[OpenID] 7 suggested OpenID sessions at IIW next week

Eric Sachs esachs at google.com
Tue May 12 17:50:40 UTC 2009


At the last IIW conference, the OpenID community came up with a suggested
list of sessions ahead of time.  While we changed it a bit during the IIW
event, it still helped us coordinate an OpenID "track" that led to a lot of
important discussions.  In the hope of doing something similar, I thought I
would throw out an initial list of 7 potential sessions (and potential
leaders) based on some of the discussions on the list.  I would love to get
feedback on whether people think these are the right sessions, or have other
ideas.  And for the "leaders" that I volunteered, I'd like to see if they
would really be willing to lead some of these topics.

Title: Evolution of Discovery & OpenID
Leaders: "Dirk Balfanz" <balfanz at google.com>, "Eran Hammer-Lahav" <blade at yahoo-inc.com>
Topic: Have Eran give an update on the evolution of discovery standards.
Then have Dirk Balfanz give a specific example of how Google is using those
standards to help RPs support scenarios where an enterprise has outsourced
their IDP to a service-provider such as Google Apps.  Also discuss the
reverse where a website has outsourced their RP to a service-provider such
as Janrain's RPX.

Title: Best practices for very-secure RP/IDP interaction
Leader: "John Bradley" <jbradley at mac.com>,
Topic: Describe some of the current suggested best practices for increasing
the security of RP/IDP interaction, and then try to create a community
document of best practices.  Look at NIST & PCI compliance as example
targets.

Title: How RPs can handle phishing of a user's IDP account
Leader: "Breno de Medeiros" <breno at google.com>, "Luke Shepard" <lshepard at facebook.com>
Topic: Many websites that are not RPs have mechanisms to detect that a user
might have been phished, and if so they try to help the actual user recover
their account, such as by requiring that the password on the account be
changed.  Once a website becomes an RP, its recovery mechanisms have to
change.  Breno/Dirk will discuss how to address this need using some OpenID
extensions that can allow the RP to detect things such as the last time the
user changed their password, or entered it on the computer, as well as more
advanced methods to enable the RP to redirect the user to the IDP to
automatically route the user into the change password flow (or re-enter
password, or require the user to manually re-approve the identity assertion).

Title: Best practices for using CAPTCHAs, such as to meet NIST/PCI type
compliance
Leader: "Eric Sachs" <sachse at google.com>
Topic: Some RPs require that IDPs comply with guidelines such as NIST/PCI,
and in particular the sections about reducing hackers' ability to do online
attacks to guess a user's password.  Many major consumer-oriented websites
protect against those types of attacks using CAPTCHAs as well as temporary
time-out mechanisms.  Eric will describe some of the current suggested best
practices for preventing these attacks, and then try to create a community
document of best practices.

Title: RPs who DON'T want any PII (personally identifiable information)
Leader: "John Bradley" <jbradley at mac.com>, "Dirk Balfanz" <balfanz at google.com>
Topic: Some websites are especially privacy sensitive and would like to
avoid collecting any PII from users, including global IDs such as Email
address, blog URLs, or OpenID URLs that are sent to multiple RPs.  John will
lead a discussion about potential best practices for how an RP/IDP can
interact without exchanging PII, and then try to create a community document
of best practices.  Dirk will then lead a discussion about how an RP can
indicate what type of URL (or URLs) it wants such as these non-PII URLs, or
a blog/profile URL, or a global URL which won't necessarily have any
interesting information about the user.

Title: Invisible detection by RP of user's login state at IDPs
Leader: "Luke Shepard" <lshepard at facebook.com>, "Brian Eaton" <beaton at google.com>,
Topic: The OpenID community still does not have a solid best practice for
how RPs can determine a user's IDP without the usability problems of lots of
buttons or a raw URL entry box.  Another possible option is for the RP to
try to invisibly detect whether the user is logged into an IDP, and then
promote that IDP option to the user.  Luke will discuss his ideas on how an
RP might do this with an IDP today.  Brian will discuss how we might build
upon that model to let the RP check the login state at a few shared-domains
that could return a list of IDPs where the user is logged in.  For example,
Google hosts many enterprises' and schools' e-mail, and could potentially provide
a way for an RP to get a list of which such domain(s) a user is currently
logged into.

Title: Bronze/Silver certifications for OpenID IDPs
Leader: "John Bradley" <jbradley at mac.com>
Topic: Some identity communities such as InCommon have defined some optional
mechanisms for IDPs to show they meet specific requirements, especially
around security.  For example, InCommon has their Bronze/Silver
certification as described at http://www.incommonfederation.org/assurance.
How might we package some of the OpenID community's best practices into
some levels like this, and if we did so, what form might certification take
against those levels?
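The CAPTCHA/time-out session above describes the two controls consumer sites use against online password guessing but does not show how they combine. The following is an added illustration, not code from this email or from Google, Facebook or any other IDP named in it: a per-account and per-source-address throttle that escalates from free attempts to a required CAPTCHA and then to a temporary time-out. The thresholds (3 and 10 failures, a 15-minute time-out), the counter keys, and the sample account names and addresses are assumptions chosen for the demo; the real password and CAPTCHA checks are stand-in booleans.

```python
"""Online password-guessing throttle: CAPTCHA escalation plus temporary time-out.

Added illustration for the CAPTCHA/time-out session proposal; not code from
the email or from any of the IDPs mentioned. Thresholds, counter keys and the
sample accounts/addresses are assumptions chosen for the demo.
"""
import time
from collections import defaultdict
from dataclasses import dataclass, field

ALLOW, CAPTCHA, LOCKED = "allow", "captcha", "locked"  # decisions made before checking a password
SUCCESS, FAILURE = "success", "failure"                 # outcomes after checking one
_SEVERITY = {ALLOW: 0, CAPTCHA: 1, LOCKED: 2}


@dataclass
class _Counter:
    failures: int = 0          # consecutive failures since the last success or time-out
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked


@dataclass
class LoginThrottle:
    """Tracks failures per account and per source address (assumed keys).

    Per-account counters stop brute force against one victim; per-source
    counters catch 'spraying' one guess across many accounts, which a purely
    per-account limit never sees.
    """
    captcha_after: int = 3          # failures before a CAPTCHA is demanded (assumed)
    lockout_after: int = 10         # failures before a temporary time-out (assumed)
    lockout_seconds: float = 900.0  # length of the time-out, 15 minutes (assumed)
    _counters: dict = field(default_factory=lambda: defaultdict(_Counter))

    def decision(self, keys, now):
        """Strictest state across the given counter keys."""
        worst = ALLOW
        for key in keys:
            c = self._counters[key]
            if now < c.locked_until:
                state = LOCKED
            elif c.failures >= self.captcha_after:
                state = CAPTCHA
            else:
                state = ALLOW
            if _SEVERITY[state] > _SEVERITY[worst]:
                worst = state
        return worst

    def attempt(self, account, source, password_ok, captcha_ok=False, now=None):
        """Process one login attempt; returns LOCKED, CAPTCHA, SUCCESS or FAILURE.

        `password_ok` stands in for the real credential check and `captcha_ok`
        for a verified CAPTCHA response. LOCKED and CAPTCHA are returned before
        the password is checked, so a refused attempt reveals nothing about the
        guess and costs the attacker a CAPTCHA solve or a wait.
        """
        now = time.time() if now is None else now
        keys = (f"acct:{account}", f"src:{source}")
        state = self.decision(keys, now)
        if state == LOCKED:
            return LOCKED
        if state == CAPTCHA and not captcha_ok:
            return CAPTCHA
        if password_ok:
            self._counters[keys[0]].failures = 0  # only the account resets; the source keeps its history
            return SUCCESS
        for key in keys:
            c = self._counters[key]
            c.failures += 1
            if c.failures >= self.lockout_after:
                c.locked_until = now + self.lockout_seconds
                # When the time-out expires, keep demanding a CAPTCHA instead of
                # handing out a fresh batch of free guesses.
                c.failures = self.captcha_after
        return FAILURE


def simulate(attempts, throttle=None, start=1_000_000.0):
    """Replay (account, source, password_ok, captcha_ok) tuples one second apart."""
    throttle = throttle or LoginThrottle()
    outcomes = [throttle.attempt(acct, src, ok, cap, now=start + i)
                for i, (acct, src, ok, cap) in enumerate(attempts)]
    return throttle, outcomes


if __name__ == "__main__":
    # Constructed scenario: one attacker address guessing at one account, solving CAPTCHAs.
    _, out = simulate([("alice", "203.0.113.5", False, True)] * 12)
    print("brute force on one account:", out)
    # Constructed scenario: the same address spraying one guess over twelve accounts.
    _, out = simulate([(f"user{i}", "203.0.113.5", False, True) for i in range(12)])
    print("spraying across accounts:  ", out)
```

In both constructed runs the attacker gets three free guesses, then seven more at the price of a CAPTCHA each, and is then timed out; the spraying run is stopped by the source counter alone, since no single account ever sees more than one failure. The owner of a locked account can still get in from their own address once the time-out has passed, but must clear a CAPTCHA first because the account counter is deliberately left at the CAPTCHA threshold rather than zeroed.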