OpenID Technology Summit Recap
April 6, 2010 by admin

Yesterday Google and Microsoft co-hosted an OpenID Technical Summit at Microsoft’s campus in Mountain View, CA. This was a follow-up to the OpenID User Experience Summit hosted by Sears in Chicago a few weeks ago.

Who Attended:

Companies represented included Yahoo, Google, AOL, Microsoft, PayPal, Facebook, JanRain, Gamestop, Universal Music Group, Verizon, Salesforce.com, NRI, Digg, LinkedIn, Netflix, Amazon, Meebo, Mozilla Foundation, Ping Identity, and Protiviti.

Objectives:

The objectives of this two-day session were to:

Day 1: highlight areas where the technical community (OpenID Foundation, Identity Providers, technical platform providers) could continue to evolve and expand the functionality and benefits of User Managed Identity (UMID) to facilitate broader adoption and usage.

Day 2: provide a forum for technical collaboration to address specific requests from the market.

Recommendations:

Presenters during the first day included folks from Google, Digg, Facebook, Microsoft, Yahoo, LinkedIn, Netflix, PayPal, Amazon, Protiviti, Meebo, NRI, Gamestop, and Universal Music Group. Eric Sachs from Google created a summary of the high-level requests and recommendations coming collectively from the presenters.

1. Simpler protocol for simpler use-cases. OpenID is an extensible, robust technology that has a range of deployment models and application areas. To facilitate broader adoption and usage, we need to make sure that entry-level applications and deployments can be as simple and straightforward as possible.

2. IDP whitelist/certification. There are applications and market segments where the organization accepting OpenID for registration and login has specific requirements, not all of which can be delivered by all ID providers. For those segments, it’s becoming apparent that there need to be mechanisms for certification and/or whitelisting of ID providers. The OpenID Foundation and Infocard Foundation have collaborated to form the Open Identity Exchange (OIX) as a mechanism to certify ID providers to specific standards. The first application that OIX is pursuing is for Federal Government websites and the GSA/ICAM standards.

3. Non-browser app support. The “connected web” extends well beyond browsers on PCs to mobile phones, game consoles, TVs, set-top boxes, etc. For example, at the Sears UX Summit, NPR reported that 30% of their traffic came from mobile access. OpenID and UMID need solutions that span the entire connected web. Netflix in particular discussed the need for this.

4. Email as identifier. While picking from a visual matrix of ID provider logo buttons (Yahoo, Google, AOL, etc.) works well for many users and applications, there should be support for other UI paradigms, such as using an email address.

5. Additional attributes (billing/address/sex/gender/location/basic reputation). Good progress has been made with Simple Registration (SREG) and Attribute Exchange (AX) to deliver a standard demographic data set including name, nickname, email address, gender, age, time zone, zip code, language, etc. However, not all ID providers support the key data fields yet, and some organizations would like to get additional data including billing/shipping address, some measure of reputation, etc. ID providers should look at ways to deliver more data (with explicit end-user approval) to websites to increase the value proposition both to websites and to their end users.

6. Consider other forms of UI enabled by a central discovery mechanism. There was discussion about how the UI/UX could be improved if websites could “discover” the preferred or enabled ID providers for website visitors. This central discovery mechanism doesn’t currently exist, but research and discussions are progressing to evaluate how this approach might work.

7. Related to item #4, it’s worth looking at any approaches that can make the login interface more intuitive and scalable. One interesting example from Lee Hammond at Universal Music Group was that they are getting 89% of logins on the Lady Gaga website using UMID through an optimized NASCAR approach (the grid of provider logo buttons) that is more explicit about how users leverage existing accounts to log in to the Lady Gaga website.

8. Best practices for sign-out, and quick switching between identities. Today most of the OpenID workflow is focused on single sign-on; more thought should be put into optimizing workflows for single sign-out as well. For example, today logging out of Facebook Connect logs the user out of all websites that the user logged into with Facebook. Is this an optimal user experience, and if not, what should it be?

9. Whitelisting/certifying relying parties. While not on Eric’s summary list, another request was for the ability to whitelist and/or certify websites consuming data and services from the ID providers. ID providers like PayPal and LinkedIn, who manage rich and possibly sensitive user data, want mechanisms to ensure that websites consuming OpenID data are complying with certain standards with regard to privacy and security. For example, today PayPal is using a whitelist approach for the federal government websites that can use its ID services.

The good news for JanRain customers is that our products and services are already addressing several of these requests, and we’re working closely with standards bodies (OpenID, OAuth, Portable Contacts, OpenSocial, etc.) and ID providers to integrate these requests into future offerings as the services and infrastructure enhancements become available.

Thanks again to Microsoft and Google for sponsoring this great event.