13th century Italian Renaissance, to the early 21st century global economy, trust has always been a fundamental tenet in the development of commerce and trade. In a world that is increasingly leveraging the web as a channel for customer acquisition, transaction and fulfillment, trust brokering is a critical yet missing network primitive. For enterprises to embrace SAAS applications, suppliers to join Internet marketplaces or consumers to select businesses on the web, the network needs trust brokering services that can certify and assert trust among parties with little prior knowledge of each other.


A pragmatic starting point for website trust
Web site trust is a multi-faceted problem. Authenticity, security, reliability, assurance, privacy and reputation are all important dimensions to ensuring trust. Therefore, setting the initial bar for Web trust is a significant challenge. Set the bar too low and the lack of substance in the attestation of trust makes it irrelevant to consumers. Set the bar too high and the economic barrier to entry makes the standard irrelevant for websites. Unless a pragmatic balance is achieved, the end goal of a complete standard for trust can never be achieved. Trust Seal is VeriSign's initial step to providing an end-to-end solution to this challenge. We hope to have achieved such an initial balance of pragmatic relevance to continuously raise the bar for trust on the Web in the years to come. So, on February 24th 2010, what does it mean for a website to be VeriSign trusted?


Authenticity with business authentication
First it means that we have verified that the web site is authentic. Basically, we verify that the website is really who they say they are. We call this process business authentication. We make sure that the business owner owns the domain name and that the business is a legitimate business. Because bad guys can easily hide behind the façade of a professional web site, this is a very important step to establishing Web trust. By verifying the true identity of the website and the business behind it, accountability can be achieved. This is similar to what certificate authorities (the good ones) do when they validate an organization before issuing an SSL certificate for e-commerce. What we have done is extend a fundamental principle for trust in ecommerce to any Web domain, to any web site on the World Wide Web.


Safety with malware detection in the cloud
The second check is to evaluate how safe it is for a consumer to visit the website. We contemplated many different approaches. However, the last two years have taught us that the most dangerous thing that can happen to consumers on the Web is to be infected with malware. For that reason, we decided to tackle this significant safety issue of web malware first. The new VeriSign trust seal is dependent on a successful drive-by download malware scan. Each website is scanned daily. The seal display is automatically turned off when malware is detected. Remediation instructions are provided to the website to remove identified exploits.



Trust Signaling for the Web

consumers, we are reducing the trust signal to its simpler expression. The seal displayed on the site web pages attests that the site is authentic and safe. This is where the VeriSign heritage comes into play. Millions of consumers are already familiar with the VeriSign Secured seal for SSL. We are maintaining the brand, but extending the scope and meaning of our trust mark. The VeriSign seal becomes a simple yet powerful visual cue for consumers to assess whether a website meets transparent criteria for authenticity and safety. Trust marks for ecommerce web sites are not new. However, we believe that any commercial website, transactional, non-transactional or social Web outlets of small and medium businesses could greatly benefit from trust marks moving forward.


Beyond the web site: trust signaling in search and directories
In the long run, trust and reputation assessment should become part of the discovery process of online businesses. Popularity and page ranks are one dimension of search. How much a site can be trusted ("trust rank") is an important measure as well. In fact, in the last years, safe search has emerged as an important feature for search engines and end-point security clients. Both have already integrated features to detect, signal and block drive-by malware infected websites. "White lists" of trusted sites should prove an important complement to black lists for search and navigation. Therefore, we have been working to integrate the new seal as a trust indicator in search and directory services (more on that in a future post).



As you can see, the VeriSign Trust Seal encompasses many new features and the roadmap should keep the product and development teams busy for a while. We are thrilled to tackle one of the most critical and challenging Internet issues. So, give the new service a test run and let us know what you think.

02/23/10

Top 10 Security "Predictions" for 2010


As one of the world's leading security vendors, VeriSign has been asked to discuss the top 10 most important security areas for 2010. So, ahead of my new year's resolution, I decided to indulge (after a year working heads down on a single product, it is a fun exercise to think of all the things that you have been missing out on). Although the list is far from complete, it is clear to me that there is no recession for the bad guys. In fact, it has probably never been a more interesting time to be in the security business.


Security Prediction #1:
Cloud Security (Securing the Next IT Infrastructure)

Call it cloudmania or software as a service (SaaS) hype, data, applications, or networks: The whole IT infrastructure is shifting to the cloud. With it, a large chunk of today's IT budgets will be redistributed to the next Google of the cloud. In 2010, SaaS security will be in the forefront as chief information officers ponder their increasing reliance on external business applications: "Is my data safe? Is my security policy enforced? Am I still compliant?" Federated identity and access management services across SaaS will start providing some answers, and strong authentication will bolster identity services. Cloud platforms such as Microsoft Corp.® Azure and Rackspace will lead the industry to redefine key and certificate management within cloud environments.


Security Prediction #2:
Website Security (the Growing Threat of Web Malware)

The Web is a growing channel for malware distribution. From February to August 2009, the Google search blacklist grew by 65%. It is now very clear: Bad guys want to infect popular Web sites with malware to silently take over your desktop as you browse the Web. Their weaponry is as effective as it is diverse: hidden IFrames, obfuscated JavaScript, and malicious browser add-on objects. The arsenal and sophistication of these exploits is growing daily. Even with anti-virus running on your machine, your odds of being infected while visiting a drive-by download site may be more than 1 in 2. Let us face it: Web pages have become sophisticated programs. They are increasingly becoming a dominant attack vector for all the world's hackers who are seeking home computers for their botnets and consumer identities for their piggy banks. As the threat increases over time, drive-by malware protection will become an important check for any commercial Web site.


Security Prediction #3:
Virtualization Security (Protecting the Cloud Operating System)

Securing virtualized environments is an absolute necessity. After all, virtualization is to the cloud what the browser is to the Web. Some see the hypervisor as the ultimate rootkit. We see virtualization as an opportunity to improve security through end-to-end automation. Combined, virtualization and the shift to the cloud provide a unique opportunity to transform the way we do security today. Virtualization enables security automation. Automation will streamline security deployment and ongoing management, taking us to levels that we simply could not achieve before. As virtualized switches reduce networking cost and complexity, virtualized security appliances and virtualized component certification will reduce the difficulty of deploying secure environments. For now, many questions remain: How do I secure my virtual images? How do I ensure the integrity and confidentiality of my enterprise servers, my employee desktops, and mobile phone templates and images? How do I make sure that all the data that these edge-deployed images consume and produce are protected by keys to which no one else has access? As end-point deployment converges to an automated assembly of virtualized software components (operating system, applications, firewalls, anti-virus, intrusion prevention system, intrusion detection system, load-balancer, policy servers, etc.), how do I make sure that these elements are authentic, patched, and selected according to my security policies? For many years, we have been securing code for ActiveX and Java applications. The next generation of trusted software may well be virtual images.


Security Prediction #4:
Mobile Security (From Mobile Phone to "Security Remote")

Thieves steal a laptop every 53 seconds, and authorities never recover approximately 97% of these devices, according to the FBI. Worse, thieves will steal one out of every 10 laptops within 12 months of purchase. With the explosion of smart phones around the world, the new mobile platforms are about to become a hacker's dream and a corporate IT nightmare. It is no coincidence that 2009 saw the first iPhone worm. In a world of untethered devices (laptops, net books, smart phones, tablets), personal and corporate data must be encrypted, remote mobile access must be strengthened, and mobile end-point security must be deployed. Over time, mobile devices and the alternate digital channel that they enable will turn into a "personal security remote control". Indeed, we all need the choice of stronger security that does not impact the convenience of our digital lives.


Security Prediction #5:
Social Networks Security (Bringing Trust to Social Communities)

There are clear and obvious dangers associated with social networking including personal data theft, malware, and scams. The most prevalent threats often involve online predators or individuals who claim to be someone that they are not. A December 2009 study from Sophos Plc. showed that 41% to 46% of contacted users "blindly accepted" friend requests from fake Facebook users created by the security firm. As businesses increasingly start leveraging social media to interact with consumers, business authentication, reputation, and trust marks should have an important role to play in the social neighborhood. Because trust is essential to any form of business, in 2010, social applications and games may seek trusted third parties to identify, certify, and signal legitimate businesses that comply with industry best practices.


Security Prediction #6:
Safe Navigation & Search (Surfing with Peace of Mind)

On today's Internet, clicking on a hyperlink may end up being one of the riskiest decisions for millions of Internet users. In a Web of phishing, drive-by malware and scams, what lies behind the link can indeed be deceiving. In 2010, Web navigation will need to get safer. Already, we are working with bit.ly to identify malicious shortened URLs. More global and impactful is the announcement to deploy DNSSEC across .COM and .Net in 2011. Because DNS is at the heart of Web navigation, the introduction of DNSSEC within the Internet infrastructure should have a profound effect on bolstering security across Web browsers, directories and search engines. Less obvious, DNSSEC could also change the way developers create secure APIs on the Web. DNS is a powerful directory protocol. Yet, most Web platforms use REST APIs over HTTP/HTTPS, and not DNS. This is due in part to the extra security and trustworthiness provided by HTTPS over DNS, which is subject to MIM attacks. However, when it comes to scale and operational costs, large data lookup systems based on DNSSEC APIs could be more cost-effective than those based on HTTPS. As DNSSEC becomes ubiquitous across the Internet fabrics, trust services, new directories and large dataset lookup systems based on DNSSEC could emerge. Someone just needs to invent the equivalent of JSON to encode key-value pairs over DNS. So could DNSSEC change the way Internet architects design open secure Internet systems tomorrow? Certainly, it will be up to the developer community to decide, but 2010 may be the year when DNS becomes a viable alternative.


Security Prediction #7:
Network Security (Elastic DDOS Protection)

With Facebook and Twitter in the bad guys' cross-hairs, the increasing threat of distributed denial of service (DDOS) has reached unprecedented notoriety. Across the world, DDOS attacks have risen to unprecedented levels. Looking forward, our increasing reliance on public networks to support commerce, IT mission-critical applications, and communication will continue to drive the need for DDOS protection. Because DDOS protection is a game of scale, DDOS monitoring and mitigation cloud services should play a pivotal role in keeping public and private networks safe in 2010.


Security Prediction #8:
Consumer Identity Trust (the Emergence of User-Centric Policies)

The evolution of the World Wide Web into a user-centric, real-time and distributed information system has never been so evident. In less than 15 years, our center of attention on the Web has already shifted from the highly centralized portals to the more distributed blogosphere, the more personal Facebook pages of our friends, and the more real-time Twitter streams of our specialized interest. Increasingly, the content and data that truly matters to each of us has become de-centralized, personal and real-time. As the Web continues this inexorable mutation into a user-centric, distributed and real-time information system, the imperative for a new identity system becomes blatantly clear. The necessity for each of us to control and protect our content and data across multiple service providers eventually drives the emergence of an open identity order that goes beyond the artificial locks imposed by large user and social communities. If the data and content that matter to us are personal, distributed and real-time, surely, these new identity services will need to ensure that they remain authentic, safe and private. In 2010, open identity systems will continue to garner momentum. Governments will begin deployment. Because interoperability cannot be achieved with technology alone, an open policy framework will emerge as a foundation for identity privacy, security and trust.


Security Prediction #9:
Securing the Smart Grid (Safe Clean Tech)

Saving energy and improving management of energy is high on today's political agenda. With millions of individual homes, building apartments, offices, the network of things will likely be larger than the World Wide Web. Securing the smart energy grid cannot be an afterthought. The interconnection of consumer devices, meters, distribution transmission infrastructure, and energy providers into an intelligent network may not only be the country's largest growth and innovation opportunity, it could also be its greatest liability. The network of things will have to be trusted from day one. This worthy endeavor will drive the deployment of next generation cryptography, embedded certificates and trusted computing for smart grid elements. It is still early, but there is no alternative: the smart grid will have to be secure or it won't be.


Security Prediction #10:
Browser Security (Stopping the Man in the Browser)

Browser security seems to be as much art as it is a science. As anti-virus companies and hackers keep on playing the cat and mouse game, new approaches for protecting users against malware are starting to emerge. Browser sandboxing is a promising area. Cloud-based AV provides another innovative approach. Most corporate users are already familiar with AV web proxies. They process web pages in real time and filter based on signatures and blacklists. Real-time updates and shared threat intelligence are some of the key advantages of cloud-based malware detection. The approach has merit since signatures can take days to be written while malware can morph in hours. Browser and plug-in vulnerabilities will keep on driving desktop threats in 2010. The VeriSign iDefense team will keep on publishing zero-day exploits and vulnerabilities ahead of attackers. If last year's trends are any indication of what the next year will look like, they have their work cut out for them.


01/11/10

OpenID and the User-Centric Time Machine

There have been a few very insightful discussions from Chris Messina and others regarding the PIP as a secure file, so I thought I would share some of our longer-term product goals.


Today, the PIP file vault is a personal digital locker for our users to manually upload their most personal files. That by itself is not an innovation. In fact, the Web is full of personal storage services like Gmail. Online storage provides immediate and useful value, yet its usefulness is limited by the amount of work an end-user is willing to commit (uploading takes work!).


Now it is interesting to consider how this simple Web 1.0 model of personal digital storage evolves when combined with an OpenID provider. Together, can these technologies allow us to transfer and store in one single place under our control the personal files, private data and rich media content that is today spread throughout the Internet? In short, can a simple file vault become the in-cloud "time machine" of our distributed digital lifestyle?


A SAAS and device-centric view of cloud storage:

A lot has happened with network storage in the last few years. One of the most notorious disruptions is Amazon S3. I would characterize Amazon S3 as a SAAS-centric view of storage. Web applications can outsource the storage function to a highly cost-effective network that already has reached economy of scale. Obviously, it fits the Amazon economic model perfectly. Closer to the end user, we find Microsoft and Apple storage services. Their approach is similar in concept. To them, cloud storage is merely a device enhancement and synchronization is their lingua franca (iSync for Apple, Live Mesh for Microsoft). The concept certainly has merit for users with data spread across multiple devices. However, this is a very device-centric view of the world. It fails to realize that increasingly, our critical data resides across many Internet Web sites with no ability to synch.


A user-centric viewpoint: centralized storage for distributed private data

So, what happens now when one looks at storage with a Web 2.0 user-centric view instead of the cloud-centric view of Amazon, and the device-centric view of Microsoft and Apple? One sees independent, distributed and sometimes competing Web services. Through these services, users store personal information, create new data, and acquire digital content. Some of that content is low value and can be left behind. Some of this data is social in nature and is probably best shared with our Facebook friends. However, some of this data is also highly confidential and personal in nature. In that case, we, the end user, should be able to request its safe transfer, and backup to a digital locker that we fully control (the OP).


Towards a "Locker Connect" mechanism

Using the OpenID and OAuth models, such private data transfer can be authenticated and authorized by the end-user (although the data flows from the RP to the OP). The locker network end point address can be discovered as any identity attribute would. Finally, a user interface à la Facebook Connect can provide a friendly user experience while ensuring a user-centric control point (the user controls what, where, when and if the data is being sent).


The "wow" effect

The use cases certainly sound unlimited. Think digital health care and the $20B stimulus package: whether I am accessing my doctor, hospital, lab or pharmacy Web sites, I can now authenticate across all health service providers and authorize the audited transfer of personal health records back to my locker. Think rich media content: I can now purchase digital music, movies, or books across multiple e-tailers and have the bits (or maybe just the digital rights) sent back to my locker. Think payment and billing: please, send all my purchase and online statements back to my digital locker.


Yes, we can! With data portability and OpenID, a simple file vault can grow into a much more compelling personal identity service. And who knows. With security and private storage, we may even have a real business model!

02/22/09

Been a Busy Two Weeks!

Not too long ago I learned from my colleagues in our Japanese office about things happening around OpenID in Asia. Working with Kentaro Sakamoto-san from VeriSign Japan, I managed to set up a trip coinciding with the ITU-T's Focus Group on Identity Management meeting, to Tokyo and Seoul. Working with Sakamoto-san and Andy Song from AhnLab, who I met at Web 2.0 Expo this year, we managed to set up a great trip where I spent about a week in Tokyo and 22 hours in Seoul. I had a lot of great meetings in Tokyo and in Seoul AhnLab hosted a wonderful half-day OpenID session. Slides from that are up on SlideShare at http://www.slideshare.net/daveman692/open-id-overview-seoul-july-2007. Thanks again to Sakamoto-san, everyone at VeriSign Japan, and Andy for being terrific hosts.


Last Saturday, we completed the upgrade of our Personal Identity Provider. All accounts have been automatically upgraded and the URL is the same at http://pip.verisignlabs.com. We definitely encourage everyone to come try it out as we believe it is the best OpenID Provider in existence! Not only does it have all of the features from the PIP we launched last May, but adds support for OpenID 2.0, the ability to manage multiple identities within one PIP account, integration with strong authentication via our VeriSign Identity Protection network, Information Card support as one way to help protect against phishing attacks, and our SeatBelt Firefox add-on which works with a variety of OpenID Providers.


This week I'm up in Portland OR at O'Reilly's Open Source Convention. Tuesday morning, Simon Willison and I gave a three-hour OpenID Bootcamp tutorial where we dove into many different aspects of OpenID from a basic introduction, to security concerns and solutions, to implementation details. Slides from the tutorial are also up on SlideShare at http://www.slideshare.net/daveman692/openid-bootcamp-tutorial. In the afternoon, Simon and I joined Tim O'Reilly during his Radar Executive Briefing where we gave an update on OpenID and discussed why as he said, "OpenID is taking the world by storm".


Ending the day Tuesday, I was awarded a Google-O'Reilly Open Source award which I posted more about on my personal blog. The award I won was for Best Strategist which refers to the work I've done over this past year at VeriSign within the wider OpenID community. Am certainly really honored to have been recognized, though am guessing I now need to work on raising my hacker geek cred again. :P

07/26/07

Updating the PIP

Today at the Burton Group's Catalyst conference in San Francisco during an interoperability event this evening, we'll be demoing a pre-release of our upcoming update to our Personal Identity Provider. This update touches every aspect of the PIP, providing the foundation for an identity management platform from VeriSign.

Over the next few weeks, leading up to the launch of this update, we'll be looking at the new features one-by-one in a series of blog posts. From a high-level, you can look forward to the following, but overall we've focused this release on security, control, and convenience:
  • Completely redesigned interface to make the PIP easier to use
  • Support for OpenID 1.1 and 2.0
  • Ability to create multiple identities managed from within a single user account
  • New "tag based" profile data management interface making it easier to view and sort all of your profile data
  • Ability to download managed Information Cards for each of your created identities to use with technology such as Microsoft's Cardspace
  • Strong authentication support via second-factor credentials from the VeriSign Identity Protection network, along with the ability to have a one-time PIN sent via SMS or email if you've forgotten your credential
  • Phishing-resistant logins using both VIP credentials and managed Information Cards
  • Full activity logging so you can have a complete picture of where you've used your identities
  • Integration with our own "OpenID SeatBelt" Firefox add-on to provide additional convenience and security protections when using OpenID identities from the PIP, AOL, Xlogon and MyOpenID.com


Check it out, but please realize that any accounts you create will go away in a few weeks when we fully transition the PIP. http://jpip.verisignlabs.com

06/27/07

VeriSign, Microsoft & Partners to Work together on OpenID + Cardspace

This week should be an exciting week for the OpenID community, with lots of things happening at the RSA conference going on in San Francisco. Here's an announcement between VeriSign and some of its partners in the OpenID effort announcing plans to work with Microsoft on making OpenID and CardSpace interoperable:
Microsoft to Work With the OpenID Community, Collaborating With JanRain, Sxip, and VeriSign

JanRain, Microsoft, Sxip, and VeriSign will collaborate on interoperability between OpenID and Windows CardSpace(TM) to make the Internet safer and easier to use. Specifically:

  • As part of OpenID's security architecture, OpenID will be extended to allow relying parties to explicitly request and be informed of the use of phishing-resistant credentials.
  • Microsoft recognizes the growth of the OpenID community and believes OpenID plays a significant role in the Internet identity infrastructure. Kim Cameron, Chief Architect of Identity at Microsoft, will work with the OpenID community on authentication and anti-phishing.
  • JanRain, Sxip, and VeriSign recognize that Information Cards provide significant anti-phishing, privacy, and convenience benefits to users. Information Cards, based on the open WS-Trust standard, are available through Windows CardSpace™.
  • JanRain and Sxip, leading providers of open source code libraries for blogging and web sites, are announcing they will add support for the Information Cards to their OpenID code bases.
  • JanRain, Sxip and VeriSign plan to add Information Card support to future identity solutions.
  • Microsoft plans to support OpenID in future Identity server products.
The four companies have agreed to work together on a "Using Information Cards with OpenID" profile that will make it possible for other developers and service providers to take advantage of these technology advancements.

Dick Hardt, Sxip Identity
Kim Cameron, Microsoft
Michael Graves, VeriSign
Scott Kveton, JanRain


We will have some extended commentary on this development here over the next several days. Suffice it to say, this is a significant step toward the convergence needed in the identity space and I'm excited to see what will proceed from this effort.


02/06/07 | permalink | comments [0]

Introducing Kiran Dandekar

I'm happy to welcome my VeriSign colleague Kiran Dandekar to the Infrablog. Kiran's working with me on the team here that is building infrastructure and tools around open identity. He's become increasingly central on our team and visible in the community in building technical consensus and business momentum around OpenID and our Personal Information Provider. We'll be adding a handful of team members to the Infrablog in the next few weeks.

 

Kiran's just your run-of-the-mill-MIT-PhD Boston Red Sox fan and family man. He previously did some cool stuff over at MicroStrategy before coming to VeriSign a couple years ago to help build our supply chain business.

 

Welcome Kiran!

 

 

06/19/06 | permalink | comments [0]

Introducing the VeriSign Personal Identity Provider (PIP)

You're invited to visit and try out a beta version of an identity service we've provided. It's called the VeriSign Personal Identity Provider (“PIP” for short), and you can find it at http://pip.verisignlabs.com. The VeriSign PIP is designed to provide a “home base” for users who want to use OpenID applications. Users who register with the VeriSign PIP get an OpenID – a URL they can use to log in and authenticate at sites that accept OpenID. In addition, the VeriSign PIP lets you store profile information, and control how, when and with whom that information can be shared.


What Can I Do With The VeriSign PIP?

When you register at the VeriSign PIP, your user name is used to generate a unique URL for your profile. My username is “mgraves”, so my OpenID is “http://mgraves.pip.verisignlabs.com”. Now when you go to a site that supports OpenID, you can provide your OpenID, and use it instead of having to register separately for each site. For example, if you're reading a blog at LiveJournal.com, and want to leave a comment, you can go register for an account at LiveJournal, or just use your OpenID. Enter your OpenID URL, and LiveJournal will authenticate you with the VeriSign PIP (or any other compatible OpenID server).
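The relying-party half of the login described above, as an added sketch that is not VeriSign's or any site's code: it normalizes the typed OpenID, reads the `openid.server` link from the identity page, and builds an OpenID 1.1 `checkid_setup` redirect. The identity page HTML, the `idp.example` endpoint and the `blog.example` site are constructed placeholders, and the page is passed in as a string so the example runs offline.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed sample of what an identity page might serve (endpoint is a placeholder).
SAMPLE_IDENTITY_PAGE = """<html><head>
<link rel="openid.server" href="https://idp.example/server">
</head><body>profile page</body></html>"""

class LinkFinder(HTMLParser):
    """Collect <link rel="openid.*" href="..."> tags from the identity page."""
    def __init__(self):
        super().__init__()
        self.links = {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("href"):
            for rel in (a.get("rel") or "").lower().split():
                if rel.startswith("openid."):
                    self.links.setdefault(rel, a["href"])

def normalize_identifier(user_input):
    """Turn what the user typed into an http(s) URL; reject any other scheme."""
    url = user_input.strip()
    if "://" not in url:
        url = "http://" + url
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        raise ValueError("OpenID must be an http(s) URL")
    return urlunsplit((p.scheme, p.netloc, p.path or "/", p.query, ""))

def build_checkid_request(user_input, identity_html, return_to, trust_root):
    """Return (claimed_id, redirect_url) for an OpenID 1.1 checkid_setup request."""
    claimed = normalize_identifier(user_input)
    finder = LinkFinder()
    finder.feed(identity_html)
    server = finder.links.get("openid.server")
    if not server or urlsplit(server).scheme not in ("http", "https"):
        raise ValueError("no usable openid.server link on identity page")
    # Exact-host trust_root only; wildcard trust roots are not handled here.
    r, t = urlsplit(return_to), urlsplit(trust_root)
    if (r.scheme, r.netloc) != (t.scheme, t.netloc) or not r.path.startswith(t.path):
        raise ValueError("return_to must be under trust_root")
    params = {
        "openid.mode": "checkid_setup",
        "openid.identity": finder.links.get("openid.delegate", claimed),
        "openid.return_to": return_to,
        "openid.trust_root": trust_root,
    }
    sep = "&" if urlsplit(server).query else "?"
    return claimed, server + sep + urlencode(params)
```

This covers only the outbound request; the relying party must still verify the provider's signed response before treating the user as authenticated.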


You can go to http://www.schtuff.com and create your own wiki with your OpenID. Zooomr is a photo-sharing site that will not only let you log in with OpenID, but will let you auto-register at the site based on information in your VeriSign PIP profile. The Zooomr sign up process is quick, easy, and based on a profile you control. OpenID is already enabled in MovableType 3.2, and plugins for Wordpress and other blogging tools are either available now, or imminent.


What Is Our Goal?

At VeriSign Labs, we see an opportunity to do what we do best – develop and deploy “intelligent infrastructure” -- for the blogosphere, the Web2.0 community and beyond. In the past months, we've noticed the growing energy and consensus around universal identity in general, and OpenID specifically. In addition to the pioneering applications that are available now for use with OpenID, there are a lot of exciting applications in the pipeline, from a wide variety of companies and developers.


The VeriSign PIP is a free service. So what's in it for us? We believe that providing free, quality infrastructure for the OpenID-enabled community – identity services that are friendly, secure and user-empowering – will help create an environment in which a rich variety of applications and services will appear and prosper. As this ecosystem evolves and matures, the free, basic services offered by the VeriSign PIP and other OpenID servers will be able to enable more complex trust relationships and higher value transactions. There's a need now for basic functions that will improve the quality of the blogosphere: authenticated blog comments, open reputation systems, personalized tagging, social media filtering, etc. Over time, as the installed base of enabled users grows and the application set available for OpenID-equipped users broadens and deepens, the VeriSign PIP will be able to validate credentials and claims for its users that facilitate “heavy duty” transactions: blog based auctions and payments, age-based verification for dating and social websites, verified residency for surveys, polls and voting, etc. In some cases, VeriSign will charge the user a fee for the credentials and claims it provides. In other cases, the subscribing applications will pay us a fee for qualifying and enabling users to participate and transact in a trusted, reliable context.


What's Next?

The goal of enabling user-centric identity is becoming more of a reality every day. But significant challenges remain; getting enough users and enabled applications spun up so that the ecosystem reaches critical mass is going to take a lot of work. We aren't application providers – we're all about infrastructure. What we can provide, and are providing, is a solid, safe, friendly resource for equipping users for the OpenID ecosystem. The VeriSign PIP is being opened up for use as a public beta now as a way to help encourage and accelerate development of OpenID-enabled applications and services.


The VeriSign PIP is not complete, by any means. As of this release, it's a good resource for getting an OpenID you can use to log in to other sites. The PIP provides a way to enter a lot of additional information to be stored in your profile, and some basic tools to organize and manage it. Applications that provide rich integration with the user's profile information are just becoming available – they need identity servers like the VeriSign PIP to be available to make things work. I'll point these applications out here and discuss how they work as they are made available over the next weeks and months.


The VeriSign PIP joins a number of other OpenID servers that are available now to facilitate OpenID authentication. The next big step forward for the VeriSign PIP will be to provide smooth auto-registration and trusted profile exchange between users and applications. If you are interested in establishing your own online identity – one that you control, and one that works with an ever-increasing array of Web2.0 apps – I hope you'll check out the VeriSign PIP, and give it a try. If you are an application provider, we're taking our first steps on the infrastructure side of things, and hope that our service will become an enabling resource for your OpenID-enabled applications.


Resources

  • The VeriSign PIP FAQ

  • OpenIDEnabled.com – all sorts of good information about OpenID specs, servers, software and applications

  • OpenID.net – the original and authoritative site for the OpenID specification

  • YADIS.org – the discovery protocol used with OpenID

     

05/16/06 | permalink | comments [0]

Working Toward the Bang

05/12/06 | permalink | comments [0]

VNDS is now VIS

02/10/06 | permalink | comments [0]

Weblogs.com problem this morning...

10/25/05 | permalink | comments [0]

eBay-VRSN deal

10/11/05 | permalink | comments [0]

Disclaimer: Opinions expressed here and in any corresponding comments are the personal opinions of the original authors, not of VeriSign.
