[OpenID board] Vivek Kundra's remarks about the US Government identity initiative

2009-09-10 Thread Mike Jones
US Federal CIO Vivek Kundra spoke about the US government identity initiative 
during the O'Reilly Gov 2.0 conference this morning.  His remarks were in the 
context of things he is doing to make government's IT investments more 
efficient.

He gave the example of making campground reservations at recreation.gov, which 
currently requires you to create an account that you're unlikely to use again 
soon.  He said that since you already have identities from Google or Yahoo or 
Microsoft, wouldn't it be better to let you use those identities at the 
government site?  He then said that they were working with the OpenID 
Foundation to make that happen.

-- Mike


___
board mailing list
bo...@lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-board


Re: [OpenID board] [board-private] IPR and Bylaws Documents for Review

2009-10-05 Thread Mike Jones
I had a mixed reaction when I read your comments, David.  On one hand, your 
comments obviously have merit.  On the other hand, incorporating them now would 
incur another round of legal review, with the associated costs and delay in 
approving a revised set of Bylaws.  (For one thing, you only made comments -- 
rather than proposing specific alternate wording that all of our lawyers could 
review before the votes on Wednesday.)

With that in mind, I'd advocate that at the board meeting on Wednesday, the 
board votes to approve either the version circulated by John Ehrig, or the 
version with the one sentence correction that I sent out over a week before the 
board meeting (so the members' legal staffs would have a week's time to review 
the changes, per the agreement on the executive committee call).

Given that the board can change the bylaws at any time with just a board vote, 
I think it's more important to approve something that's good enough on 
Wednesday, bringing the bylaws up to date with the present reality, than to 
continue to tweak them before approval until they're perfect.

I hope others will agree so that we can approve a set of vastly-improved 
bylaws, even if we may choose to fine-tune them again at some future date.

My two cents worth,
-- Mike

-Original Message-
From: David Recordon [mailto:record...@gmail.com] 
Sent: Saturday, October 03, 2009 5:06 AM
To: openid-board@lists.openid.net; Mike Jones
Cc: John Ehrig; Don Thibeau (OIDF ED); board-priv...@openid.net
Subject: Re: [board-private] IPR and Bylaws Documents for Review

Thanks for the red line versions Mike!  Another red-line attached after digging 
back into this and I'm including the public list since this isn't private. :)

5.2a - seems to allow consultants of a sustaining member to serve on the board 
of directors.  Does the board care that this has changed?  I worry that in most 
organizations a consultant would not have access to the same resources as an 
employee.  Given that we really count on sustaining member participation, this 
could be an issue depending on the organization.

5.2b - why can't this section just refer to 5.4 (vacancies) when discussing how 
new community directors are elected upon the addition of a sustaining director?

5.15 - should this section include a new sub-section about removal by 
non-participation?  Snorri is the example who comes to mind who has not 
participated in a single board meeting (except for one via proxy) and has been 
unreachable for quite some time.

5.15 b and c - I thought we decided that both community directors and 
sustaining members could be removed by vote of the membership?
Currently these sections allow for the removal of a community director but 
provide no provision for the removal of a sustaining director.
(See http://lists.openid.net/pipermail/openid-board/2009-August/004253.html
for prior discussion.)

7.4a - do we also want to explicitly call out that the other two EC roles are 
to represent the community and to represent international interests?  I'd 
actually rather see these two additional roles be a European representative 
and an Asian representative, but that affects board composition overall in 
terms of needing members who can appropriately represent these continents.

7.4a - why does this section ensure one of the two additional members of the 
executive committee is a sustaining director while not ensuring that any of the 
members are community directors?  Might it be easier to instead require that 
out of the four main officers (chair, vice-chair, secretary, and treasurer) 
that two are sustaining and two are community and then leave the two other EC 
roles up to the board to elect?  This matches our current organization of 
Brian, Nat, Mike J, and Mike O holding the four main officer roles.

Thanks,
--David

On Wed, Sep 30, 2009 at 5:44 AM, Mike Jones michael.jo...@microsoft.com wrote:
 I've attached two versions of the bylaws doc.  The first contains my 
 proposed change below as a tracked change.  The second contains diffs 
 between the approved 2007 version and this version, to hopefully help 
 others with their legal review.  (Our lawyers asked for this, so I 
 figured I'd send it on to the rest of you as well.)



 Glad this is all happening.

 -- Mike



 From: Mike Jones
 Sent: Tuesday, September 29, 2009 3:10 PM
 To: John Ehrig; Don Thibeau (OIDF ED)
 Cc: openid-board-priv...@lists.openid.net; board-priv...@openid.net
 Subject: RE: IPR and Bylaws Documents for Review



 Hi John.  Thanks for getting these out to us.  Unfortunately, while 
 you attached the original version of the process document, the revised 
 version of the process document was not attached.  Among other 
 changes, this should have included the working group process changes 
 proposed by Nat that the board approved in January, plus the change

Re: [OpenID board] Fwd: [OpenID Foundation] New Poll Opened

2009-11-18 Thread Mike Jones
It's a re-vote because the previous member vote failed to reach quorum.

-- Mike

From: openid-board-boun...@lists.openid.net 
[mailto:openid-board-boun...@lists.openid.net] On Behalf Of David Recordon
Sent: Wednesday, November 18, 2009 5:57 PM
To: bo...@openid.net
Subject: [OpenID board] Fwd: [OpenID Foundation] New Poll Opened

There seems to be a duplicate poll here.
-- Forwarded message --
From: h...@oidf.org
Date: Wed, Nov 18, 2009 at 5:49 PM
Subject: [OpenID Foundation] New Poll Opened
To: record...@gmail.com


Hello David Recordon,

Voting has opened on the following poll -- please register your vote before 
2009-12-04.

Link:
https://openid.net/foundation/members/polls/19

Title:
Revised IPR Process Document

Description:
On October 7, 2009 the Board of Directors voted to revise the OIDF IPR
Process document. The revisions are primarily being made to help
streamline the formation of work groups. A vote of the full membership
is required to formally adopt the revised process. Marked and clean
versions of the revised process document are viewable here:
http://openid.net/wordpress-content/uploads/2009/10/OpenID_Process_Document__Modified_Edit_20090312_-clean1.pdf
http://openid.net/wordpress-content/uploads/2009/10/OpenID_Process_Document__Modified_Edit_20090312_.pdf

Thank you for your participation!

Available Choices:
* Approve
* Reject
* Abstain

Thank you for your participation!

---
The OpenID Foundation
http://openid.net/foundation/



Re: [OpenID board] Fwd: [OpenID Foundation] New Poll Opened

2009-11-18 Thread Mike Jones
The board should have the authority to correct typos that don't change the 
obvious meaning of the document without restarting the process.  Unless there 
are objections, I believe that we should post corrected versions and proceed.

Anyone opposed to this course of action?

-- Mike

From: openid-board-boun...@lists.openid.net 
[mailto:openid-board-boun...@lists.openid.net] On Behalf Of Chris Messina
Sent: Wednesday, November 18, 2009 6:06 PM
To: openid-board@lists.openid.net
Subject: Re: [OpenID board] Fwd: [OpenID Foundation] New Poll Opened

Indeed, there are two.

And, as Eddy pointed out, there's a typo on Page 6.

"Only after if is ratified" should be "Only after if it is ratified"

Should we vote to reject on the basis of this typo?

Chris
On Wed, Nov 18, 2009 at 6:03 PM, David Recordon 
record...@gmail.com wrote:
Yes, but right now there are two polls open.  Go and look in the voting tool. :)
On Wed, Nov 18, 2009 at 6:01 PM, Mike Jones 
michael.jo...@microsoft.com wrote:
It's a re-vote because the previous member vote failed to reach quorum.

-- Mike




--
Chris Messina
Open Web Advocate

Personal: http://factoryjoe.com
Follow me on Twitter: http://twitter.com/chrismessina

Citizen Agency: http://citizenagency.com
Diso Project: http://diso-project.org
OpenID Foundation: http://openid.net

This email is:   [ ] shareable   [X] ask first   [ ] private


Re: [OpenID board] IPR Process Document Poll Duplicate has been Deleted

2009-11-18 Thread Mike Jones
Thanks, John and Darin!

-- Mike

From: openid-board-boun...@lists.openid.net 
[mailto:openid-board-boun...@lists.openid.net] On Behalf Of John Ehrig
Sent: Wednesday, November 18, 2009 7:56 PM
To: openid-board@lists.openid.net
Subject: [OpenID board] IPR Process Document Poll Duplicate has been Deleted

Darin at Refresh Media very quickly fixed the duplicate poll.  The first poll 
is closed and the votes from the first poll are moved to the second (open) 
poll.  All the links in the email will take members to the second (open) poll.

Thank you, Darin!



Re: [OpenID board] OpenID Update: Orientation Briefing Feedback

2010-01-16 Thread Mike Jones
With respect to the executive committee, I'm surprised that you're not listing 
a third option:  Let the executive committee remain as is.  I, for one, don't 
see it as broken, so I don't see a need to fix it.

Herewith, I believe that the executive committee should remain the four 
officers, plus an international liaison and a technical liaison.

I *do* agree that the other committees should operate in a more accountable 
fashion and report on their progress to the board more often.  But doing that 
seems independent of the EC to me.  (The EC is the one committee that *has* 
operated effectively and regularly reported on its results to the full board -- 
a model that the other committees should emulate.)

Covering all bases, I believe that the full board should meet about every 6-8 
weeks.  3 months is far too long between meetings at this stage of the game.  
(I do believe that these meetings should be in person whenever possible.)

-- Mike

-Original Message-
From: openid-board-boun...@lists.openid.net 
[mailto:openid-board-boun...@lists.openid.net] On Behalf Of David Recordon
Sent: Friday, January 15, 2010 8:04 PM
To: openid-board@lists.openid.net
Subject: Re: [OpenID board] OpenID Update: Orientation Briefing Feedback

Hey Brian,
It sounds like I'm being slightly misunderstood.  I believe that
either of the two following scenarios are reasonable.

1) The Executive Committee is made up of the four officers and one
chair from each remaining Committee.  It's very likely that there will
be overlap between Officers and Committee chairs.  This means that the
Executive Committee is around ten people.  With strong leadership and
agenda setting these calls should be productive.

2) The Executive Committee is made up of the four officers and it
solely focuses on the logistics which go into keeping the organization
really moving forward.  (Things like Don's contract, the budget, and
that each Committee is making progress.)  We would then have a
Leadership Committee (insert better name here) which is made up of
the Executive Committee and one chair from each remaining Committee.
This Committee would be empowered to tackle execution and coordination
issues across the organization; much like an executive team at a
company.

Part of my goal is ensuring that there is both regular accountability
of each Committee to a group smaller than the Board itself and that
each Committee has a meaningful forum to raise organizational needs on
a regular basis.

I imagine that the full board then meets only once a quarter and each
Committee (including the Executive and/or Leadership) meets at least
monthly with the majority of their work occurring between meetings via
mailing lists.

--David

On Fri, Jan 15, 2010 at 4:54 PM, Brian Kissel bkis...@janrain.com wrote:
 So it's sounding like most people would prefer or at least be comfortable
 with keeping the EC small as long as we ensure that:



 · we have the right committees (i.e. make sure we add/have one
 focused on adoption with good representation by RPs)

 · the Committees have strong leadership (including board members as
 co-chairs) and are communicating with the full board on a timely basis

 · the board and EC make sure that the OIDF is properly supporting
 the Committees and managing any cross committee functional issues that may
 be relevant

 If that's the case, then the EC elections coming up next week will only be
 for the Chair, Vice-Chair, Secretary, and Treasurer's positions.  Don
 Thibeau as Executive Director is also a member ex-officio.



 In addition to the 6 committees that David has proposed at
 http://wiki.openid.net/2010-Planning, are there any other committees that we
 collectively feel we should start out the year with?  We can always add and
 retire committees as necessary, but want to make sure we have the right ones
 to start out the year.



 · Adoption.  Charter: Develop OpenID as a product and largely
 working with relying parties to bring the voice of the customer while
 looking at branding, usability, and delivered value.

 · Government. Charter: Support the needs of the US Federal
 Government and other governments looking to deploy OpenID.

 · Security.  Charter: Working with the Technology Committee and
 various Working Groups, ensure that OpenID's security model is appropriate
 for how it is being deployed.

 · Technology. Charter: Oversee the technical Working Groups'
 progress and liaise between them and the Adoption, Government, and Security
 Committees.

 · Legal.  Charter: Oversee, protect, and develop the
 Foundation's bylaws and IP it is responsible for such as copyrights and
 trademarks World-wide.

 · International Outreach.  Charter: Coordinate and support the work
 of OpenID communities primarily outside of North America. Collaborate with
 OpenID Europe and Japan.



 Cheers,



 Brian

 ___



 Brian Kissel

 

Re: [OpenID board] OpenID Update: Orientation Briefing Feedback

2010-01-16 Thread Mike Jones
I'm not proposing to add roles to the EC (although I realize that that's how 
this thread started).  I think it's the *one* committee that's working fine 
as-is, so I don't think we should change it.

I strongly agree with you that we need well-organized and accountable 
committees.  Those committees should meet regularly and report to the full 
board periodically, (preferably usually by e-mail status reports), just like 
the EC does.

Adding lots of additional members to the EC, in my mind, is a formula to break 
the one well-functioning committee we presently have.  (Apparently GI agrees 
with that assessment as well.)  Instead, we should be focusing our efforts on 
fixing the behaviors of the *other* committees.

-- Mike


From: openid-board-boun...@lists.openid.net 
[mailto:openid-board-boun...@lists.openid.net] On Behalf Of David Recordon
Sent: Saturday, January 16, 2010 12:42 AM
To: openid-board@lists.openid.net
Subject: Re: [OpenID board] OpenID Update: Orientation Briefing Feedback

This thread started as a proposal to add a relying party liaison to the 
executive committee.  Why does the Executive Committee have technical and 
international liaisons, but not a marketing liaison?  Why not a legal liaison?  
My proposals both create a more formulaic method as to the organization's 
structure rather than adding roles to the Executive Committee in an ad hoc 
fashion.

And with respect, I see fairly fundamental issues with how the Foundation is 
currently organized.  A board of twenty people is ineffective except in face to 
face meetings.  We must shift work into well organized and accountable 
Committees and provide an organizational structure that appropriately supports 
them.  We must find a way to represent each Committee in a regular fashion 
within a core execution driven group of the Foundation.

--David

[OpenID board] Logistics for UX usability summit

2010-01-22 Thread Mike Jones
What is the address of the usability summit location and what hotel are people 
staying in?  Is there a room block we should use to reserve our rooms?

Thanks,
-- Mike



Re: [OpenID board] OIDF Privacy Policy

2010-01-27 Thread Mike Jones
It would be fine to post digital images with the signatures and address 
information redacted - possibly by overlaying them with "Information on file 
with OIDF" or something of that sort.  (Sort of how elevators often contain 
messages about the elevator license being on file at such-and-such place.)

-- Mike

From: openid-board-boun...@lists.openid.net 
[mailto:openid-board-boun...@lists.openid.net] On Behalf Of David Recordon
Sent: Wednesday, January 27, 2010 9:40 AM
To: openid-board@lists.openid.net
Subject: Re: [OpenID board] OIDF Privacy Policy

Hey John,
I'm happy to have us reconsider the policy.

The idea is to make it incredibly transparent around who has signed what (when 
it comes to IP).  So far you're the first person in three years to say anything 
about it.

Considering that there can be different versions of documents and some 
documents with options, scanning them as PDFs seemed like the easiest and most 
accurate method.  99% of the time it's also companies signing the agreements 
and using corporate addresses versus personal.

If Global Inventures is able to manage these agreements and keep up to date 
online records, I'm less worried about each agreement being available online.

That said, they should be made available upon request.

--David
On Wed, Jan 27, 2010 at 7:07 AM, John Bradley 
jbrad...@mac.com wrote:
In the process of setting up the AX 1.1 WG a number of things have come to 
light.

One is some confusion around who needs to submit what sort of agreement, 
Personal or Company.
Perhaps our new Secretary can have a look at that.

The more important one is that the OIDF has a practice of posting scanned 
documents publicly including people's signature.

A number of us don't think publicly posting our address info with a scan of our 
signature is such a good idea.

I think everyone agrees that who has signed contribution agreements and what WG 
they apply to should be public.

However there are ways to do that that are less subject to identity theft and 
other issues.

I would like to recommend that one of our committees (perhaps the legal one) or 
a sub committee review and publish the OIDF privacy policy and specifically if 
practices like posting members' PII publicly are appropriate.

The board can then consider those recommendations.

In the interim I would like GlobalInventures to redact my signature from any 
and all of the IPR agreements they publish.

I don't think we can be credible respecting people's right to privacy on the 
internet if we don't do a credible job with our own members.

There may be other privacy issues I am not currently aware of as well.

I think being proactive about privacy can only increase participation from the 
community in general.

Regards
John B.


Re: [OpenID board] v.Next SOW

2010-05-29 Thread Mike Jones
For context for those of you that were not on the thread, what is being 
proposed is an hourly contract - not a fee for deliverables contract.  While 
some committee members expressed a wish for specific milestones and time 
estimates, others felt that this was not reasonable or possible, given that 
Dick's involvement is meant to supplement - not replace - community 
participation, and that progress will still be highly dependent upon the degree 
of community involvement (as indeed, we want it to be!).

There were several changes made to the original statement of work based upon 
input from the technology committee where there was clear committee consensus.  
In contrast, milestones were not added because of the reasons stated above and 
because there was not a consensus within the technology committee that they 
were possible or reasonable.


For transparency, I wrote back to Don's request saying I agree that this SOW 
incorporates the consensus feedback of the technology committee.  It does not 
incorporate some feedback for which there was not committee consensus.  Without 
consensus on particular points, it's reasonable to proceed to develop a 
contract which the full board will soon get to evaluate.



Also for context, the resolution that you voted for David, was to have the 
executive director and counsel produce term sheet by the end of May for up to 
$30,000 with input from the technical committee.  As I see it, the committee 
did give its input, resulting in several specific changes to the SOW.  The 
committee did its job in this process.  The technology committee was never a 
blocking reviewer, and the fact that there were some differences of opinion 
within the committee on one point does not block the ED and counsel from 
proceeding to carry out the board's wishes (which you also voted for).



Finally, I'll point out that in an hourly contract, the check-and-balance is 
that either party can terminate the contract without cause at any point.  
Instead of having specific milestones up front, instead, the board is free to 
terminate the contract if we're not satisfied with the actual progress.  This 
is a normal kind of consulting contract.



I'm sorry that you've chosen to resign because I value your perspectives.  I 
hope that you reconsider.



-- Mike

From: David Recordon [mailto:record...@gmail.com]
Sent: Friday, May 28, 2010 11:37 PM
To: Don Thibeau (OIDF ED); openid-board@lists.openid.net
Cc: tech-c...@openid.net; scott.da...@klgates.com
Subject: Re: v.Next SOW

(Adding the Board mailing list and trimming the non-public emails out of 
courtesy. This thread was a revised statement of work from Dick, Don asking if 
it represented a consensus view of the Technology Committee, and one of the 
Committee members replying that it did.)

While a lot of the feedback from the Technology Committee and Brian Kissel was 
incorporated into this statement of work, only two members of the committee 
replied affirmatively in regards to the revisions. I re-asked some of the 
original questions (which Dick replied to) and the remaining three members of 
the Committee have not replied. It's possible that silence is being interpreted 
as consensus.

I personally have a hard time fully evaluating this statement of work without 
understanding the timeline around the deliverables and overall cost. To help 
get us closer to consensus I've decided to resign as Vice Chair of the 
Technology Committee.

--David


Re: [OpenID board] Are you going to the Burton Catalyst San Diego?

2010-07-12 Thread Mike Jones
I'll be there.

-Original Message-
From: openid-board-boun...@lists.openid.net 
[mailto:openid-board-boun...@lists.openid.net] On Behalf Of Nat Sakimura
Sent: Sunday, July 11, 2010 11:58 PM
To: openid-board
Subject: [OpenID board] Are you going to the Burton Catalyst San Diego?

After much thinking, I have decided to go to Burton Catalyst instead
of i...@maastricht.

Is there any other board member attending it? (I know John B. is.)

Best,

-- 
Nat Sakimura (=nat)
http://www.sakimura.org/en/
http://twitter.com/_nat_en


Re: [OpenID board] Unable to authenticate, therefore unable to nominate myself

2010-11-29 Thread Mike Jones
I've been trying to stay out of this because I'm a candidate but in the 
interest of clarity, mostly as a past election committee chair, I'm going to 
communicate only facts and then entirely recuse myself from any involvement in 
decisions made by the foundation based upon those facts.  As the past elections 
committee chair for the previous two elections, upon which this year's 
election's procedures were based, I do have some authoritative knowledge of the 
facts below.

Don's election announcement sent to the OpenID general list on November 9th 
with the subject line "OIDF Board Election Announcement" contained the 
following text:
Nominations open:  Monday, November 15
Nominations close:  Monday, November 29

Times for all dates are Noon, U.S. Pacific Time.

Thus, for this election, nominations opened at Noon Pacific Time on Monday, 
November 15th and closed at Noon Pacific Time on Monday, November 29th.  The 
election tool enforces the dates and times entered.  The Noon Pacific time 
starting and ending times were used for the 2008 and 2009 elections as well.

Those are the facts as I understand them.

-- Mike

From: openid-board-boun...@lists.openid.net 
[mailto:openid-board-boun...@lists.openid.net] On Behalf Of Joseph Smarr
Sent: Monday, November 29, 2010 7:40 PM
To: openid-board@lists.openid.net
Cc: OpenID Board (public)
Subject: Re: [OpenID board] Unable to authenticate, therefore unable to 
nominate myself

I was planning to nominate myself for the board tonight (was busy with family 
over the weekend), but the UI to nominate myself has gone away. I thought today 
(11/29) was the last day to nominate myself. Is that GMT or something weird? Or 
was it 11/29 meaning 11/28 11:59p?

I'd really like to nominate myself, and I don't think blocking that on a poorly 
communicated technicality is in the best interest of the foundation. :) Can 
somebody fix things and/or let me know how to nominate myself?

Thanks, js
On Mon, Nov 29, 2010 at 5:58 PM, Chris Messina 
chris.mess...@gmail.com wrote:

On Mon, Nov 29, 2010 at 5:10 PM, John Bradley 
ve7...@ve7jtb.com wrote:
I seem to recall that the web site is using UTC for running ballots etc.   I 
suppose that we had to pick a timezone and that is as good as any.

Though it would be a problem if you leave things to less than 8h to the 
deadline by west coast time.

I am concerned about Chris not being able to get in.   I didn't have a problem, 
 but I am not using a delegated openID.

I will see if I can replicate the problem.

Chris, did this just start,  or haven't you logged in for a while?

This started recently - and I may have had problems before which were 
addressed. I'm guessing it has to do with RPX's approach to discovering 
delegation on my site.

Here's a screencast of my experience:

http://dl.dropbox.com/u/18443/openid-fail.mov

FWIW, I'm able to login to disqus.net using my OpenID 
(factoryjoe.com) without issue.

Chris


John B.

On 2010-11-29, at 7:34 PM, Dick Hardt wrote:


I just logged onto the site to self nominate, and I don't see the button/link 
there anymore. It is still the 11/29th is it not?

btw: I was able to login fine

-- Dick


From: openid-board-boun...@lists.openid.net 
[mailto:openid-board-boun...@lists.openid.net] On Behalf Of Chris Messina
Sent: Monday, November 29, 2010 3:52 PM
To: OpenID Board (public)
Subject: [OpenID board] Unable to authenticate, therefore unable to nominate 
myself

I've been trying to authenticate on the foundation member site for the past two 
days and have had no luck. I've been in touch with both Janrain and Darin from 
Refresh to no avail. If I'm not the only one unable to authenticate with my 
delegated OpenID, I wonder who else has been unable to self-nominate themselves 
for the election?

This seems like a serious issue with our election proceedings.

Advise?

Chris

--
Chris Messina
Open Web Advocate, Google

Personal: http://factoryjoe.com/
Follow me on Buzz: http://buzz.google.com/chrismessina
...or Twitter: http://twitter.com/chrismessina

This email is:   [ ] shareable[X] ask first   [ ] private

Re: [OpenID board] Unable to authenticate, therefore unable to nominate myself

2010-11-29 Thread Mike Jones
Because I'm a candidate, I'm going to stay out of this other than to suggest 
that all people who are candidates or might be candidates should likewise 
recuse themselves from participating in any decisions about whether to alter 
the outcome of the nomination process or not.

I do believe that altering the outcome of the nomination process is a 
significant enough thing to do that any such decision should be undertaken only 
with a majority vote of the board, but again, I'll leave that up to those of 
you who are not candidates or potential candidates to decide.

-- Mike

From: openid-board-boun...@lists.openid.net 
[mailto:openid-board-boun...@lists.openid.net] On Behalf Of John Ehrig
Sent: Monday, November 29, 2010 8:27 PM
To: openid-board@lists.openid.net
Subject: Re: [OpenID board] Unable to authenticate, therefore unable to 
nominate myself

Mailman bounced this email  originated by Brian Kissel.  I'm forwarding to the 
list for Brian...

Don, can you please advise?  I don't think it's our desire to block folks due 
to confusion on the specific time the nominations were to close.  Also, I'd 
guess a number of folks would like time to second the nominations of 
individuals who nominated themselves late in the cycle.  To remove any 
confusion, can we keep nominations open through the end of the day PST tomorrow?

Mike, you've been great at advising all of us on our obligations per the 
bylaws, what do you suggest?

Cheers, Brian

Brian Kissel (http://www.linkedin.com/in/briankkissel)
Chairman, Janrain
e: bkis...@janrain.com  |  m: 503.342.2668  |  f: 503-296-5502
Follow Us:  Facebook (http://bit.ly/9CGHdf)  |  Twitter (http://bit.ly/9umxlK)  | 
 LinkedIn (http://bit.ly/a7WZMC)  |  Blog (http://bit.ly/cv3WGH)
519 SW 3rd Ave, Suite 600, Portland, Oregon 97204

Improve online ROI, engage your users, and build your brand with Janrain. Watch 
the Video (http://bit.ly/99jJ1w).



[OpenID board] Obama to hand Commerce Dept. authority over cybersecurity ID

2011-01-07 Thread Mike Jones
http://news.cnet.com/8301-31921_3-20027800-281.html



[OpenID board] Closing inactive OpenID working groups

2011-02-21 Thread Mike Jones
At the latest OpenID board meeting, I took the action item to have the 
specifications close down inactive working groups.  This is to help eliminate 
confusion among the members about where work is occurring and focus people's 
efforts on the active working groups.

Per section 4.4 of the OpenID process document 
(http://openid.net/wordpress-content/uploads/2010/01/OpenID_Process_Document_December_2009_Final_Approved.pdf), 
The Specifications Council may recommend closure of a WG at any time that the 
WG has not had Minimum Membership for six consecutive months at the time of 
closure, and such recommendation will promptly be submitted to a vote of the 
OIDF membership, in accordance with the voting procedures in §3.  Minimum 
Membership is defined in section 1.6 as five contributors.

It's clear that all of these working groups meet these criteria in terms of lack 
of participation by 5 members within the last 6 months:

· v.Next Core
· v.Next Discovery
· v.Next Attributes
· v.Next Certification
· v.Next User Experience

Also, given the consensus to merge the Connect work into the Artifact Binding 
work, I would argue that we should close the Connect working group at the same 
time, so that it's clear that people wanting to contribute to it should join 
the Artifact Binding working group, where the work is actually proceeding.  
Formally, there have been 7 contributors on the Connect working group list in 
the last 6 months:  Breno de Medeiros, Chris Messina, Chuck Mortimore, David 
Recordon, John Bradley, Joseph Smarr, and Nat Sakimura.  The most recent 
contribution was 11/3/10.  So we could either wait a few months to close it, or 
if three of the above contributors agree that it should be closed, I believe we 
could proceed with the membership vote to close the working group at the same 
time.  (I'd rather not have two membership votes closing working groups.)

So after a discussion period, unless people form consensus around a different 
course of action, I'm going to propose a specs council vote that we close all 6 
of these working groups.

Thanks all,
-- Mike

P.S.  The present membership of the specifications council is:

· Johnny Bufu
· Breno de Medeiros
· Dick Hardt
· Mike Jones
· David Recordon
· Nat Sakimura
· Allen Tom



Re: [OpenID board] Date of OpenID Social Media Summit November hosted by FaceBook

2011-05-20 Thread Mike Jones
Thanks!

From: John Ehrig [mailto:jeh...@inventures.com]
Sent: Friday, May 20, 2011 2:53 PM
To: Mike Jones; bo...@lists.openid.net
Cc: d...@oidf.org
Subject: RE: Date of OpenID Social Media Summit November hosted by FaceBook

The calendar is now updated.

BTW, the IIW is 10/18-20

From: Mike Jones [mailto:michael.jo...@microsoft.com]
Sent: Tuesday, May 17, 2011 4:24 PM
To: OpenID Board (public) (bo...@lists.openid.net); John Ehrig
Subject: Date of OpenID Social Media Summit November hosted by FaceBook

What day is the Facebook-hosted OpenID summit?  The calendar 
http://wiki.openid.net/w/page/22834488/2011-Board-and-Summit-Calendar just says 
November.

Thanks,
-- Mike



[OpenID board] Minutes from November 16, 2011 Executive Committee Call

2011-12-01 Thread Mike Jones
Minutes from November 16, 2011 Executive Committee Call

Present:
Nat Sakimura
Mike Jones
John Bradley
Chris Messina
Nico Popp

Absent:
(none)

1.  Evaluation of Don Thibeau's bonuses for the second and third quarters

Nat made a proposal to pay the bonuses in full.  The amount is specified in his 
contract.

Mike stated that Don has done a good job in a sometimes difficult situation, 
enabling us to get to a good situation.  Therefore, we should approve his full 
bonuses.  Nico agreed.

John moved that we pay Don the full bonuses.  Nico seconded.  The motion was 
unanimously approved.

2.  Discussion of fourth quarter priorities

The EC didn't feel that any short-term changes in priorities were needed.

The EC decided to reinforce that Don's top two priorities for this quarter are:
1.  OpenID Connect launch
2.  Prepare for the upcoming board election

The election should be promoted online and at the Japan summit.  Maintaining 
geographic and other diversity of the candidates would be a plus, but we 
understand that the candidates will self-select.

Before the election, we will need to know the current number of sponsoring 
members.

3.  Timely consideration of bonuses

The EC apologizes to Don for not considering his bonuses in a timely fashion.  
This in no way was a reflection of his performance.  The committee commits to 
considering future bonuses in a timely manner.




[OpenID board] OpenID Connect Implementer's Draft review under way

2011-12-23 Thread Mike Jones
We mailed the membership and legal contacts this morning and posted about the 
commencement of the Implementer's Draft review at 
http://openid.net/2011/12/23/review-of-proposed-openid-connect-implementer%e2%80%99s-drafts/.

I posted a personal message about this at http://self-issued.info/?p=619.  Nat 
Sakimura posted at 
http://nat.sakimura.org/2011/12/24/openid-connect-implementers-draft/.  John 
Bradley posted at 
http://www.thread-safe.com/#!/2011/12/connect-implementers-draft.html.  You're 
all encouraged to promote this accomplishment in your own ways as well.

This is a very significant day for the foundation!  Thanks for all that each of 
you did to get us to this point.

Coming next:  more deployments, feedback, and final specifications!

-- Mike



[OpenID board] Q4 bonus for Don Thibeau unanimously approved

2011-12-24 Thread Mike Jones
The following resolution was unanimously passed by the OpenID Foundation 
Executive Committee today:

Be it resolved that the fourth quarter 2011 bonus to Mr. Don Thibeau, the 
executive director of the OpenID Foundation, to be approved.

Thanks for all the hard work Don and for the achievements of the past year.  We 
eagerly look forward to all that the New Year will bring!

Merry Christmas to you and your family!
-- The OIDF Executive Committee



[OpenID board] Correction needed to election announcement

2012-01-03 Thread Mike Jones
Thanks for getting the election announcement out, Don.  However, a correction 
may be needed.  Per the forwarded announcement below, Chris was not one of the 
people serving a two-year term.  Likewise, the announcement at 
http://openid.net/2010/11/08/oidf-board-election-announcement/ stated that 
there were four 2-year terms - not 5.

I realize that Chris was appointed to fill the remainder of Marc Frons's 2-year 
term.   Marc's (now Chris's) term began in 2010.  Therefore, this term expires 
with the ending of the 2011 board.

If I'm right, this means that there are two open seats (both for 2-year terms) 
- not one.  And Chris will need to stand for election, should he wish to 
continue his board membership.

Best wishes,
-- Mike

From: openid-board-boun...@lists.openid.net 
[mailto:openid-board-boun...@lists.openid.net] On Behalf Of Don Thibeau
Sent: Thursday, December 16, 2010 5:29 AM
To: openid-board@lists.openid.net
Subject: [OpenID board] Introducing the 2011 OpenID Community Board 
Representatives

Dear Members,
Thank you for voting for those who will represent you at this pivotal time for 
OpenID. This is to introduce the newly elected community directors of the 
OpenID Foundation Board. In 2011 Brian Kissel and Allen Tom will be fulfilling 
the second year of their terms as community representatives.  Marc Frons has 
resigned from the second year of his service because of pressing business 
issues at the New York Times.
Mike Jones, Chris Messina, Nat Sakimura and John Bradley bring deep domain 
expertise in online identity to their board service.  I think it's fair to say 
their election reflects a community-wide acknowledgement of the consistency and 
quality of their contributions in recent years. The election of Kick Willemse 
and Axel Nennker signals an important shift towards more international 
leadership on the board. At last week's Identity Next Conference and at the 
Identity Summit in Geneva, Nat, John, Kick and Axel led discussions expanding a 
more global view of OpenID's adoption and updating its technology with our 
colleagues in the EU. Nat, Mike, Kick and John have been elected to two-year 
terms. David Recordon will represent Facebook in 2011.
It's important to acknowledge the contributions of Luke Sheppard, Mike Ozburn, 
Dick Hardt, Joseph Smarr, Daniel Jacobson and Rob Harles. Each contributed the 
energy, talent and diversity of views that makes the foundation an occasionally 
frustrating, increasingly complex and unique resource in online identity.  
Because of their efforts, the 2011 board starts the new year with a mandate for 
building momentum around the merged AB/Connect working group and 
restructuring the OIDF to be a more effective, more international organization.

Technology development and board deliberations rarely follow a graceful upward 
curve. With the push / pull of competing business models and the cross 
jurisdictional impact of online identity, it's easy to underestimate the time 
and commitment required of directors to reconcile corporate, community and 
global interests in a rapidly changing identity ecosystem. The board has 
important work to do right from the start of 2011.  It must leverage and deploy 
the unique assets of the foundation, its leadership as a convener of OpenID 
Summits, its authoritative voice in standards development, and most 
importantly its growing worldwide community.
This is to you to engage with this new board from the start. We will soon 
publish a calendar of OpenID Summits, reorganize our governance and advance the 
utility of our product through the AB/Connect working group.  Blog your views 
at openid.net, serve on work groups and contribute to the development of one of 
the most important technologies of our time.
Don Thibeau
Executive Director
http://www.openid.net





[OpenID board] OpenID board election nominations closed

2012-01-23 Thread Mike Jones
All candidates received the required number of seconds.  Unless any 
irregularities are pointed out before then, voting should begin on Wednesday, 
January 25th at Noon and end on Wednesday, February 8th at Noon, per 
http://openid.net/2012/01/03/openid-foundation-2012-community-board-member-election/,
 with all times being US Pacific Time.

The seven candidates for the two open seats are:

Axel Nennker
George Fletcher
Greg Keegstra
David Marceau
Patrice Vuillard
Sébastien Brault
Yosef Vuillard

 Best of luck to all the candidates!
-- Mike



[OpenID board] Implementer’s Drafts posted with -ID1 version designations

2012-02-27 Thread Mike Jones
The approved Implementer’s Drafts are now also posted at these locations:

· http://openid.net/specs/openid-connect-basic-1_0-ID1.html
· http://openid.net/specs/openid-connect-discovery-1_0-ID1.html
· http://openid.net/specs/openid-connect-registration-1_0-ID1.html
· http://openid.net/specs/openid-connect-messages-1_0-ID1.html
· http://openid.net/specs/openid-connect-standard-1_0-ID1.html
· http://openid.net/specs/oauth-v2-multiple-response-types-1_0-ID1.html

The original versions with numeric version designations remain in place.

-- Mike



Re: [OpenID board] OpenID brand page on Facebook

2012-03-03 Thread Mike Jones
Brian, is the Facebook page yours?

Also, Brian, do you own the LinkedIn OpenID Community Group page at 
http://www.linkedin.com/groups?gid=40144mostPopular=trk=tyah or the OpenID 
Community page at 
http://www.linkedin.com/groups/OpenID-Community-47654?gid=47654mostPopular=trk=tyah?

-- Mike

From: openid-board-boun...@lists.openid.net 
[mailto:openid-board-boun...@lists.openid.net] On Behalf Of David Recordon
Sent: Saturday, March 03, 2012 1:07 PM
To: openid-board@lists.openid.net
Subject: Re: [OpenID board] OpenID brand page on Facebook

Nope, it's not my page.
On Sat, Mar 3, 2012 at 12:47 PM, Mike Jones 
michael.jo...@microsoft.com wrote:
This isn't an automatically created page.  It has custom content like 
http://www.facebook.com/pages/OpenID/15157608236#!/pages/OpenID/15157608236?v=info.
  Eric, maybe you can ask David if it's his.  He owned the Twitter page and the 
content sounds like his writing to me.

-- Mike

From: openid-board-boun...@lists.openid.net 
[mailto:openid-board-boun...@lists.openid.net] On Behalf Of Nat Sakimura
Sent: Saturday, March 03, 2012 9:38 AM
To: openid-board@lists.openid.net
Subject: Re: [OpenID board] OpenID brand page on Facebook

Not sure, but from my experience, if someone presses the Facebook like button, it 
automatically creates a page like that.

I just tested it with one of my pages.

Example:  
https://www.facebook.com/pages/The-program-of-the-Congress/282789948456006

It says The program of the Congress joined Facebook, but there is no such 
user. It is just the artifact of somebody pressing like button.

Anyways, we might want to try to claim the pages as Brand for the former and 
Organization for the latter.

Cheers,

Nat

On Fri, Mar 2, 2012 at 8:57 AM, Eric Sachs 
esa...@google.com wrote:
Does anyone know the owner of this Facebook page for OpenID:
http://www.facebook.com/pages/OpenID/15157608236
The OIDF Marketing Committee is tracking down logins for the different social 
pages so we can start using them for marketing.  We noticed that Facebook page 
already existed so we hoped to reuse it.  There is also a less popular one at
http://www.facebook.com/pages/OpenID-Foundation/19124593579

I have contacted David Recordon & Chris Messina as well.  David says he does 
not own it, and I am waiting to hear from Chris.

--
Eric Sachs | Senior Product Manager | esa...@google.com





--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en





Re: [OpenID board] Implementer's Drafts posted with -ID1 version designations

2012-03-30 Thread Mike Jones
The specs are written in normative spec language, but they still describe a 
process that's very simple at its core.  Have a look at 
http://nat.sakimura.org/2012/01/20/openid-connect-nutshell/, which is written 
as a primer, rather than in spec language.  After that, I think you'll agree 
that what's there is actually quite simple to use.

If you still disagree, then we'd be interested in hearing what specific changes 
you'd suggest that we make.

-- Mike

From: Paul E. Jones [mailto:pau...@packetizer.com]
Sent: Friday, March 30, 2012 10:17 AM
To: Mike Jones; sp...@openid.net
Cc: bo...@openid.net; gsalg...@cisco.com
Subject: RE: Implementer's Drafts posted with -ID1 version designations

Gee, guys... I think something has gone terribly wrong here.  I was really 
excited about OpenID, believing it was a very important technology.  Further, 
OpenID was fairly simple.  One part was complex: the client code for the RP had 
to deal with querying the user's ID, looking for a Yadis file, and possibly 
digging through an HTML document - all in an effort to find the URI for the 
user's OP.  The OP code, on the other hand, is fairly trivial.

OpenID 2.0 could have been simplified easily by removing the requirement for 
processing a Yadis file and HTML document and replacing that with a simple Link 
header in HTTP.  One could also use RFC 6415 (Host-Meta) to make it simple to 
advertise one's OpenID ID (a challenge for the average person to use) and 
even the OP URI (though perhaps not so beneficial).

I wanted to get engaged in the work, but getting Cisco to sign agreements, 
especially when this was not my core job function, was a bit of a challenge.  
So, the work proceeded without me.  It's unfortunate, because my initial 
reaction to what I've seen is ... what happened?!?!

OpenID Connect was supposed to be simple.  That was one of the claims made when 
it was introduced.  Looking at these drafts, I'd argue that simple has been 
thrown out the window, in spite of the claim "simple" in the abstract of these 
documents.  Perhaps it's just a false first impression, but these documents 
certainly appear to introduce a lot of procedure and make reference to a number 
of required specifications that are not listed in the list below.

Do you really want to go down this path?  I would still be open to a 
simplification of OpenID 2.0 to remove the pain points.

Paul

From: openid-specs-boun...@lists.openid.net 
[mailto:openid-specs-boun...@lists.openid.net] On Behalf Of Mike Jones
Sent: Monday, February 27, 2012 8:36 PM
To: sp...@openid.net
Cc: bo...@openid.net
Subject: Implementer's Drafts posted with -ID1 version designations

The approved Implementer's Drafts are now also posted at these locations:

* http://openid.net/specs/openid-connect-basic-1_0-ID1.html
* http://openid.net/specs/openid-connect-discovery-1_0-ID1.html
* http://openid.net/specs/openid-connect-registration-1_0-ID1.html
* http://openid.net/specs/openid-connect-messages-1_0-ID1.html
* http://openid.net/specs/openid-connect-standard-1_0-ID1.html
* http://openid.net/specs/oauth-v2-multiple-response-types-1_0-ID1.html

The original versions with numeric version designations remain in place.

-- Mike
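
The HTML step of the OpenID 2.0 discovery that Paul's message describes (the Relying Party reading the user's page to find the OP, including the delegated case), as an added example that is not code from any poster or from the OpenID Foundation. The sample pages, URLs and function names are constructed for illustration; the `rel` values are the ones OpenID 2.0 and 1.1 define for HTML-based discovery.

```python
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlsplit


class DiscoveryError(Exception):
    """Raised when the page does not yield a usable OP endpoint."""


@dataclass(frozen=True)
class DiscoveryResult:
    version: str       # "2.0" or "1.1"
    op_endpoint: str   # where the RP sends the authentication request
    claimed_id: str    # the identifier the user typed and the RP keeps
    op_local_id: str   # the identifier the OP knows the user by (delegation)


class _HeadLinkParser(HTMLParser):
    """Collect <link rel href> pairs that appear inside <head> only.

    Links in <body> are ignored on purpose: body markup is often
    user-supplied (comments, profiles) and must not be able to name an OP.
    A page with no explicit <head> yields nothing (strict by design).
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_head = False
        self.head_seen = False
        self.links = {}  # rel token -> first href seen

    def handle_starttag(self, tag, attrs):
        if tag == "head" and not self.head_seen:
            self.in_head = self.head_seen = True
        elif tag == "body":
            self.in_head = False
        elif tag == "link" and self.in_head:
            attr = dict(attrs)
            href = (attr.get("href") or "").strip()
            # rel is a space-separated token list, compared case-insensitively
            for rel in (attr.get("rel") or "").lower().split():
                if href:
                    self.links.setdefault(rel, href)

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def _is_http_url(url):
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def discover_from_html(claimed_id, html_text):
    """Return the OP endpoint and identifiers advertised by an identity page."""
    parser = _HeadLinkParser()
    parser.feed(html_text)
    parser.close()
    # Prefer the 2.0 rel values, fall back to the 1.1 ones.
    for version, provider_rel, local_rel in (
        ("2.0", "openid2.provider", "openid2.local_id"),
        ("1.1", "openid.server", "openid.delegate"),
    ):
        endpoint = parser.links.get(provider_rel)
        if endpoint is None:
            continue
        if not _is_http_url(endpoint):
            raise DiscoveryError("OP endpoint is not an http(s) URL")
        # Without a local_id link the page is not delegating: the OP-local
        # identifier is the claimed identifier itself.
        local_id = parser.links.get(local_rel, claimed_id)
        return DiscoveryResult(version, endpoint, claimed_id, local_id)
    raise DiscoveryError("no OpenID provider link in <head>")


# Constructed sample: a personal page that delegates to a hosted OP and
# also carries a provider link inside a body comment.
SAMPLE_DELEGATED = """<html><head><title>Alice</title>
<link rel="openid2.provider openid.server" href="https://op.example.net/endpoint">
<link rel="openid2.local_id openid.delegate" href="https://op.example.net/user/alice">
</head><body>
<p>comment <link rel="openid2.provider" href="https://other.example.org/op"></p>
</body></html>"""

# Constructed sample: the only provider link sits in the body.
SAMPLE_BODY_ONLY = """<html><head><title>Forum</title></head><body>
<link rel="openid2.provider" href="https://other.example.org/op">
</body></html>"""

# Constructed sample: OpenID 1.1 rel values only, no delegation.
SAMPLE_V1 = """<html><head>
<link rel="openid.server" href="https://op.example.net/v1">
</head><body></body></html>"""

if __name__ == "__main__":
    print(discover_from_html("https://alice.example.com/", SAMPLE_DELEGATED))
```

With delegation the RP still treats the claimed identifier as the user's identity; only the OP-local identifier is what the OP is asked to assert.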



[OpenID board] OpenID Connect Technology Meeting, April 30, 2012

2012-04-03 Thread Mike Jones
Thanks to Yahoo! for sponsoring this meeting!

From: openid-specs-ab-boun...@lists.openid.net 
[mailto:openid-specs-ab-boun...@lists.openid.net] On Behalf Of John Bradley
Sent: Tuesday, April 03, 2012 5:46 PM
To: openid-specs...@lists.openid.net
Subject: [Openid-specs-ab] Apr 30 Meeting before IIW registration

http://apr30-oidf-wg.eventbrite.com/



Re: [OpenID board] [OpenID] OpenID Connect Wins 2012 European Identity and Cloud Award

2012-04-18 Thread Mike Jones
Also announced at 
http://openid.net/2012/04/18/openid-connect-wins-2012-european-identity-and-cloud-award/.


From: openid-general-boun...@lists.openid.net 
[mailto:openid-general-boun...@lists.openid.net] On Behalf Of Don Thibeau
Sent: Wednesday, April 18, 2012 10:34 AM
To: general OpenID.com
Subject: [OpenID] OpenID Connect Wins 2012 European Identity and Cloud Award


OpenID Connect Wins 2012 European Identity and Cloud Award

Today at the European Identity and Cloud Conference 
(http://www.id-conf.com/events/eic2012) it was announced that OpenID Connect 
(http://openid.net/connect/) has won the 2012 European Identity and 
Cloud Award for Best Innovation / New Standard. The OpenID Foundation and the 
Connect working group members want to thank Kuppinger Cole 
(http://www.kuppingercole.com/) for this prestigious award and their vote 
of confidence in the significance of OpenID Connect.

Dave Kearns of Kuppinger Cole said this about the award:

I'm pleased that Kuppinger Cole has granted OpenID Connect the award for Best 
Innovation/New Standard this year. What's most impressive is that this 
elegantly simple design resulted from the cooperation of such a diverse global 
set of contributors. I expect OpenID Connect to have a substantial positive 
impact on usable, secure identity solutions both for traditional computing 
platforms and mobile devices. My congratulations to the OpenID Foundation!

The application presented by the OpenID Foundation that resulted in the award 
follows.

European Identity & Cloud Awards 2012
Project company:

OpenID Foundation

Award category:

Best Innovation / New Standard in Information Security


1) Name of the Standard

OpenID Connect

2) Brief description of the Standard

OpenID Connect is a simple JSON/REST-based interoperable identity protocol 
built on top of the OAuth 2.0 family of specifications. Its design philosophy 
is make simple things simple and make complicated things possible.

While OAuth 2.0 is a generic access authorization delegation protocol, thus 
enabling the transfer of arbitrary data, it does not define ways to 
authenticate users or communicate information about them. OpenID Connect 
provides a secure, flexible, and interoperable identity layer on top of OAuth 
2.0 so that digital identities can be easily used across sites and 
applications. While enabling a default set of common claims about the user 
(such as name, e-mail address, and a user identifier enabling SSO) to be easily 
employed, OpenID Connect also enables participants to exchange any claims 
relevant to their application using simple JSON-based data structures.

As it is based in OAuth 2.0, OpenID Connect reaches beyond the Web. OpenID 
Connect brings identity interactions to apps and native applications on 
both smart phones and traditional computing devices, in addition to Web sites.

From a security perspective, OpenID Connect was built to be able to gracefully 
range from the low security levels typically employed for social networks to 
medium security levels needed for business applications to high security 
requirements needed for many government applications. OpenID Connect spans 
this wide range of applications by using JSON-based digital signature and 
encryption standards.

From a privacy perspective, OpenID Connect allows the selective sharing of 
attributes with user consent. It also enables the use of pairwise pseudonymous 
identifiers, thereby avoiding correlations as appropriate.

From a business perspective, OpenID Connect meets business needs for the use 
of claims from multiple Claims Providers in a single context (rather than a 
single Identity Provider being the source of all claims for any given 
interaction). It enables the use of Aggregated Claims, where signed claim 
values can be collected and passed on by OpenID Providers and the use of 
Distributed Claims, where claims are passed by reference, rather than by 
value, and dynamically retrieved by Relying Parties.

From a design perspective, OpenID Connect's modular design enables flexible 
deployments. Implementations can use only the components they need, while 
still remaining interoperable. For instance, Discovery and Dynamic Client 
Registration can be used in deployments where OpenID Providers can be chosen 
dynamically, whereas they aren't needed if the site or application uses only a 
fixed set of OpenID Providers.

Unlike the previous version of OpenID, user identities can be e-mail addresses 
that people already have and know, rather than being URLs that most people have 
difficulty using.

3) Who is contributing to the standard?

OpenID Connect was developed in an OpenID Foundation working group. OpenID 
working groups are open to all free of charge who sign the IPR Contribution 
agreement. Contributors include a diverse international representation of 
industry and independent technology leaders: AOL, Deutsche Telecom, Facebook, 
Google, Microsoft, Mitre Corporation, mixi, Nomura Research Institute, PayPal, 
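
Added example (not from the original message or from the OpenID Foundation): a sketch of how a provider can issue the pairwise pseudonymous identifiers the FAQ text above mentions, so that two relying parties cannot correlate the same user by comparing `sub` values. The keyed-hash derivation, the secret, the account and host names, and the function names are assumptions of this example.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed value for this example; a provider would load its own secret from a vault.
PROVIDER_SECRET = b"constructed-example-secret"


def sector_identifier(redirect_uris, sector_identifier_uri=None):
    """Return the host that defines which clients share one pseudonym space.

    Assumption of this example: the provider has already fetched the document at
    sector_identifier_uri and confirmed that it lists every redirect URI.
    """
    if sector_identifier_uri is not None:
        parts = urlsplit(sector_identifier_uri)
        if parts.scheme != "https" or not parts.hostname:
            raise ValueError("sector_identifier_uri must be an https URL with a host")
        return parts.hostname
    hosts = {urlsplit(uri).hostname for uri in redirect_uris}
    if None in hosts or len(hosts) != 1:
        raise ValueError("redirect URIs must share one host, or a sector_identifier_uri is required")
    return next(iter(hosts))


def pairwise_sub(local_account_id, sector, secret=PROVIDER_SECRET):
    """Derive a stable per-sector subject identifier for one local account."""
    fields = [sector.encode("utf-8"), local_account_id.encode("utf-8")]
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    message = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def demo():
    """Issue identifiers for one constructed account at three constructed clients."""
    account = "acct-1001"
    shop = sector_identifier(["https://shop.example/cb", "https://shop.example/cb2"])
    news = sector_identifier(["https://news.example/cb"])
    # A second client of the same operator opts into the shop's sector.
    shop_app = sector_identifier(
        ["https://shop-mobile.example/cb"],
        sector_identifier_uri="https://shop.example/sector.json",
    )
    return {
        "shop": pairwise_sub(account, shop),
        "news": pairwise_sub(account, news),
        "shop_app": pairwise_sub(account, shop_app),
    }


if __name__ == "__main__":
    for client, sub in demo().items():
        print(client, sub)
```

Unrelated relying parties receive different identifiers for the same account, while clients that share a sector receive the same one.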

Re: [OpenID board] Infrastructure update

2012-09-04 Thread Mike Jones
My sense is that Darren spent somewhere between 1-3 hours on the last election, 
doing things we asked him to do.  Don or John Ehrig should be able to find 
records of billed hours.

-- Mike

-Original Message-
From: openid-board-boun...@lists.openid.net 
[mailto:openid-board-boun...@lists.openid.net] On Behalf Of Nat Sakimura
Sent: Tuesday, September 04, 2012 8:24 AM
To: Don Thibeau
Cc: bo...@openid.net; openid-board@lists.openid.net
Subject: Re: [OpenID board] Infrastructure update

Then what is the likely amount in reality? Past track record would help.

Nat

On Tue, Sep 4, 2012 at 9:40 PM, Don Thibeau d...@oidf.org wrote:
 The $5k number was the upper range for a disputed election.

 Don Thibeau
 The OpenID Foundation



 On Sep 4, 2012, at 4:59 AM, Nat Sakimura wrote:

 My concern was the cost estimate that we previously had for each voting.
 The number quoted this May was in the range of 5000 dollars, which is 
 significant.
 We will have a series of elections and voting in the coming months, 
 and if they were $5000 a piece, we should seriously think about what 
 we can do to mitigate the problem.

 Nat


 On Tue, Sep 4, 2012 at 9:25 AM, Mike Jones michael.jo...@microsoft.com 
 wrote:
 As for voting, unless the proposed alternative voting system enables proxy 
 voting and voting using members' registered OpenIDs, we can't use it without 
 a change to the IPR process (which requires a vote of the membership to do). 
  Also, for reasons of supporting our own technologies, I believe that we 
 want to continue having people vote with their registered OpenIDs.

 Having been on the elections committee as long as we've had elections, my 
 sense is that we've gotten the bugs out of the election system by now, and 
 it meets our needs.  Besides, it's paid for.  Integrating a new voting 
 system into our existing membership software (or creating new membership 
 software) would both be costs we would have to understand before undertaking 
 any changes in that regard.

 My sense is that the remaining costs of using it have to do with us 
 having Darren do things that we could do for ourselves.  (If there's 
 any reason we can't do them ourselves, we should remedy that before 
 or during this upcoming election.)

 I *do* think we should monitor the costs of running the 2013 election with 
 the current software so that we have data to base any decision to make a 
 change (or not make a change) on.

-- Mike

 -Original Message-
 From: openid-board-boun...@lists.openid.net 
 [mailto:openid-board-boun...@lists.openid.net] On Behalf Of Nat 
 Sakimura
 Sent: Monday, September 03, 2012 4:42 PM
 To: bo...@openid.net; Don Thibeau (OIDF ED)
 Subject: [OpenID board] Infrastructure update

 Don,

 Another issue that the board has to tackle is the infrastructure update.
 As I understand, the current infrastructure is very expensive to run an 
 election/membership voting.

 At the same time, you have been indicating the intention to move the current 
 web page infrastructure from Wordpress to Drupal.
 I suspect these two are dealt with together.

 I would appreciate any update on it in the next EC call so that we can 
 report it back to the board.

 FYI, I have built a Drupal site that copied most of the Wordpress content 
 with the URLs intact.
 Drupal also has a module called Advanced Voting, which seems to be capable 
 of doing the voting that does not reveal the result until it is closed.
 With a shopping cart module, it seems it is capable to unify the corporate 
 website, membership, and the voting capability.

 --
 Nat Sakimura (=nat)
 Chairman, OpenID Foundation
 http://nat.sakimura.org/
 @_nat_en



 --
 Nat Sakimura (=nat)
 Chairman, OpenID Foundation
 http://nat.sakimura.org/
 @_nat_en




--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en


[OpenID board] FW: Another password leak

2012-09-25 Thread Mike Jones


From: oidf-marketing-commit...@googlegroups.com 
[mailto:oidf-marketing-commit...@googlegroups.com] On Behalf Of Eric Sachs
Sent: Tuesday, September 25, 2012 10:58 AM
To: oidf-marketing-committee
Subject: Another password leak



-- Forwarded message --
From: Tim Bray twb...@google.com
Date: Tue, Sep 25, 2012 at 10:53 AM
Subject: Aaand another juicy password leak

http://ieeelog.com/


--
Eric Sachs | Senior Product Manager | esa...@google.com



[OpenID board] FW: Links to Yadis protocol outdated

2013-04-25 Thread Mike Jones
I think that, rather than pointing off to another site not under control of the 
foundation, it would be better if the Foundation were to host a copy of the 
Yadis spec at openid.net/specs/.

-- Mike

-Original Message-
From: openid-specs-boun...@lists.openid.net 
[mailto:openid-specs-boun...@lists.openid.net] On Behalf Of Denis Washington
Sent: Thursday, April 25, 2013 12:26 PM
To: sp...@lists.openid.net
Subject: Links to Yadis protocol outdated

Hi,

It seems as if yadis.org changed its owner and does not host the Yadis protocol 
specification anymore. This means that the link to Yadis in the OpenID 
Authentication 2.0 spec now points to a 404 page. Instead, the Yadis links 
should probably link to http://infogrid.org/trac/wiki/Yadis .

Regards,
Denis Washington





[OpenID board] FW: Second OpenID Connect Implementer’s Drafts Approved

2013-07-31 Thread Mike Jones


From: Mike Jones
Sent: Wednesday, July 31, 2013 1:32 AM
To: openid-specs...@lists.openid.net
Subject: Second OpenID Connect Implementer’s Drafts Approved

The results have been announced at 
http://openid.net/2013/07/30/second-openid-connect-implementers-drafts-approved/.

Congratulations all!

-- Mike



Re: [OpenID board] OpenID Connect Specs Nearing Completion

2013-10-14 Thread Mike Jones
(I'm going to reply to this only on the working group list, since most of the 
detail isn't relevant to audiences other than working group members.)

-- Mike

From: openid-board-boun...@lists.openid.net 
[mailto:openid-board-boun...@lists.openid.net] On Behalf Of Nat Sakimura
Sent: Sunday, October 13, 2013 11:13 AM
To: openid-connect-inte...@googlegroups.com
Cc: openid-specs...@lists.openid.net; bo...@openid.net
Subject: Re: [OpenID board] OpenID Connect Specs Nearing Completion

Thank you very much, Mike.
It is a great work. Having said that,

I have some comments on it.


  1.  The terminology section is not assuming the agreed upon structure as in 
http://nat.sakimura.org/wp-content/uploads/2013/08/openid-connect-all-1_0.html 
[1]. Note that the order of the terms in [1] is not alphabetical but in the 
semantic order: i.e., the term that is used in the text appears before it. 
Also, it is separating out the definition text and the notes. That is adding to 
the readability of the text greatly. It is also showing where it came from.
  2.  The agreed upon structure is much less deep. It was one of the main 
consideration in restructuring. It is adding to the ease for grasping the 
structure. For example, in your version, it is 
2.2.2.1.1. Authorization Request Parameters 
(http://openid.net/specs/openid-connect-core-1_0-13.html#ImplicitRequestParameters) 
while in [1], it is 3.1.1.  Request 
Parameters.
  3.  As to the order of the request parameters are concerned, I have placed 
'scope' at the top since it acts as the switch between OpenID call and pure 
OAuth call. This would definitely help the user when writing the code.
  4.  For the definition of 'scope', I change the text as follows to make it 
clear that it is stating about the value.

REQUIRED. The value MUST contain the openid. This scope value requests ID 
Token, which is a JWT that includes the Claims about the End-User 
Authentication event.

Your text is:

REQUIRED. Space delimited, case sensitive list of ASCII OAuth 2.0 scope values. 
OpenID Connect requests MUST contain the openid scope value. Other scope values 
MAY be present. See Sections 
4.1 (http://openid.net/specs/openid-connect-core-1_0-13.html#ScopeClaims) and 
10 (http://openid.net/specs/openid-connect-core-1_0-13.html#OfflineAccess) for 
additional scope values defined by this specification.

Here, at least "Space delimited, case sensitive ..." is superfluous since it 
is already defined in RFC6749. The former also describes the effect of this 
scope, while the latter does not.
  5.  This version still has claims authorization components in 2.1.2.4.
  6.  The "4. Claims" is not describing only about what is claims but also how 
the claims are to be requested and received. That's why [1] is using the 
chapter name "Claims Framework". I think this title is more appropriate, and 
has been agreed upon in the WG.
  7.  Accordingly, the description about this chapter should also be 
strengthened. Your version states:

 This section specifies how the Client can obtain Claims about the End-User 
and defines a
 standard set of basic profile Claims.

while [1] states:

This section defines a framework in which the client may obtain the claims 
about the End User. It can be done through the pre-defined scopes values or 
through more granular claims parameter. The claims can come from a single 
source or distributed sources as well.
The latter, IMHO, is clearer.

  8.  Again, "4. Claims" is not assuming the order of the agreed upon 
structure. 4.5 should be moved before 4.2.
Regards,

Nat

2013/10/13 Mike Jones 
michael.jo...@microsoft.com
I posted this note at http://self-issued.info/?p=1137 and on Twitter as 
@selfissued to raise awareness that the time to do a final review of the OpenID 
Connect specs is now.

-- Mike

OpenID Connect Specs Nearing Completion

Based on feedback from developers, the OpenID Connect 
(http://openid.net/connect/) working group decided to replace the OpenID 
Connect Messages (http://openid.net/specs/openid-connect-messages-1_0-20.html) 
and OpenID Connect Standard 
(http://openid.net/specs/openid-connect-standard-1_0-21.html) 
specifications with a new OpenID Connect Core 
(http://openid.net/specs/openid-connect-core-1_0-13.html) specification 
that combines the contents from both of them before finishing OpenID Connect.  
The content has also been restructured to separate Authentication from other 
features such as Claims and to have separate Authentication sections for the 
different OAuth 2.0 flows.  No changes to the protocol were made.  The 
publication of this new spec is another major step towards finishing OpenID 
Connect.

Please review this and the other OpenID Connect specifications in the coming 
week.  While a few local changes will still be made this week to address issues 
that have been 
identifiedhttps

[OpenID board] First Release Candidates for final OpenID Connect specifications

2013-10-15 Thread Mike Jones
I'm pleased to announce that the first release candidate versions for final 
OpenID Connect specifications have been published.  The complete set of 
specifications has been updated to resolve all issues that had been filed 
against the specs being finished.

Please review these this week, in time for the in-person working group meeting 
on Monday (http://openid-wg-oct-2013.eventbrite.com/).  Besides publishing the 
specs in the usual formats, I've also created a Word version of the core spec 
with tracked changes turned on to facilitate people marking it up with specific 
proposed text changes.  If you're in the working group, please download it 
(http://self-issued.info/docs/openid-connect-core-1_0-14.docx) and make any 
corrections or changes you'd like to propose for the final specification.

The release candidate spec versions are:

* http://openid.net/specs/openid-connect-core-1_0-14.html
* http://openid.net/specs/openid-connect-discovery-1_0-18.html
* http://openid.net/specs/openid-connect-registration-1_0-20.html
* http://openid.net/specs/openid-connect-session-1_0-16.html
* http://openid.net/specs/oauth-v2-multiple-response-types-1_0-09.html

Also, two implementer's guides are also available to serve as self-contained 
references for implementers of basic Web-based Relying Parties:

* http://openid.net/specs/openid-connect-basic-1_0-29.html
* http://openid.net/specs/openid-connect-implicit-1_0-12.html

Thanks to Nat for the early feedback.  The structure of Core has been changed 
somewhat since -13 to adopt some of his suggestions.

-- Mike

P.S.  I also posted about this at http://self-issued.info/?p=1140 and as 
@selfissued.



[OpenID board] FW: Third Release Candidates for final OpenID Connect specifications

2013-12-18 Thread Mike Jones


From: Mike Jones
Sent: Wednesday, December 18, 2013 11:23 PM
To: openid-specs...@lists.openid.net
Subject: Third Release Candidates for final OpenID Connect specifications

The third set of release candidates for final OpenID Connect 
(http://openid.net/connect/) specifications is now available.  The 
changes since the second release candidates (https://self-issued.info/?p=1148) 
have mostly been to incorporate review comments on the Discovery, Dynamic 
Registration, and Multiple Response Types specifications.  All known review 
comments have now been applied to the specifications.

The release candidates for Final Specification status are:

* http://openid.net/specs/openid-connect-core-1_0-16.html
* http://openid.net/specs/openid-connect-discovery-1_0-20.html
* http://openid.net/specs/openid-connect-registration-1_0-22.html
* http://openid.net/specs/oauth-v2-multiple-response-types-1_0-11.html

Accompanying release candidates for Implementer's Draft status are:

* http://openid.net/specs/openid-connect-session-1_0-18.html
* http://openid.net/specs/oauth-v2-form-post-response-mode-1_0-02.html

Accompanying Implementer's Guides are:

* http://openid.net/specs/openid-connect-basic-1_0-31.html
* http://openid.net/specs/openid-connect-implicit-1_0-14.html

This announcement is also posted at http://self-issued.info/?p=1152 and on 
Twitter as @selfissued.

-- Mike



[OpenID board] FW: Fourth and possibly last Release Candidates for final OpenID Connect specifications and Notice of 24 hour review period

2013-12-19 Thread Mike Jones


From: Mike Jones
Sent: Thursday, December 19, 2013 10:17 PM
To: openid-specs...@lists.openid.net
Subject: Fourth and possibly last Release Candidates for final OpenID Connect 
specifications and Notice of 24 hour review period

The fourth and possibly last set of release candidates for final OpenID Connect 
(http://openid.net/connect/) specifications is now available.  Per the 
decision on today's working group call, this message starts a 24 hour final 
working group review period before starting the 60 day public review period.  
Unless significant issues are raised during the 24 hour review period, we will 
announce that these specifications are being proposed as Final Specifications 
by the working group.

The release candidates for Final Specification status are:

* http://openid.net/specs/openid-connect-core-1_0-17.html
* http://openid.net/specs/openid-connect-discovery-1_0-21.html
* http://openid.net/specs/openid-connect-registration-1_0-23.html
* http://openid.net/specs/oauth-v2-multiple-response-types-1_0-11.html

Accompanying release candidates for Implementer's Draft status are:

* http://openid.net/specs/openid-connect-session-1_0-18.html
* http://openid.net/specs/oauth-v2-form-post-response-mode-1_0-02.html

Accompanying Implementer's Guides are:

* http://openid.net/specs/openid-connect-basic-1_0-32.html
* http://openid.net/specs/openid-connect-implicit-1_0-14.html

This notice was also published at http://self-issued.info/?p=1154 and on 
Twitter as @selfissued.

-- Mike



[OpenID board] FW: Review of Proposed Final OpenID Connect Specifications and Implementer’s Drafts

2013-12-20 Thread Mike Jones
Unless recall-class issues are found during the review, this means we’ll have 
final OpenID Connect specifications on Tuesday, February 25, 2014.

From: Mike Jones
Sent: Friday, December 20, 2013 9:57 PM
To: openid-sp...@lists.openid.net
Subject: Review of Proposed Final OpenID Connect Specifications and 
Implementer’s Drafts

The OpenID Connect Working Group recommends approval of the following 
specifications as Final OpenID Specifications:

· OpenID Connect Core 
(http://openid.net/specs/openid-connect-core-1_0-17.html) – Defines the 
core OpenID Connect functionality: authentication built on top of OAuth 2.0 and 
the use of Claims to communicate information about the End-User.

· OpenID Connect Discovery 
(http://openid.net/specs/openid-connect-discovery-1_0-21.html) – 
Defines how Relying Parties dynamically discover information about OpenID 
Providers.

· OpenID Connect Dynamic Client Registration 
(http://openid.net/specs/openid-connect-registration-1_0-23.html) – 
Defines how Relying Parties dynamically register with OpenID Providers.

· OAuth 2.0 Multiple Response Type Encoding 
(http://openid.net/specs/oauth-v2-multiple-response-types-1_0-11.html) 
– Defines several specific new OAuth 2.0 response types.

The working group also recommends approval of the following specifications as 
OpenID Implementer’s Drafts:

· OpenID Connect Session Management 
(http://openid.net/specs/openid-connect-session-1_0-18.html) – 
Defines how to manage OpenID Connect sessions, including logout functionality.

· OAuth 2.0 Form Post Response Mode 
(http://openid.net/specs/oauth-v2-form-post-response-mode-1_0-02.html) – 
Defines how to return OAuth 2.0 Authorization Response parameters (including 
OpenID Connect Authentication Response parameters) using HTML form values that 
are auto-submitted by the User Agent using HTTP POST.

A Final Specification provides intellectual property protections to 
implementers of the specification and is not subject to further revision.  An 
Implementer’s Draft is a stable version of a specification also providing 
intellectual property protections, but that is subject to further revision.

This note starts the 60 day public review period for the specification drafts 
in accordance with the OpenID Foundation IPR policies and procedures. This 
review period will end on Tuesday, February 18, 2014. Unless issues are 
identified during the review that the working group believes must be addressed 
by revising the drafts, this review period will be followed by a seven day 
voting period during which OpenID Foundation members will vote on whether to 
approve these drafts as Final Specifications and Implementer’s Drafts.  For the 
convenience of members, voting may begin up to two weeks before Tuesday, 
February 18th, with the voting period still ending on Tuesday, February 25, 
2014.

A description of OpenID Connect can be found at http://openid.net/connect/. The 
working group page is http://openid.net/wg/connect/. Information on joining the 
OpenID Foundation can be found at 
https://openid.net/foundation/members/registration. If you’re not already a 
member, please consider joining to participate in the approval vote.

You can send feedback on the specifications in a way that enables the working 
group to act upon your feedback by (1) signing the contribution agreement at 
http://openid.net/intellectual-property/ to join the working group (please 
specify that you are joining the “AB+Connect” working group on your 
contribution agreement), (2) joining the working group mailing list at 
http://lists.openid.net/mailman/listinfo/openid-specs-ab, and (3) sending your 
feedback to the list.

Locations for the proposed Final Specifications are:

· http://openid.net/specs/openid-connect-core-1_0-17.html
· http://openid.net/specs/openid-connect-discovery-1_0-21.html
· http://openid.net/specs/openid-connect-registration-1_0-23.html
· http://openid.net/specs/oauth-v2-multiple-response-types-1_0-11.html

Locations for the proposed Implementer’s Drafts are:

· http://openid.net/specs/openid-connect-session-1_0-18.html
· http://openid.net/specs/oauth-v2-form-post-response-mode-1_0-02.html

These informational Implementer’s Guides also accompany these specifications:

· OpenID Connect Basic Client Implementer’s Guide 
(http://openid.net/specs/openid-connect-basic-1_0-32.html) – Simple subset 
of the Core functionality for a web-based Relying Party using the OAuth code 
flow.

· OpenID Connect Implicit Client Implementer’s Guide 
(http://openid.net/specs/openid-connect-implicit-1_0-14.html) – Simple 
subset of the Core functionality for a web-based Relying Party using the OAuth 
implicit flow.

Locations for the accompanying Implementer’s Guides are:

· http://openid.net/specs/openid-connect-basic-1_0-32.html
· http://openid.net/specs/openid-connect-implicit-1_0-14.html

[OpenID board] FW: Vote for Final OpenID Connect Specifications and Implementer’s Drafts is Open

2014-02-11 Thread Mike Jones


From: Mike Jones
Sent: Tuesday, February 11, 2014 10:46 AM
To: 'gene...@openid.net'; 'sp...@openid.net'
Subject: Vote for Final OpenID Connect Specifications and Implementer’s Drafts 
is Open

The opening of the vote to approve four final OpenID Connect specifications and 
two Implementer’s Drafts has been announced at 
http://openid.net/2014/02/11/vote-for-final-openid-connect-specifications-and-implementers-drafts-is-open/.

Please vote now at https://openid.net/foundation/members/polls/80.

-- Michael B. Jones – OpenID Foundation Secretary


Re: [OpenID board] Site update (openid.net)

2014-02-18 Thread Mike Jones
Agreed - this looks much better!  Thanks!

One nit - could you change the words "Work Groups" to "Working Groups" in the 
top banner?  It reads more naturally, and is terminology that people are more 
familiar with.

Thanks,
-- Mike

From: openid-board-boun...@lists.openid.net 
[mailto:openid-board-boun...@lists.openid.net] On Behalf Of Nat Sakimura
Sent: Tuesday, February 18, 2014 5:36 AM
To: oidf-marketing-committee
Cc: bo...@openid.net
Subject: Re: [OpenID board] Site update (openid.net)

You are welcome.

I wanted to do it before the Connect launch.

Nat

2014-02-18 22:30 GMT+09:00 Don Thibeau d...@oidf.org:
Thanks Nat

These are important and timely improvements.


Don Thibeau
The OpenID Foundation (http://openid.net)


2014-02-18 21:26 GMT+09:00 Nat Sakimura sakim...@gmail.com:
Hi.

I have implemented the long overdue pre-approved update of the web site finally.
I have disabled featured pages for the time being as voting announcements are 
more important.
Otherwise, it is more or less exactly the same as what has been approved 
previously.

Please let me know if there is any discrepancy:

One note: I do not have any images and tag lines for Native Apps WG.
It would be great if someone could provide it.

Best,

--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en



--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en




--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en


[OpenID board] The OpenID Foundation Launches the OpenID Connect Standard

2014-02-26 Thread Mike Jones
See 
http://openid.net/2014/02/26/the-openid-foundation-launches-the-openid-connect-standard/
 and the tweet at @openid.

This was also already favorably covered by TechCrunch:  
http://techcrunch.com/2014/02/26/openid-foundation-launches-openid-connect-identity-protocol-with-support-from-google-microsoft-others/.

Cheers,
-- Mike



[OpenID board] Monday, May 5 OpenID Workshop at Yahoo! before IIW

2014-03-17 Thread Mike Jones
The OpenID Foundation Workshop 
(http://eventbrite.com/event/1174511997?utm_source=eb_emailutm_medium=emailutm_campaign=new_eventv2utm_term=eventname_text) 
on Monday, May 5th before IIW has been announced.  Check it out here: 
http://www.eventbrite.com/e/openid-foundation-workshop-tickets-1174511997.

Thanks to Yahoo! for hosting.

-- Mike



Re: [OpenID board] [Board-ec] Fwd: JTC1_N13405-Proposal for a liaison C between Open ID Foundation and ISO/IEC JTC1 SC27 WG5

2014-03-20 Thread Mike Jones
Congratulations and thanks for making this happen, Nat!

-- Mike

From: board-ec-boun...@lists.openid.net 
[mailto:board-ec-boun...@lists.openid.net] On Behalf Of Nat Sakimura
Sent: Thursday, March 20, 2014 8:33 AM
To: board...@lists.openid.net; Board OpenID
Subject: [Board-ec] Fwd: JTC1_N13405-Proposal for a liaison C between Open ID 
Foundation and ISO/IEC JTC1 SC27 WG5

Dear fellow board members,

As attached, the ISO/IEC liaison has been approved.

Nat Sakimura

Begin forwarded message:
From: Blandine GARCIA garc...@iso.org
Date: March 20, 2014 13:51:12 GMT+1
To: n...@sakimura.org
Cc: Passia Krystyna Mrs krystyna.pas...@din.de, Blandine GARCIA 
garc...@iso.org
Subject: JTC1_N13405-Proposal for a liaison C between Open ID Foundation and 
ISO/IEC JTC1 SC27 WG5
Establishment of Category C liaison between OIDF and ISO/IEC JTC1 SC27 WG5

Dear Sakimura-San,

With reference to your request to ISO/IEC JTC 1/SC 27 for the establishment of 
Category C liaison with SC 27/WG 5, after consulting ISO/IEC JTC 1 we can 
confirm that Category C liaison has now been officially established between 
ISO/IEC JTC 1/SC 27/WG 5 and your organization.

If you have any questions concerning this liaison please contact us.


Mrs Blandine GARCIA
ISO/IEC Information Technology Task Force
ISO Project Manager

ISO Central Secretariat
1, Ch. de la Voie-Creuse
Case Postale 56
CH-1211 Genève 20

Telephone: +41 22 749 01 11
Direct line:  +41 22 749 02 40
Fax:   +41 22 749 03 49
E-mail:    garc...@iso.org
Web:       www.iso.org





Re: [OpenID board] [Board-ec] Fwd: JTC1_N13405-Proposal for a liaison C between Open ID Foundation and ISO/IEC JTC1 SC27 WG5

2014-03-20 Thread Mike Jones
For context, as recorded in the just-posted board meeting minutes, this enables 
ITU-T to use OpenID specifications.  This is a big deal.

-- Mike

From: board-ec-boun...@lists.openid.net 
[mailto:board-ec-boun...@lists.openid.net] On Behalf Of Mike Jones
Sent: Thursday, March 20, 2014 10:43 AM
To: Nat Sakimura; board...@lists.openid.net; Board OpenID
Subject: Re: [Board-ec] Fwd: JTC1_N13405-Proposal for a liaison C between Open 
ID Foundation and ISO/IEC JTC1 SC27 WG5

Congratulations and thanks for making this happen, Nat!

-- Mike

From: board-ec-boun...@lists.openid.net 
[mailto:board-ec-boun...@lists.openid.net] On Behalf Of Nat Sakimura
Sent: Thursday, March 20, 2014 8:33 AM
To: board...@lists.openid.net; Board OpenID
Subject: [Board-ec] Fwd: JTC1_N13405-Proposal for a liaison C between Open ID 
Foundation and ISO/IEC JTC1 SC27 WG5

Dear fellow board members,

As attached, the ISO/IEC liaison has been approved.

Nat Sakimura

Begin forwarded message:
From: Blandine GARCIA garc...@iso.org
Date: March 20, 2014 13:51:12 GMT+1
To: n...@sakimura.org
Cc: Passia Krystyna Mrs krystyna.pas...@din.de, Blandine GARCIA 
garc...@iso.org
Subject: JTC1_N13405-Proposal for a liaison C between Open ID Foundation and 
ISO/IEC JTC1 SC27 WG5
Establishment of Category C liaison between OIDF and ISO/IEC JTC1 SC27 WG5

Dear Sakimura-San,

With reference to your request to ISO/IEC JTC 1/SC 27 for the establishment of 
Category C liaison with SC 27/WG 5, after consulting ISO/IEC JTC 1 we can 
confirm that Category C liaison has now been officially established between 
ISO/IEC JTC 1/SC 27/WG 5 and your organization.

If you have any questions concerning this liaison please contact us.


Mrs Blandine GARCIA
ISO/IEC Information Technology Task Force
ISO Project Manager

ISO Central Secretariat
1, Ch. de la Voie-Creuse
Case Postale 56
CH-1211 Genève 20

Telephone: +41 22 749 01 11
Direct line:  +41 22 749 02 40
Fax:   +41 22 749 03 49
E-mail:    garc...@iso.org
Web:       www.iso.org





[OpenID board] June 5, 2014 OpenID Executive Committee Call Minutes

2014-06-19 Thread Mike Jones
June 5, 2014 OpenID Executive Committee Call Minutes

Present:
Don Thibeau, Executive Director
Nat Sakimura
George Fletcher
Mike Jones
John Bradley

Visitors:
John Ehrig, Global Inventures
Tom Smedinghoff, Edwards Wildman

Absent:
(the vice-chair position is currently vacant)


1.  US Government agency possibly joining at the sustaining level and 
Health Information Exchange Profile for OpenID Connect
Don updated us on the possibility of a US government agency joining the board 
and starting a new working group for a Health Information Exchange Profile for 
OpenID Connect.  The agency also plans to join the MIT Kerberos and Internet 
Trust (KIT) Consortium.  MIT plans to join the OpenID Foundation.  The target 
date for an OpenID Connect Workshop sponsored by MIT and the OpenID Foundation 
is Thu-Fri, Sep 18-19, 2014.


2.  Proposal to Change OIDF's State of Incorporation to allow for Proxy 
Voting
Oregon, where we are currently incorporated, doesn't allow proxy voting.  
Oregon is one of the most restrictive states for incorporation in terms of 
board governance.  Changing our incorporation to a state where proxy voting and 
alternative members is permitted would let us practically retain Eric Sachs and 
Dr. Tippett's official representation on the board for Google and Verizon, 
while allowing them to appoint alternates to participate on a day-to-day basis. 
 This could be a net positive for the Foundation.

Tom Smedinghoff gave us a report on our options.  He believes that Oregon law 
does restrict us in the ways described.  He does believe that we need to 
investigate the impact on our 501(c)(6) non-profit tax status application of 
re-incorporation.  He believes that re-incorporation is doable, but there would 
be a few hoops to jump through.

The costs of incorporating would not be great.  There would be some transition 
costs.  Some directed funding might be available to cover these costs.

The best estimate we have from our attorney on our 501(c)(6) completion is that 
it will take months, not years.  We probably want to wait to re-incorporate 
until this completes.  Tom and Don will do the legwork to prepare us to do so 
in the meantime.

A short-term fix would be to create a council of advisors.  The executive 
committee requested that Don invite Dr. Tippett and Eric Sachs to a council of 
advisors.  Don will share the proposed communications with the executive 
committee before they go out.  Creation of the council of advisors will need 
board approval.


3.  Vice Chairmanship Vacancy
The Vice Chairmanship is currently vacant, since Eric Sachs had to step down from 
the board due to his increased job responsibilities.  The board will need to 
vote to elect a new Vice Chairman.  It was suggested that someone make a motion 
nominating Adam Dawes to fill the vacancy.


4.  OpenID Connect Self-Certification
Don and Tom are working on a report to the board about the OpenID Connect 
self-certification program.


5.  Process for Making Future Public Statements About Vulnerabilities
There was insufficient time to consider this issue.


6.  Next EC Meeting
We will schedule another EC meeting in two weeks on June 19th to consider the 
remaining agenda items.





Re: [OpenID board] OIDF Board and EC 2014/15 Meeting Calendar Feedback

2014-07-31 Thread Mike Jones
I would choose RSA over IIW for the Spring board meeting.  The kinds of focused 
multi-hour board meetings we can have at RSA are much more valuable than the 
rushed, distracted ones we have at IIW.  We should also try to have the OIX 
board meet there and have a joint lunch again.  We should plan for a 2-3 hour 
board meeting at RSA so we have time to tackle substantive strategy and 
planning issues - not just rush through an agenda, which is all we have time 
for in one-hour meetings.

The other reason for choosing RSA is that I think we should be planning for 
P.R. and public launch events for a number of our initiatives there (and 
planning our work in the working groups accordingly).  The press is at RSA.  
They aren't at IIW.

We should schedule a full board call soon after the election ends to elect 
officers - mid-to-late February.

Pam and John, can you please impress upon the Ping Identity meeting planners 
the importance of not scheduling CIS on top of IETF again - in this case the 
July 19-24 meeting in Prague?

-- Mike

From: openid-board-boun...@lists.openid.net 
[mailto:openid-board-boun...@lists.openid.net] On Behalf Of Anthony Nadalin
Sent: Thursday, July 31, 2014 9:52 AM
To: openid-board@lists.openid.net
Cc: OIDF Board
Subject: Re: [OpenID board] OIDF Board and EC 2014/15 Meeting Calendar Feedback

I think we should be reducing the meetings at IETF unless there is some 
progress in the Health Care or Mobile profiles. There should not be any weekend 
board meetings (like at CIS), I would shoot for only 3-4 (max) F2F board 
meetings a year with optional video interim.

From: openid-board-boun...@lists.openid.net 
[mailto:openid-board-boun...@lists.openid.net] On Behalf Of John Bradley
Sent: Thursday, July 31, 2014 9:05 AM
To: openid-board@lists.openid.net
Cc: OIDF Board
Subject: Re: [OpenID board] OIDF Board and EC 2014/15 Meeting Calendar Feedback

For 1 that is fine on Oct 30. (There is an extra 19 in the date that I am 
ignoring)
2 is fine.

2a I note that MWC is March 2-5 in Barcelona and we may want to plan something 
around that, though probably not a board meeting.
2b IETF 92 Dallas March 22-27  (probably WG meeting)

3 Hotels are not cheap for IIW.   I will probably only do one of those events, 
but what one will likely depend on finding funding, so I am undecided at this 
point.

4 If we must.
4a IETF 93 Prague July 19-24  (I hope that doesn't collide with CIS again)  (WG 
meetings)

5 This may be a bit close to IETF 94, we may want to have the board meeting 
Wednesday to allow travel.
5a IETF 94 Yokohama Nov 1-6 (this may be an opportunity to piggyback an event 
with OIDFJ)

John B.
On Jul 31, 2014, at 7:52 AM, Don Thibeau d...@oidf.org wrote:

Your comments are requested regarding the proposed meetings times and 
locations. I have referenced the OIX meetings FYI.


1. The next OIX/OIDF FTF Full Board Meetings are on 19 October 30, 2014 in 
Mountain View in the morning as per previous years.

2. The OpenID Foundation Workshop is on Monday 10/27 Venue TBD

3. In 2015 IIW and RSA are right on top of one another. Pick one (RSA is the 
better alternative but the hotels are very expensive) IIW 20 is April 7-9, 2015 
in MV  or RSA 2015 April 20-24 in SF

4. The Cloud Identity Summit is 2015 July TBD, San Diego

5. IIW 21  October 27-29, 2015 in MV

6. OIX/OIDF Full Board Con Calls:
We have not been scheduling full board con calls between FTF meetings.
We plan to continue that cadence in 2015.

7. OIX/OIDF EC Con Calls:
We have been calendaring calls the first Thursday of the month, skipping the 
months we have full FTF board meetings and August and December as off months.
We plan to continue that cadence in 2015.


[OpenID board] July 19, 2014 OpenID Board Meeting Minutes

2014-07-31 Thread Mike Jones
July 19, 2014 OpenID Board Meeting Minutes

Present in Person:
Don Thibeau, Executive Director
Nat Sakimura
John Bradley
George Fletcher
Pamela Dingle
Adam Dawes

Present on the Phone:
Mike Jones
Torsten Lodderstedt
Peter Graham

Absent:
Tony Nadalin
Paul Agbabian
Dylan Casey
Raj Mata

Visitors:
Debbie Bucci, US Department of Health and Human Services, Office of the 
National Coordinator for Health Information Technology (ONC)
John Ehrig, Global Inventures
Tom Smedinghoff, Edwards Wildman Palmer
Mike Leszcz, OnPR
Eric Sachs, Google


1.  Healthcare Information Exchange profile for OpenID Connect
Debbie Bucci reported that ONC plans to join the board at the sustaining level. 
 All that remains is payment mechanics.  The ONC develops healthcare exchange 
standards.  The use of OpenID Connect has been recommended by the ONC.  ONC has 
joined other technology organizations related to their mission.  The MIT 
Kerberos Consortium has an open source implementation being used for healthcare 
IT, and also plans to join the OpenID Foundation.

A Healthcare Information Exchange working group creating a profile of OpenID 
Connect is being planned.  A pilot project is being planned.

Debbie is leading a profiling and interoperability testing effort at ONC.  She 
pointed out that just because you're certified, that doesn't mean that you're 
interoperable.  Interop testing is needed for that.  Initial funding is from 
the innovation team at the Department of Veterans Affairs in San Diego.

This working group will follow our normal IPR policies and procedures.


2.  Mobile Connect Profile
The proposed charter for the working group was presented at the OpenID workshop 
today at the Cloud Identity Summit.  An initial working group meeting will be 
held on July 29th as a conference call.  Several mobile network operators have 
signed contribution agreements, including Deutsche Telekom, Telefonica, and 
Verizon.  T-Mobile plans to join but still needs to submit their contribution 
agreement.  Don plans to follow up with his contacts at T-Mobile.


3.  Board of Advisors
The board unanimously adopted the resolution creating a board of advisors.  
This will allow Eric Sachs of Google and Dr. Peter Tippett of Verizon to 
continue participating in the foundation in an official capacity.


4.  Reactive PR Process
The board unanimously adopted the resolution creating a reactive PR process.


5.  Membership Update
PayPal has now paid their sustaining membership dues.  ONC's sustaining 
membership should become active shortly.


6.  Budget Update
The main change in the budget is lower projected legal fees for this year.  The 
board unanimously approved the budget as proposed.


7.  501(c)(6) Non-Profit Status
We have achieved our 501(c)(6) non-profit status.  This took seven years!  We 
are also in the final stages of our EU trademark registration.


8.  Vice-Chairmanship Position
George Fletcher was proposed as the new vice-chairman to replace Eric Sachs.  
Adam Dawes was proposed as the new community liaison to replace George.  Both 
would then be on the executive committee.  There were no other nominations 
made.  The board unanimously approved the nominations.





Re: [OpenID board] OIDF Board and EC 2014/15 Meeting Calendar Feedback

2014-08-04 Thread Mike Jones
The Hilton Union Square has availability every day during RSA at reasonable 
(for San Francisco) rates.  I'd reserve now.  You can always drop days from the 
reservation if you don't need them or cancel entirely with no penalty.

From: openid-board-boun...@lists.openid.net 
[mailto:openid-board-boun...@lists.openid.net] On Behalf Of Don Thibeau
Sent: Monday, August 04, 2014 7:52 AM
To: openid-board@lists.openid.net
Cc: OIDF Board
Subject: Re: [OpenID board] OIDF Board and EC 2014/15 Meeting Calendar Feedback

Seems like the consensus is for meetings at RSA.

Hotel rooms at that time are already hard to get and fantastically expensive 
this year at RSA as it coincides with Oracle world.


Don Thibeau
The OpenID Foundation
http://openid.net



On Aug 2, 2014, at 6:12 PM, Nat Sakimura sakim...@gmail.com wrote:

Agreed on the multi-hour board meetings.
If it is just transnational, we could do it over the phone call.



Re: [OpenID board] Making statement that XML sources of the specs are unofficial

2014-08-11 Thread Mike Jones
Here are my comments on your proposed actions:

1. Declare clearly in http://openid.net/specs/ that HTML files are 
authoritative and others are not.

We could do this in a readme.txt file there.

2. Remove all XML files from http://openid.net/specs/.

I strongly oppose doing this.  The files provide useful documentation on what 
has changed between versions.  They’re a lot easier to diff than the outputs.  
Also, we could lose svn.openid.net at some point, which is the only other place 
that these source files are authoritatively recorded for the foundation.

3. Put explanatory note in the XML files that they are not official and 
ipr=... and other tags are there just to satisfy the tools.

Agreed

4. Use ipr=none instead of ipr=full200902 in the XML file.

Agreed.  And we should say that the “Notices” section contains the pertinent 
IPR information.

5. Put the link to the OpenID IPR Policy to the text The OpenID Intellectual 
Property Rights policy

I would not include links to specific IPR documents in the comment because we 
update these from time to time. If you want to say anything in the comment, you 
could just say that current versions of the OpenID IPR Policy and Process 
documents can be found at openid.net.  The board has already decided that the 
text in the Notices section is sufficient in this regard.

Thanks,
-- Mike

From: openid-board-boun...@lists.openid.net 
[mailto:openid-board-boun...@lists.openid.net] On Behalf Of Nat Sakimura
Sent: Monday, August 11, 2014 7:52 PM
To: openid-board
Subject: [OpenID board] Making statement that XML sources of the specs are 
unofficial

Dear board members,

I have found out that the XML source code for our specifications are having the 
following.

?rfc ipr=full200902 and ?rfc private=Final

which indicates that the file follows IETF's IPR rather than OpenID 
Foundation's, and it is a private note and not a public document.

As I found out, it was put there to satisfy the tool that we are using: xml2rfc.

In the time of OpenID Authentication 2.0, it was using ?rfc ipr=full3978.

It is fine as long as these files are unofficial tool only, but there is no 
indication of it as it stands now.

Further investigation led me to find out that these XML files were not 
recorded in official http://openid.net/specs/ folder before OpenID Connect.

In addition, I have found out that there is no link from the Connect specs to 
the OpenID IPR Policy although there is a verbal mention of it in the Copyright 
statement. The reference is not there so the readers cannot find what it is.

This led me to think that we probably need to take the following actions:

1. Declare clearly in http://openid.net/specs/ that HTML files are 
authoritative and others are not.
2. Remove all XML files from http://openid.net/specs/.
3. Put explanatory note in the XML files that they are not official and 
ipr=... and other tags are there just to satisfy the tools.
4. Use ipr=none instead of ipr=full200902 in the XML file.
5. Put the link to the OpenID IPR Policy to the text The OpenID 
Intellectual Property Rights policy

My proposal for the XML Comment is as follows:

<!--
NOTE on this XML File.

This XML file is a tool to produce the authoritative copy of OpenID Foundation 
spec.
The authoritative copy is the HTML, and the corresponding XML source is not 
authoritative.
The statement that ipr=none is here only to satisfy the tool.
The IPR of this document is OpenID IPR Policy found at
http://openid.net/ipr/OpenID_IPR_Policy_(Final_Clean_20071221).pdf
and governed by OpenID Process found at
http://openid.net/wordpress-content/uploads/2010/01/OpenID_Process_Document_December_2009_Final_Approved.pdf.
The directive private=... is here only to satisfy the tool and desired HTML 
output.
This is a public OIDF document and not an individual private memo as 
private=... indicates.
-->

This is supposed to be put in at the top of the file right after the DOCTYPE 
declaration.

And my proposal for the /specs/ pages is to put the following after the first 
paragraph.

NOTE: HTML files are the authoritative version. All other formats are provided 
for the convenience of the readers.

Please discuss. After some discussion time, I will craft a motion for the email 
vote.

--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en


Re: [OpenID board] US Government Office of the National Coordinator for Health Information Technology (ONC) Joins the OpenID Foundation

2014-08-21 Thread Mike Jones
Congratulations on the ONC joining!

From: oidf-marketing-commit...@googlegroups.com 
[mailto:oidf-marketing-commit...@googlegroups.com] On Behalf Of Don Thibeau
Sent: Thursday, August 21, 2014 8:47 AM
To: OIDF Board
Cc: oidf-marketing-committee
Subject: US Government Office of the National Coordinator for Health 
Information Technology (ONC) Joins the OpenID Foundation


US Government Office of the National Coordinator for Health Information 
Technology (ONC) Joins the OpenID Foundation
The Office of the National Coordinator for Health Information Technology (ONC) 
located within the Office of the Secretary for the U.S. Department of Health 
and Human Services (HHS) has joined the OpenID Foundation (OIDF). ONC is the 
principal federal entity charged with coordination of nationwide efforts to 
implement and utilize the most advanced health information technology for the 
electronic exchange of health information.
ONC is at the forefront of the Administration's Health IT efforts and is a key 
standards development resource to the national health system to support the 
adoption of health information technology and the promotion of nationwide 
health information exchanges. Ms. Debbie Bucci will join the Board of Directors 
of the OpenID Foundation as the ONC representative.
The ONC plans to lead a Healthcare Information Exchange (HIE) working group to 
create a profile of OpenID Connect and associated pilot projects. Ms. Bucci, an 
IT Architect in the Implementation and Testing Division, is helping lead a 
profiling and interoperability testing effort at ONC and will be one of the 
leaders of the HIE working group.
Don Thibeau, Executive Director of the OIDF, pointed out that this public 
sector effort parallels the increasing global adoption among large commercial 
enterprises. Google, Microsoft, Ping identity, Salesforce, ForgeRock and others 
have embraced OpenID Connect as fundamental to their identity initiatives. 
Thibeau noted, After the launch of OpenID Connect early this year, the OIDF 
finds itself working on one of the hardest use cases in identity; patient 
medical records at the same time as working on the platform of choice; the 
mobile device. Working with OIDF member organizations like the ONC, GSMA and 
others brings important domain expertise and a user-centric focus to these OIDF 
working groups. These standards development activities are loosely coupled with 
pilots in the US, UK and Canada.
If you are interested in the HIE working group, please consider attending the 
OpenID Day on RESTful Services in Healthcare at MIT on September 19th in 
Cambridge, MA. This event will focus on emerging Web-scale technologies as 
applied to health information sharing. The focus will be on group discussion 
among MIT's expert participants. The OIDF will follow its standards development 
process while MIT leads outreach and industry engagement. This day is part of 
the 2-day annual MIT KIT Conference at MIT on September 18-19. For more 
information on this event and to register, please visit 
http://kit.mit.edu/events.

Don Thibeau
The OpenID Foundation
http://openid.net





[OpenID board] FW: General Availability of Microsoft OpenID Connect Identity Provider

2014-09-10 Thread Mike Jones
FYI

From: Mike Jones
Sent: Wednesday, September 10, 2014 12:09 PM
To: openid-specs...@lists.openid.net
Subject: General Availability of Microsoft OpenID Connect Identity Provider

Microsoft has announced that the Azure Active Directory OpenID Connect Identity 
Provider has reached general availability.  Read about it in Alex Simons' 
release announcement 
(http://blogs.technet.com/b/ad/archive/2014/09/09/openid-connect-and-oauth-2-0-support-in-azure-active-directory-has-ga-d.aspx).
The OpenID Provider supports discovery of the provider configuration 
information as well as session management (logout).  The team participated in 
public OpenID Connect interop testing 
(http://osis.idcommons.net/wiki/OC5:OpenID_Connect_Interop_5) prior to 
the release.  Thanks to all of you who performed interop testing with us.

-- Mike

P.S.  This note was also posted at http://self-issued.info/?p=1281 and as 
@selfissued.


[OpenID board] FW: Review of Proposed Errata to OpenID Connect Specifications

2014-09-16 Thread Mike Jones


From: Mike Jones
Sent: Tuesday, September 16, 2014 6:11 PM
To: sp...@lists.openid.net
Subject: Review of Proposed Errata to OpenID Connect Specifications

The OpenID Connect Working Group recommends the approval of Errata to the 
following specifications:

* OpenID Connect Core 1.0 
(http://openid.net/specs/openid-connect-core-1_0-21.html) - Defines the core 
OpenID Connect functionality: authentication built on top of OAuth 2.0 and the 
use of Claims to communicate information about the End-User

* OpenID Connect Discovery 1.0 
(http://openid.net/specs/openid-connect-discovery-1_0-24.html) - Defines how 
Relying Parties dynamically discover information about OpenID Providers

* OpenID Connect Dynamic Client Registration 1.0 
(http://openid.net/specs/openid-connect-registration-1_0-27.html) - Defines 
how Relying Parties dynamically register with OpenID Providers

An Errata version of a specification incorporates corrections identified after 
the Final Specification was published.  This note starts the 45 day public 
review period for the specification drafts in accordance with the OpenID 
Foundation IPR policies and procedures.  This review period will end on Friday, 
October 31, 2014.  Unless issues are identified during the review that the 
working group believes must be addressed by revising the drafts, this review 
period will be followed by a seven day voting period during which OpenID 
Foundation members will vote on whether to approve these drafts as OpenID 
Errata Drafts.  For the convenience of members, voting may begin up to two 
weeks before October 31st, with the voting period still ending on Friday, 
November 7, 2014.

These specifications incorporating Errata are available at:

* http://openid.net/specs/openid-connect-core-1_0-21.html

* http://openid.net/specs/openid-connect-discovery-1_0-24.html

* http://openid.net/specs/openid-connect-registration-1_0-27.html

The corresponding approved Final Specifications are available at:

* http://openid.net/specs/openid-connect-core-1_0-final.html

* http://openid.net/specs/openid-connect-discovery-1_0-final.html

* http://openid.net/specs/openid-connect-registration-1_0-final.html

A description of OpenID Connect can be found at http://openid.net/connect/. The 
working group page is http://openid.net/wg/connect/.  Information on joining 
the OpenID Foundation can be found at 
https://openid.net/foundation/members/registration.  If you're not a current 
OpenID Foundation member, please consider joining to participate in the 
approval vote.

You can send feedback on the specifications in a way that enables the working 
group to act upon your feedback by (1) signing the contribution agreement at 
http://openid.net/intellectual-property/ to join the working group (please 
specify that you are joining the AB+Connect working group on your 
contribution agreement), (2) joining the working group mailing list at 
http://lists.openid.net/mailman/listinfo/openid-specs-ab, and (3) sending your 
feedback to the list.

A summary of the errata corrections applied is:

* All - Added errata set number to the titles.

* All - Updated dates for specs containing errata updates.

* Core - Changed the RFC 6749 references from Section 3.2.1 to Section 
2.3.1 in the client_secret_basic and client_secret_post definitions.

* Fixed #954 - All - Added NOT RECOMMENDED to the list of RFC 2119 
terms.

* All - Updated references to pre-final IETF specs.

* All - Replaced uses of the terms JWS Header, JWE Header, and JWT 
Header with the JOSE Header term that replaced them in the JOSE and JWT 
specifications.

* Fixed #921 - Core 3.1.2.1 - Authorization Request should be 
Authentication Request.

* Fixed #926 - Core - Typo in Self-Issued ID Token Validation.

* Fixed #920 - Core - Attack identified against self-issued sub 
values.

* Core - Authorization Code validation is not done when using the 
response type code token because the validation process requires an ID Token.

* Fixed #925 - Registration - Typos (jwk vs jwks) in jwks client 
metadata parameter definition.

-- Michael B. Jones - OpenID Foundation Board Secretary

(This notice has also been posted at 
http://openid.net/2014/09/16/review-of-proposed-errata-to-openid-connect-specifications/.)



Re: [OpenID board] Welcome to the OIDF Board!

2014-11-03 Thread Mike Jones
Welcome, Roger!

-- Mike

OpenID Foundation Board Secretary

From: board [mailto:openid-board-boun...@lists.openid.net] On Behalf Of Don 
Thibeau
Sent: Monday, November 03, 2014 5:39 AM
To: openid-board@lists.openid.net
Cc: Paul Agbabian; Roger Casals
Subject: Re: [OpenID board] Welcome to the OIDF Board!

OpenID Foundation:

Please welcome Roger Casals to the Board of Directors of the OpenID Foundation.

Roger will be taking Paul Agbabian's place as Symantec's representative.

Paul Agbabian remains in his role of Vice Chairman of the Open Identity 
Exchange.

Symantec has an important role in supporting OpenID Connect Conformance 
Self-Certification and its registration on OIXnet.

Don Thibeau
The OpenID Foundation
http://openid.net


Don, I'm honored to be part of the team now, and I look forward to start 
contributing in my humble capacities... ;-)

Best regards

Roger


Roger Casals
Sr. Director, Product Management
Symantec Corporation
http://www.symantec.com/

Mountain View, CA
Office: +1 (650) 527-9790
Cell: +1 (408) 306-6564




[OpenID board] October 29, 2014 OpenID Board Meeting Minutes

2014-11-12 Thread Mike Jones
October 29, 2014 OpenID Board Meeting Minutes

Present in Person:
Don Thibeau, Executive Director
Nat Sakimura
John Bradley
George Fletcher
Pamela Dingle
Adam Dawes
Mike Jones
Tony Nadalin
Raj Mata
Lovesh Chhabra (representing Yahoo)
Debbie Bucci

Present on the Phone:
Torsten Lodderstedt
Peter Graham

Absent:
Paul Agbabian

Visitors:
John Ehrig, Global Inventures
Tom Smedinghoff, Edwards Wildman Palmer (on the phone)
Mike Leszcz, OIX


1.  Local Chapters Policy Proposal
The proposed local chapters policy has been in circulation for over a year.  It 
was changed recently to restrict the ability to direct funds to local chapters 
to sustaining members and to restrict the amount that can be directed to 50% of 
the dues. Tony asked why we aren't providing more incentive for local chapters 
to join.  He proposed a 75/25 split.  John, as treasurer spoke up for 50/50.  A 
compromise at 60/40 was suggested.  The proposal was unanimously approved, with 
up to 60% of funds being eligible for directed funding back to the local 
chapter.


2.  Liaison Report
We submitted a liaison statement to ISO SC27 WG5 and the statement was 
accepted.  We expect to receive ISO documents to review as a result.  We can 
let our members know that this gives them an opportunity to review ISO 
documents at no cost, if they're interested in doing so.  We have a category C 
liaison.

[Debbie Bucci joined the meeting at this point]

The ITU-T has accepted our liaison request for categories A4 and A5.  We 
received a liaison statement from Martin Euchner of the ITU.

Mike reported that Joni Brennan and he had a Kantara liaison meeting a few 
months ago.  They discussed the possibility of collaborations around 
certification but didn't determine a fruitful collaboration opportunity at that 
time.


3.  Account Chooser Working Group Status
The working group is working towards getting to Implementer's Drafts of the 
specification.  Pamela Dingle is actively merging several spec versions.  A few 
updates have been done to the production deployment.

Symantec is taking over issuing the certifications for the Account Chooser 
sites.  Tony requested that the certificates be extended validation (EV) 
certificates.  Mike also requested that only EV certs be considered, due to the 
verification of the identity of the party requesting the certificate that is 
done.

Adam reported that there were discussions with browser vendors and W3C security group 
about standardizing criteria for bootstrapping (populating) accounts in the 
account chooser.  Adam will inquire about establishing a liaison relationship 
with the W3C.

The board discussed what incentives enterprises have to bootstrap their 
accounts into Account Chooser.  The working group will take up writing down and 
publicizing those incentives.


4.  OpenID Connect Working Group Status
Votes are under way for approval of the OpenID Connect Errata and the OpenID 
2.0 Migration specification.  The working group is actively working on creating 
self-certification conformance criteria and working with Roland Hedberg and 
Umeå University on creating testing tools for those criteria.


5.  Native Applications Working Group Status
Several in-person working group meetings have been held recently and there has 
been a lot of input on the specifications.  They have determined that there are 
significant security and inter-process communication mechanism differences in 
the different platforms and different criteria for registering applications.  
The working group is trying to take these differences into account.  They are 
still a ways off from having Implementer's Drafts.


6.  Mobile OpenID Connect Profile Working Group Status
The working group is holding regular phone meetings.  An initial submission was 
made by Deutsche Telekom.  There are currently three work areas:  Discovery, 
Client Registration, and Authentication, with specifications for each.  There 
is also a developer experience document that Tim Bray created.  They are 
discussing several key topics, including MSISDN confidentiality, whether to 
have a single virtual IdP (this idea was rejected), and issues raised by 
telephone number portability.


7.  HEART Working Group Status
The Health Relationship Trust (HEART) working group was approved.  The proposed 
co-chairs are Eve Maler and Debbie Bucci.  They are currently reaching out to 
potential members with plans for a launch in January.


8.  Board Representatives
Debbie Bucci has joined the board representing the US Department of Health and 
Human Services, Office of the National Coordinator for Health Information 
Technology (ONC).  Symantec is transitioning its board representation from Paul 
Agbabian to Roger Casals.


9.  Financial and Membership Update
Our finances are in good shape.  We continue receiving new membership 
inquiries.  We have money budgeted for the legal preparations for 
self-certification.  Some additional funding may be needed

[OpenID board] December 4, 2014 OpenID Executive Committee Call Minutes

2014-12-11 Thread Mike Jones
December 4, 2014 OpenID Executive Committee Call Minutes

Present:
Don Thibeau, Executive Director
Mike Jones
Nat Sakimura
John Bradley
George Fletcher
Adam Dawes

Visitors:
John Ehrig, Global Inventures
Brian Berliner, Symantec


1.  Review of Certification Legal Documents
Mike reported that Microsoft standards lawyers have started reviewing the draft 
legal documents.  They found them currently to be overly heavyweight and to 
impose potentially onerous requirements that would be an impediment to parties 
considering certification.  They will be producing proposed changes to address 
these concerns.


2.  Review of Certification Workflow
We walked through a proposed certification workflow outlining proposed 
responsibilities for the parties involved in certification and registration.  
The same workflow was reviewed on the OIX executive committee call earlier 
today.

Don pointed out that we are trademarking the term OpenID Connect Conformance 
Test Suite.

Mike pointed out that it's the OIDF's responsibility to verify that the 
certification submission is complete - not the OIX's.  He stated that the 
verification that OIX should do is that a valid representative of the OIDF 
submitted the package for registration.

Adam asked whether we'll eventually relax the membership requirement.  John 
Bradley pointed out that there will still likely be a payment transaction of some 
kind, which serves as a form of identity verification.  The OIDF could also 
control that the submitter controls the submitting e-mail address.

Mike asked who is going to produce and keep up to date the certification web 
pages showing the logos of all parties who have been certified and a list of 
the conformance profiles they certified to.  Don said that he is working on a 
contract to do that for the OIDF with a third party.

George asked whether it was true that parties seeking certification didn't have 
to have a relationship with the OIX.  Mike responded that that was true because 
we want many parties to certify their OpenID Connect implementations and we 
can't place a burden on them of joining two organizations to obtain 
certification.





[OpenID board] January 8, 2015 OpenID Executive Committee Call Minutes

2015-01-15 Thread Mike Jones
January 8, 2015 OpenID Executive Committee Call Minutes

Present:
Don Thibeau, Executive Director
Mike Jones
Nat Sakimura
George Fletcher
John Bradley
Adam Dawes

Visitors:
John Ehrig, Global Inventures
Tom Smedinghoff, Edwards Wildman Palmer LLP
Mike Leszcz, Open Identity Exchange (OIX)
Roger Casals, Symantec


1.  Self-Certification  Registration Workflow
Don reviewed a new workflow document.  Adam asked about how we describe 
services versus software products.  He was thinking of the list maybe being a 
whitelist.  John said that it's not a whitelist.  Mike clarified that our 
certification work applies to both software and services.  People should review 
the parts of the legal docs used to describe the deployment being certified and 
see if there's additional information we'd like to enable those seeking 
certification to provide.  We may want to give implementers optional space to 
write down anything about their deployments that they believe would be useful 
to others.


2.  Certification Legal Documents
Tom Smedinghoff reviewed the certification legal documents.  Tom asked us to 
consider whether three years is the right lifetime for a certification.  George 
asked what the process would be if the OIDF terminates a certification and the 
implementer considers the removal to have been in error.  Tom replied that 
there isn't currently a defined process.  Mike stated that the documents 
already define a lightweight process - communication via the 
certificat...@oidf.net mailing list.  Tom also 
pointed out that there's an overall legal assumption that contracts are 
administered in an even-handed manner.

Don and Tom plan to review the current legal docs with Microsoft standards 
lawyers, Mike Jones, and Tony Nadalin on Monday, with all but Tom being there 
in person.

A hosting agreement with Symantec is being worked on.  We may also enter into 
an agreement with Global Inventures for administering the certification program.


3.  Other Certification Work
Roland Hedberg continues working on the testing software and deployment.  
Several parties are actively testing their OPs and providing feedback on the 
tests.  The marketing committee is working on a launch plan.  Symantec is 
helping lead the launch PR effort.





[OpenID board] February 12, 2015 OpenID Executive Committee Call Minutes

2015-02-19 Thread Mike Jones
February 12, 2015 OpenID Executive Committee Call Minutes

Present:
Don Thibeau, Executive Director
Mike Jones
Nat Sakimura
John Bradley
Adam Dawes
George Fletcher

Visitors:
John Ehrig, Global Inventures
Tom Smedinghoff, Edwards Wildman Palmer LLP
Mike Leszcz, Open Identity Exchange (OIX)


1.  Certification
The certification legal documents are essentially complete.  Early adopters are 
engaged in active testing.  The OP tests are being refined.  Reporting 
requirements are being refined.

Tom went over the status of the two certification legal documents.  Minor 
updates have been applied to the Terms and Conditions document to incorporate 
feedback received from parties that reviewed them.  Liability protection has 
been added for directors, officers, and members.  It was clarified that 
certification statements can be made in local languages.  There have been no 
changes to the Certification of Conformance document.

Tom suggested that we work through issues of pricing for non-members, etc. 
after we've launched the certification program.  We have ample opportunities to 
fine-tune the program before it's expanded to include more kinds of 
participants.

Nat asked whether restricting participation to members now limits our options 
in the future.  Tom told us that it didn't.  He also said that limiting 
participation during a pilot period was understandable and justifiable.

Adam asked how long certifications are valid.  Currently we're counting on 
people to identify when their certifications are no longer valid.  In the 
future, we could consider adding a term limit after which participants need to 
recertify.  Indicating freshness of registrations is an issue we should take up 
in the future.


2.  Trademark Status
Tom sent us a trademark status spreadsheet yesterday.  It covers what we know, 
versus having performed a comprehensive search, which could be expensive.

There are some OpenID trademarks not currently held by the foundation, 
especially in some countries in Europe.  We do hold the pan-European trademark 
and the Madrid Protocol (WIPO) registration, which were transferred to us from 
Snorri Giorgetti.  The executive committee authorized Don and Tom to 
investigate ways to further clean up the current trademark situation without 
spending an inordinate amount of time and money.  We do want to have everything 
buttoned up with respect to the use of the terms OpenID Connect and OpenID 
Certified and any associated certification marks before the certification 
program launch.  We will periodically return to the trademark topic.

A certification mark can be protected.  It has to be administered in a 
non-discriminatory way.  This is another thing we need to research in the 
future.  There is a distinction between a trademark and a certification mark.

Tom said that protecting a certification mark requires registering it.  Mike 
said that we should do that then.  Don and Tom will propose an action plan in 
this regard.


3.  Liaison Update
Nat suggested a few additional liaison relationships.  One that has been talked 
about is FIDO.  Another possible one is the W3C.  The W3C is starting an 
Internet of Things (IoT) working group.  An ISO IoT working group is also 
forming.  We already have a liaison relationship with the ISO/IEC WG on 
Identity Management and Privacy JTC1/SC27/WG5.  These possibilities should be 
discussed by the full board.  The next board call is in a week.





[OpenID board] Certification docs to be reviewed on Thursday's board call

2015-01-12 Thread Mike Jones
Board - please review the following docs in preparation for Thursday's board 
call.  They are intended for review by your legal departments as well as 
yourselves.  They have already been reviewed by Don, Tom, and Microsoft, and we 
believe them to be in near-final form, subject to feedback resulting from your 
reviews.

These are the documents that we will reference during the Thursday board call.

-- Mike (writing as Secretary)


OpenID Certification of Conformance 1-12-2015.docx


OpenID Self-Certification Terms and Conditions 1-12-2015.docx


OpenID Self-Certification FAQs 1-12-2015.docx


[OpenID board] February 19, 2015 OpenID Board Call Minutes

2015-03-05 Thread Mike Jones
February 19, 2015 OpenID Board Call Minutes

Present:
Don Thibeau, Executive Director
Mike Jones
Adam Dawes
Torsten Lodderstedt
George Fletcher
Tony Nadalin
Roger Casals
Debbie Bucci
Pamela Dingle
John Bradley
Raj Mata

Absent:
Nat Sakimura
Dylan Casey
Tracy Hulver

Visitors:
John Ehrig, Global Inventures
Tom Smedinghoff, Edwards Wildman Palmer
Mike Leszcz, OIX
Mike Polosky - Verizon


1.   Board Representatives
Don reviewed who the current board representatives are.  There were no changes 
from the previous board, since all incumbents were reelected (John Bradley, 
Mike Jones, and George Fletcher) or joined as sustaining members (Nat 
Sakimura).  We expect an additional sustaining board member to join shortly.


2.   Executive Committee Members
The current officers and community representative were reelected unanimously.  
Those are: Chairman - Nat Sakimura, Vice-Chairman - Adam Dawes, Secretary - 
Mike Jones, Treasurer - John Bradley, Community Representative - George 
Fletcher.

[John Bradley joined the call at this time]


3.   Certification Update
We are on track to launch certification at RSA in April.  Early adopters 
Google, Microsoft, Salesforce, Ping Identity, and Deutsche Telekom have been 
testing, as well as some other parties.  Symantec has provided hosts to the 
foundation on which the certification testing software will be run.  Designated 
funding and the general budget are currently covering the costs of our 
certification work.  The legal agreements and other documents have undergone 
substantial review by the executive committee and the working group.  There are 
drafts of the foundation certification web pages at 
http://openid.net/certification/, which people are encouraged to review.

[Raj Mata joined the call at this time]


4.   Certification Legal Agreements
The certification legal documents have undergone substantial review by the 
executive committee and parties that plan to sign them.  The current documents 
address only issues needed for the initial launch.  They intentionally leave 
out issues such as fees that may be charged in the future, which are still to 
be determined by the board.

Minor updates have been applied to the Terms and Conditions document to 
incorporate feedback received from parties that reviewed them.  Liability 
protection has been added for directors, officers, and members.  It was 
clarified that certification statements can be made in local languages.  There 
have been no changes to the Certification of Conformance document.

Tom reviewed liability issues.  In particular, he explained that liability for 
any false statements lies with the party initially making those false 
statements, and not with the foundation or its directors.

Adam Dawes moved and Mike Jones seconded the motion to approve the 
certification legal documents.  They were approved.


5.   Certification Messaging
Raj Mata agreed to write a whitepaper on self-certification.  Symantec is 
helping create messaging for the certification launch.


6.   Liaison Update
During the executive committee call a week ago, Nat suggested a few additional 
liaison relationships.  One that has been talked about is FIDO.  Another 
possible one is the W3C.  The W3C is starting an Internet of Things (IoT) 
working group.  An ISO IoT working group is also forming.  We already have a 
liaison relationship with the ISO/IEC WG on Identity Management and Privacy 
JTC1/SC27/WG5.  These possibilities should be considered by the board.

7.   Marketing Committee Update
The Marketing Committee is creating agendas for our workshops before IIW 
(https://openid-mar-2015.eventbrite.com) and at the EIC 
(https://www.id-conf.com/events/eic2015-openid).  The Foundation will be 
represented at the Mobile World Congress by Jörg Connotte of Deutsche Telekom 
and John Bradley.





[OpenID board] Final OAuth 2.0 Form Post Response Mode Specification Approved

2015-04-27 Thread Mike Jones
http://openid.net/2015/04/27/final-oauth-2-0-form-post-response-mode-specification-approved/



[OpenID board] Perspectives on the OpenID Connect Certification Launch

2015-04-30 Thread Mike Jones
http://self-issued.info/?p=1370 and @selfissued



[OpenID board] April 8, 2015 OpenID Board Meeting Minutes

2015-04-16 Thread Mike Jones
April 8, 2015 OpenID Board Meeting Minutes

Present in Person:
Don Thibeau, Executive Director
Mike Jones
Adam Dawes
Torsten Lodderstedt
Tony Nadalin
John Bradley
Raj Mata
Debbie Bucci
Roger Casals

Present on the Phone:
Nat Sakimura
George Fletcher

Absent:
Dylan Casey
Tracy Hulver
Pamela Dingle

Visitors in Person:
Brian Campbell, Ping Identity

Visitors on the Phone:
John Ehrig, Global Inventures
Tom Smedinghoff, Locke Lord LLP
Mike Leszcz, OIX


1.   Certification Program and Launch
We went through the certification workflow and showed that there is now a 
completed certification at http://openid.net/certification/, which is 
registered with OIXnet at http://oixnet.org/certifications/.  We expect five 
organizations to submit certifications by next week.  The press release is well 
along.  We are on track to launch the certification program at RSA in two 
weeks.  Symantec is hosting the test suite and is providing marketing and 
communications support for the launch.  Google and Microsoft have also provided 
directed funding for the launch.

Presentations about the self-certification program were well received at the 
OpenID Workshop on Monday (https://openid-mar-2015.eventbrite.com).

Don encouraged board members to schedule a press interview with Zack Martin.


2.   Liaison Relationships
We received a liaison statement from ISO/IEC JTC 1/SC 27/WG 5 on Identity 
Management, Privacy Technology and Biometrics.  Nat and Tony created a liaison 
statement to them describing our related work.  Tony let us know that a report 
will be made at the SC 27 meeting about the liaison statement.  A motion was 
made to send the liaison statement and it passed unanimously.

A motion was made to create a liaison mailing list for the liaison committee.  
It passed unanimously.

Nat reported that there are lots of Internet of Things working groups 
appearing.  ISO has one, the IETF has some, and the W3C is starting a Web of 
Things working group.  We may want to establish liaison relationships with them 
for the purpose of recommending that they use a profile of OpenID Connect.  Nat 
will prepare materials for us to consider at our board meeting during RSA in 
two weeks.


3.   HEART Working Group Status
Debbie Bucci gave us a status report on the HEART working group.  There are 
currently 105 members of the mailing list.  There is a lot of awareness of the 
HEART work by other organizations.  Awareness is growing organically.  There 
are alpha profile working group documents.

Debbie asked the board's opinion about holding a challenge program for HEART 
implementations, possibly as part of the Obama administration's USA Challenge 
program.  John Bradley stated that working groups are probably not the right 
place to host such a challenge because of legal and IPR issues.  However, the 
HEART working group could partner with organizations such as OIX or MIT to run 
the challenge using funding from ONC.


4.   Mobile OpenID Connect Profile Working Group Status
Torsten talked about the relationship between our mobile profile work and the 
GSMA's Mobile Connect work.  We may want to promote additional awareness of our 
working group among the mobile operators.  Raj asked whether we should 
establish a liaison relationship with the GSMA.  Don responded that the GSMA is 
a member of the OpenID Foundation in good standing.

The mobile profile working group has three specifications - on authentication, 
discovery, and registration.  Torsten and John reported that having additional 
active participants in the working group beyond the ~9 that are active now 
would be helpful.

Don took an action item to consult with Dr. Peter Tibbett of Verizon on the 
mobile profile work and report back to us during our meeting in two weeks.  Don 
said that we may also want to make a blog post clarifying the relationship 
between the two pieces of work.

[George Fletcher left the call at this point]


5.   Formation of the RISC Working Group
The OpenID Risk and Incident Sharing and Coordination (RISC) working group has 
been formed.  (This was formerly named the Abuse and Account Take-Over 
Coordination Working Group (AATOC) working group.)


6.   Next Board Meeting
We will be meeting in person during RSA on April 22nd.  We will have a joint 
lunch and joint dinner and party with the OIX board, celebrating the 
certification and registry launches.


7.   Budget Report
Don reported that our legal expenses for the certification program have been 
substantial but within budget.  Funding fell through for the one new sustaining 
board member that had been anticipated.  RSA is now a corporate member of the 
foundation.  There are at least three other high-profile membership prospects.


8.   OpenID Connect Specifications Update
The vote to approve the final OpenID 2.0 to OpenID Connect Migration 1.0 
specification has passed.  The vote for approving the final OAuth 2.0 Form Post 
Response Mode specification is under way

[OpenID board] FW: The JWT, JOSE, and OAuth Assertions specs are RFCs!

2015-05-19 Thread Mike Jones
FYI

From: Mike Jones
Sent: Tuesday, May 19, 2015 5:38 PM
To: openid-specs...@lists.openid.net
Subject: The JWT, JOSE, and OAuth Assertions specs are RFCs!

The JSON Web Token (JWT), JSON Object Signing and Encryption (JOSE), and OAuth 
Assertions specifications are now IETF standards - RFCs.  They are:


* RFC 7515 (http://www.rfc-editor.org/info/rfc7515):  JSON Web Signature (JWS)

* RFC 7516 (http://www.rfc-editor.org/info/rfc7516):  JSON Web Encryption (JWE)

* RFC 7517 (http://www.rfc-editor.org/info/rfc7517):  JSON Web Key (JWK)

* RFC 7518 (http://www.rfc-editor.org/info/rfc7518):  JSON Web Algorithms (JWA)

* RFC 7519 (http://www.rfc-editor.org/info/rfc7519):  JSON Web Token (JWT)
and

* RFC 7521 (http://www.rfc-editor.org/info/rfc7521):  Assertion 
Framework for OAuth 2.0 Client Authentication and Authorization Grants

* RFC 7522 (http://www.rfc-editor.org/info/rfc7522):  Security Assertion 
Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and 
Authorization Grants

* RFC 7523 (http://www.rfc-editor.org/info/rfc7523):  JSON Web Token 
(JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants

See "JWT and JOSE are now RFCs!" (http://self-issued.info/?p=1387) and "The 
OAuth Assertions specs are now RFCs!" (http://self-issued.info/?p=1389) for more 
background and information.  Thanks to all that each of you contributed to 
making this a reality!

-- Mike



[OpenID board] July 14, 2015 OpenID Board Meeting Minutes

2015-08-19 Thread Mike Jones
July 14, 2015 OpenID Board Meeting Minutes

Present:
Don Thibeau, Executive Director
Debbie Bucci
Pamela Dingle
Nat Sakimura
Mike Jones
Torsten Lodderstedt
Tony Nadalin
George Fletcher
John Bradley
Raj Mata

Absent:
Adam Dawes
Dylan Casey
Tracy Hulver
Roger Casals

Visitors:
John Ehrig, Global Inventures
Tom Smedinghoff, Locke Lord LLP


1.   Resolutions
The Executive Committee unanimously recommends that the board adopt the 
following two resolutions:

RESOLUTION G: Guidelines for OpenID Foundation Certification Program
WHEREAS the OpenID Foundation OpenID Certification program allows entities to 
formally and publicly declare that their specific deployment of a product or 
service conforms to a specific conformance profile of the OpenID Connect 
protocol, and

WHEREAS, in connection with the operation of the Certification Program, it has 
been proposed that OIDF adopt the following OpenID Foundation Certification 
Program Guidelines:

1.   Adoption is the foundation's highest priority.

2.   The foundation's goals include incentivizing membership, 
certification of multiple profiles per implementation and international 
participation.

3.   Certification Profiles are rolled out in three phases: 
pilot by early adopters, membership beta and general availability.

4.   OpenID Certification pilots and betas are to be available 
to all members in good standing.

5.   Upon completion of the beta and pilot phases, 
certification for those profiles will be made available to non-members.

6.   All fees are waived during the pilot phase; fees will be 
charged during the beta and general availability phases.

7.   The Foundation intends to authorize fees sufficient to 
cover the costs of operating a certification program once the corresponding 
pilot phase is complete.

8.   OpenID Foundation Certification fees are to be the same 
for all members.

9.   Certification fees are due at the time of submission and 
are charged per implementation.

10.   Certification(s) will be approved once payment is received.

Now, therefore, be it RESOLVED that the OIDF Board APPROVE the OpenID 
Foundation Certification Program Guidelines as proposed and presented.  Mike 
moves, George seconds.  The motion was approved by unanimous consent.

RESOLUTION L. Formation of liaison committee and delegation of power to the 
committee
WHEREAS the OpenID Foundation board recognises the importance of the liaison 
communications being made in a timely fashion, now

BE IT RESOLVED that
(1) the liaison committee (LC) to be created with its member being the liaison 
officers and EC members;
(2) the LC to be given a delegation of power as to the creation and 
authorization of the liaison communications to the liaison organisation;
(3) the LC's decision shall be by the simple majority of the LC members either 
in a quorate meeting or the majority of the entire LC expressed by the written 
consent by the LC members;
(4) The LC shall report the liaison communication made in the next board 
meeting after the communication was made.  Nat moves, Mike seconds.  The motion 
was approved by unanimous consent.

Don noted for the record that the liaison committee is separately actively 
working on establishing liaison relationships with FIDO and Kantara.


2.   Working Group Formation
Tony raised a concern that there is grey area on who can propose a WG that some 
have taken to mean that non-members can create/propose WG's.  Tony suggested 
that this may cause an IPR issue since it may be the case that there has not 
been a contribution agreement signed before the WG is created (i.e., you cannot 
sign a contribution agreement for a working group or make contributions until a 
working group has been created to contribute to).  Tony believes the proper 
checks and balances are not in place to prevent non-members from claiming that 
it is their charter and their work since they will not have signed a 
contribution agreement. However, it is clear that actual contributions must be 
made by parties that signed an IPR contribution agreement. Foundation 
membership is not related to who can participate in working groups, although in 
practice and experience, participation in a working group often leads to 
membership, because active WG members often choose to join the foundation.

It is in the interest of the foundation to keep the barrier to start work in 
the foundation low since it encourages people to do work in the OIDF and become 
members.   Mike Jones pointed out the checks and balances already in place in 
Section 4.2 of the OpenID Process Document, which provides for review of 
proposed charters by the Specifications Council.  The Specifications Council 
can reject proposed charters for any of these reasons:

(a)   an incomplete Proposal (i.e., failure to comply with §4.1);

(b

[OpenID board] July 9, 2015 OpenID Executive Committee Call Minutes

2015-08-19 Thread Mike Jones
July 9, 2015 OpenID Executive Committee Call Minutes

Present:
Don Thibeau, Executive Director
Mike Jones
John Bradley
Adam Dawes
George Fletcher
Nat Sakimura

Visitors:
John Ehrig, Global Inventures
Tom Smedinghoff, Edwards Wildman Palmer LLP
Mike Leszcz, Open Identity Exchange (OIX)


1.   Connect WG and RP Test Suite Update
Decisions on how to proceed on simplifying the logout spec were made.  The RP 
certification test suite testing is under way.


2.   Self-Certification Pricing
The need and agreement to nominally charge ($200) for certification to cover 
costs was re-confirmed.  The short term forecast for the number of 
certifications is expected to stay in the dozens.  Our IT vendor Delineate (aka 
Refresh Media) will be providing a quote to enable certification invoicing on 
the OIDF website and will be rolled out in the September time frame.


3.   Next EC Call
The next EC will be rescheduled for September 3rd to accommodate vacation 
conflicts.



4.   Formation of a Liaison Committee
The EC unanimously agreed to recommend to the board approving the formation of 
a liaison committee and to assign the responsibility and authority to the 
liaison committee for communications to the Foundation's liaisons as proposed:
RESOLUTION L. Formation of liaison committee and delegation of power to the 
committee

WHEREAS the OpenID Foundation board recognises the importance of the liaison 
communications being made in a timely fashion, now

BE IT RESOLVED that
(1) the liaison committee (LC) to be created with its member being the liaison 
officers and EC members;
(2) the LC to be given a delegation of power as to the creation and 
authorization of the liaison communications to the liaison organisation;
(3) the LC's decision shall be by the simple majority of the LC members either 
in a quorate meeting or the majority of the entire LC expressed by the written 
consent by the LC members;
(4) The LC shall report the liaison communication made in the next board 
meeting after the communication was made.




5.   Certificate for openid.net
The issue is that browsers are trying to deprecate end certificates with SHA1 
signatures. Chrome shows our cert as invalid and MS will as well by January 
2017 or before.  Currently certificates that expire in more than 12 months show 
up as insecure in Chrome. Our current cert from Verisign is signed with SHA1 
and expires in August 2018. Our web site is not actually insecure but the 
browser warnings are going to ramp up.  The only reason to still have a SHA1 
cert is to support XP pre SP3 and those people are now going to not work many 
places on the net as people update certs.  Given that our cert expires in 2018, 
we are going to need to replace it sooner than that; the question is when.  
Symantec may be able to provide guidance on how we should update the 
certificate.   Inventures got the cert last year.



6.   Certification Guidelines

Adam offered that we should be clear about precedence if trade-offs need to be 
made.  With the exception of point #1, adoption being most crucial, he was not 
sure we have consensus on the balance but will leave it to later discussion 
about how to balance these when they conflict.



The EC unanimously agreed to recommend to the board approving the certification 
guidelines as revised and presented.






[OpenID board] Lots of great data about JWT and OpenID Connect adoption!

2015-07-21 Thread Mike Jones
Read https://auth0.com/blog/2015/07/21/jwt-json-webtoken-logo/ and check out 
http://jwt.io/.  Very cool!

I posted about this at http://self-issued.info/?p=1423 and as 
@selfissued<https://twitter.com/selfissued>.

-- Mike



[OpenID board] October 29, 2015 OpenID Board Meeting Minutes

2015-11-16 Thread Mike Jones
October 29, 2015 OpenID Board Meeting Minutes

Present:
Don Thibeau, Executive Director
Mike Jones
Torsten Lodderstedt
Debbie Bucci
Adam Dawes
George Fletcher
John Bradley
Lydia Varmazis
Brian Berliner
Bjorn Hjelm

Present on the Phone:
Pamela Dingle
Nat Sakimura

Absent:
Tony Nadalin
Dylan Casey
Tracy Hulver

Visitors:
John Ehrig, Global Inventures
Mike Leszcz, Open Identity Exchange (OIX)


1.   New Board Members
Lydia Varmazis is now representing PayPal, replacing Raj Mata.  She is 
responsible for their identity strategy and platform.  Brian Berliner is now 
representing Symantec, replacing Roger Casals.  Bjorn Hjelm is representing 
Verizon today.


2.   OpenID Certification Progress
New OP certifications keep coming in.  We now have 48 certifications of 16 
implementations, with more in the works.  We are working on a press release 
about these new certifications.

People are now testing the RP tests.  Roland Hedberg had a hands-on RP 
certification session during IIW.  We're at about the same place with RP 
certification now that we were at the same time last year with OP 
certification.  We plan to launch the RP certification publicly during the RSA 
conference next year (at the end of February 2016).  We'll know later this year 
who is positioned to be launch partners for RP certification and we can decide 
then what the right time to have the launch is.

Adam Dawes reported on the value that Google and its customers have already 
received from certification.

Adam asked whether we wanted to try to front-load pricing discussions for RP 
certification, given that it took a while to determine pricing for OP 
certification.  People thought that that was a good idea.

Mike Jones previewed that after we've launched RP certification, which will be 
targeted at RP libraries, we plan to investigate how to certify RP deployments, 
which often do not need to implement all RP features.  The RP deployment 
certification program would verify that the features used are correct - not 
that all features are implemented.  This work will be done after the RP 
certification launch in 2016.

We should reach out to Dominick Baier, Auth0, StormPath, Connect2ID, and others 
with RP libraries to begin testing.

[Nat Sakimura joined the meeting at this point]


3.   Open Source Libraries
John Bradley asked about how working groups can curate open source software 
projects.  We agreed that new working groups shouldn't have to be created to do 
this.  Mike Jones said that we should have a policy proposal made to the 
executive committee and the board.  Mike also said that any code we use should 
use an Apache 2 license.  Some foundation members are planning to develop open 
source libraries for some of our protocols.  Some of our working groups, such 
as Account Chooser, already do have source code.  Don and the EC will drive 
creation of the policy proposal.  Mike, John, and Adam Dawes also asked to be 
involved in this effort.


4.   The working groups reported on their status during the workshop on 
Monday
The RISC working group is making progress and some members are planning pilots. 
 The OpenID Connect working group is working on logout specifications as their 
primary current deliverable outside of certification.

Debbie reported that there are five profiles being worked on by the HEART 
working group.  They plan to take some of these specifications to Implementer's 
Draft status early next year.  ONC plans to fund some pilots.  That opportunity 
will be announced by HEART to its members.

Pamela reported that Account Chooser has been coordinating with MODRNA.  Phone 
number accounts will be supported by Account Chooser.  She would like to see 
them bring the specifications to Implementer's Draft status in early 2016.

Torsten reported that MODRNA made significant progress on specifications this 
week.  GSMA has confirmed that they will adopt the upcoming version of the 
MODRNA authentication spec as Mobile Connect profile 1.2.

John reported that iGov is coordinating with HEART about cross-referencing 
shared content.  Several additional governments have expressed interest in 
participating.  There will be a NIST meeting on January 13-14 at which our work 
will be discussed.  There will also be OIX presentations at the NIST meeting.


5.   Liaison Committee Update
ISO is working on a liaison response back to us.  They're particularly 
interested in RISC and want to support it.  They view it as a novel problem and 
are still discussing it on their mailing list.

Don Thibeau attended the recent FIDO meeting in Washington DC as substitute 
liaison for Tony.


6.   Web Site Maintenance
Mike Jones reported that Darin Richardson of Refresh Media/Delineate is 
updating the tools used on the openid.net Web site to use current versions.  He 
has implemented additional administrative functionality to enable Global 
Inventures to more easily keep Corporate and Sustaining memberships up to date 
in our

[OpenID board] FW: Building on What’s Built: OpenID Certification Momentum

2015-11-04 Thread Mike Jones


From: Mike Jones
Sent: Thursday, November 05, 2015 4:53 PM
To: Torsten Lodderstedt; Denise Tayloe; 'Dominick Baier'; Cal Heldenbrand 
(c...@fbsdata.com); Brock Allen (brockal...@gmail.com); 'Mike Schwartz'; Justin 
Richer (jric...@mit.edu); Roland Hedberg
Cc: Don Thibeau; Mike Leszcz
Subject: Building on What’s Built: OpenID Certification Momentum

The certification momentum press release is now posted at 
http://openid.net/2015/11/04/openid-certification-momentum/ and tweeted by 
@openid<https://twitter.com/openid>.  Congratulations to all of you and thanks 
for your contributions to advancing OpenID Connect!

-- Mike



[OpenID board] FW: OpenID Connect Back-Channel Logout Specification

2015-09-10 Thread Mike Jones
FYI

From: Mike Jones
Sent: Wednesday, September 09, 2015 11:54 PM
To: sp...@lists.openid.net; 'gene...@lists.openid.net'
Subject: OpenID Connect Back-Channel Logout Specification

A new back-channel OpenID Connect Logout spec has been published at 
http://openid.net/specs/openid-connect-backchannel-1_0.html.  This can coexist 
with or be used instead of the front-channel-based Session 
Management<http://openid.net/specs/openid-connect-session-1_0.html> and 
HTTP-Based Logout<http://openid.net/specs/openid-connect-logout-1_0.html> 
specifications.

The abstract for the new specification states:
This specification defines a logout mechanism that uses back-channel 
communication between the OP and RPs being logged out; this differs from 
front-channel logout mechanisms, which communicate logout requests from the OP 
to RPs via the User Agent.

This completes publication of the three planned OpenID Connect logout 
mechanisms:  two that communicate on the front-channel through the User Agent 
(browser) and this one that communicates on the back-channel, without involving 
the User Agent.  See the 
Introduction<http://openid.net/specs/openid-connect-backchannel-1_0-00.html#Introduction>
 for a discussion of the upsides and downsides of the different logout 
approaches.  As much as we'd like there to be a single logout solution, both 
experience and extensive discussions led us to the conclusion that there isn't 
a feasible one-size-fits-all approach.

Reviews of the new (and existing!) specifications are welcomed.

Thanks to John Bradley, Pedro Felix, Nat Sakimura, Brian Campbell, and Todd 
Lainhart for their contributions to the creation of the specification.

-- Mike

P.S.  This note was also published at http://self-issued.info/?p=1452 and as 
@selfissued<https://twitter.com/selfissued>.


[OpenID board] September 24, 2015 OpenID Board Call Minutes

2015-10-02 Thread Mike Jones
September 24, 2015 OpenID Board Call Minutes

Present:
Nat Sakimura
Mike Jones
Roger Casals
Don Thibeau, Executive Director
Tony Nadalin
Lydia Varmazis
John Bradley
Debbie Bucci
George Fletcher
Adam Dawes
Pamela Dingle

Absent:
Dylan Casey
Tracy Hulver
Torsten Lodderstedt

Visitors:
John Ehrig, Global Inventures
Tom Smedinghoff, Locke Lord LLP


1.   Welcoming a New Director
The board welcomed Lydia Varmazis as PayPal's new board representative.  Lydia 
is director of products and platforms at PayPal.


2.   Certification Pricing
The Executive Committee unanimously recommended an initial set of pricing plans 
for OpenID Certification.  These were circulated to the board on August 24th.  
The pricing plans align with the previously unanimously approved certification 
guidelines.

Adam reviewed the EC discussions on the pricing with the board.  Adam called 
out that we might introduce additional pricing tiers in the future but that 
it's time to put at least a preliminary pricing plan in place.  Adam called out 
regional IdPs such as Yandex as a category that we might want additional 
pricing tiers for.

Don reported that he is seeing substantial demand for certification when 
speaking at conferences - especially in Europe.  It's time to put a pricing 
plan in place and open up certification to all.  The creation of the iGov 
Profile working group is generating additional interest in certification.  He 
also reported that the GSMA is extolling the values of certification in its 
presentations.

Mike Jones moved and Adam Dawes and Roger Casals seconded this resolution:

Resolution M on Member Pricing:

BE IT RESOLVED that:

* The OpenID Certification price for certifying an implementation to a 
set of certification profiles no longer in the pilot phase for all classes of 
OpenID Foundation members is to be $200.  This price covers all certifications 
of that implementation occurring during the calendar year that the payment was 
received, after which new payment would be required for new certifications.

The resolution was unanimously approved.

Mike Jones moved and John Bradley and Roger Casals seconded this resolution:

Resolution N on Non-Member Pricing:

BE IT RESOLVED that:

* The OpenID Certification price for certifying an implementation to a 
set of certification profiles in the general availability phase for non-members 
of the OpenID Foundation is to be a $400 plus what the cost would have been for 
the submitter to have become an OpenID Foundation member.  This price covers 
all certifications of that implementation occurring during the calendar year 
that the payment was received, after which new payment would be required for 
new certifications.

During discussion of the resolution, Mike described how the initial non-member 
pricing is intentionally slightly more than the pricing of certifying as a 
member.  He stated that while membership is valuable, it's also important to 
open up certification to non-members soon.  Regarding the possibility of 
additional pricing tiers, Mike stated that in the future, for instance, we 
might introduce a different pricing plan for certifying additional deployments 
of already-certified products, such as ADFS or Ping Federate.

The resolution was unanimously approved.


3.   Global Identity Conference
Don attended the Global Identity Conference in Tampa this week.  NIST announced 
the formation of the iGov Profile OpenID working group during the workshop.  
Brett McDowell, executive director of the FIDO Alliance, announced that a 
liaison relationship between the FIDO Alliance and the OpenID Foundation has 
been established.


4.   Upcoming Workshops

* Pre-IIW OpenID Workshop at Symantec on October 26 - Additional slots 
have been opened up for registrants.  People can register at 
http://www.eventbrite.com/e/openid-foundation-workshop-before-fall-2015-iiw-meeting-tickets-17960843366.

* OpenID Workshop in Tokyo on November 10 - This is organized by the 
OpenID Foundation Japan.  Speakers need to submit their speaking proposals as 
soon as possible.

* OpenID Workshop at NIST Headquarters on January 12-13.  This will be 
followed by an OIX workshop on the 14th.  These workshops are intended to help 
educate NIST and other US government agencies about OpenID Connect and trust 
frameworks.

* OpenID Workshop in Europe - Don received significant demand for an 
OpenID Workshop in Europe soon.  He is working on planning one in Amsterdam for 
early next year.


5.   iGov Profile Working Group
The iGov working group formation was approved.  The mailing list has been 
created.  John Bradley is creating the working group web pages on openid.net.  
There will be a first meeting of the working group during the pre-IIW workshop.


6.   Liaison Relationships
We have established a liaison relationship with the FIDO Alliance.  Tony 
Nadalin is our liaison representative.  Don plans to attend the October

[OpenID board] September 3, 2015 OpenID Executive Committee Call Minutes

2015-09-24 Thread Mike Jones
September 3, 2015 OpenID Executive Committee Call Minutes

Present:
Don Thibeau, Executive Director
Nat Sakimura
John Bradley
George Fletcher
Mike Jones
Adam Dawes

Visitors:
John Ehrig, Global Inventures
Tom Smedinghoff, Locke Lord LLP
Mike Leszcz, Open Identity Exchange (OIX)


1.   Self-Certification Pricing

Don circulated proposed certification pricing and accompanying resolutions to 
the EC on August 24th.  These were discussed by the EC on the mailing list.  
John communicated that Eric Sachs would eventually like to have enterprise SAAS 
providers be certified before federating, and at that point we may need 
additional pricing classes.  There may be trust frameworks associated with that 
use case.

Adam would like to see every major regional IdP certified - for instance, 
web.de, yandex.ru, nic.cz, etc.  Mike pointed out that we may need multiple 
target certification pricing classes.  For instance, someone deploying an 
already certified product might get a price break.  But we can go to market 
with the current proposed pricing and continue refining our offering over time. 
 Adam said that we do need to be mindful of how to incentivize broad 
participation, including among parties who are just deploying software written 
by others.

Certification will be more widely adopted as it's perceived as being valuable 
to the certifier.  For instance, if certification is required for some 
integrations, it will be perceived as being more valuable, and more parties 
will seek certification.

George pointed out that our goal of incentivizing membership does have pricing 
consequences.  If some opt out for that reason, we may still need to create new 
pricing points under different conditions.  George said that he might have 
difficulty getting $15K to get his consumer implementation certified.

Adam said that he backs the current pricing for now, but that we should be 
clear to the board that this is provisional pricing and is probably most 
attractive to software and service solution providers.  We should be clear that 
in the future we can offer a lower price point to deployments of already 
certified software.  Mike asked about Yandex as a hypothetical example, which 
may have created its own implementation from scratch.  Adam pointed out that a 
differentiation between a Google or Microsoft and Yandex is that Google and 
Microsoft deploy their IdP services across many domains and Yandex or web.de 
are only deploying on their own.

We have a sense of the executive committee to recommend action by the board at 
our upcoming meeting.

Adam began a motion that was simplified by Mike and seconded by Adam that we 
recommend to the board that we go to market with the proposed pricing 
structure, being aware that we will likely want to offer additional pricing 
points for additional market segments.  The resolution was unanimously adopted.


2.   Upcoming Workshops

We briefly discussed the upcoming workshop before IIW and the Tokyo workshop 
after IETF 94.  Don is coordinating the agenda and speakers for the pre-IIW 
workshop.  Nat will work with Don to arrange meetings with key Japanese 
companies as a recruiting and PR effort.  We will promote the Tokyo workshop 
via an openid.net blog post.





[OpenID board] December 3, 2015 OpenID Executive Committee Call Minutes

2015-12-10 Thread Mike Jones
December 3, 2015 OpenID Executive Committee Call Minutes

Present:
Don Thibeau, Executive Director
John Bradley
Mike Jones
George Fletcher
Nat Sakimura
Adam Dawes

Visitors:
Mike Leszcz, Open Identity Exchange (OIX)


1.   Repositories for Open Source Projects

John asked if there was any problem using GitHub for working group projects.  
(Some working groups, such as Account Chooser, already have some sources in 
GitHub.)  Nat said that originally, the OIDF chose Bitbucket over GitHub 
because it supported OpenID login and GitHub didn't and at the time, it 
supported https whereas GitHub didn't.  (It now does.)  Mike pointed out that 
the main thing is that only working group members who have signed the IPR 
agreement can have commit rights to software produced by the working group.  
Adam asked whether edits need to be blessed as contributions.  Mike said that 
this can be accomplished by having checkins result in e-mail to the working 
group.  (The IETF does this.)


2.   Non-Member Certification Pricing

We have received feedback from several parties on the currently approved 
non-member pricing structure.  The pricing exercise requires a balance between 
promoting adoption, covering our costs, and incentivizing foundation 
membership.  Global Inventures encouraged us to have a clear rationale for the 
pricing structure.  Don suggested that we may want to consider a cap on the 
non-member price for OP certification.  (He noted that we will separately 
consider non-member RP pricing next year.)

Don plans to put together a year-end summary of our investments to date in 
establishing the certification program.  We will then have a statement on 
record about what we've spent thus far.

John pointed out that we need money to continue revising the tests and running 
the certification test site.  Mike pointed out that we will also need funds to 
renew the contract with Roland Hedberg to operate the certification test site.

Adam had earlier said that he'd like to see a world where every professionally 
run OP gets certified.  Adam said that the current pricing fits for commercial 
software service providers but not necessarily sites where Identity is not core 
to their business.  Adam said that if participation in a trust framework 
requires a certification that is too expensive, it will dampen participation in 
the trust framework.

Pricing on a per-domain basis was suggested.

Adam had also previously said that it would be good if someone with normal 
signing authority could approve the certification cost, rather than it 
requiring signoff by a senior VP.  As a straw-man, Adam said that that price 
would be more like $1000.  SaaS providers ideally want all the OPs they're 
interacting with to be certified, for quality reasons.

George asked whether, for instance, the PingFederate certification would cover 
deployments of PingFederate?  John replied "not necessarily", but there might 
be a way to make that easier.

Adam suggested a $1000/domain price for any provider running software that has 
not been certified, whereas, we would have a lower price for those deploying 
certified software.  Mike suggested $999/domain for those running non-certified 
software and $499 for those running certified software.

Nat asked whether we can tell whether someone has modified the certified 
software.  Mike suggested that that's impossible and not in our interest.  
George said that if someone lies about something, their certification could be 
invalidated anyway, when detected.  John said that since they'd be running the 
tests anyway, that's more than a high enough bar.

Don said that this seems easy to understand, easy to administer, and easy to 
defend.  All the executive committee members concurred.

A next step is for Don to create the costs report.  Mike said that Don should 
also communicate to the board that we suggest revising the pricing as described 
above, given that there was previously a board vote on the pricing.  Don will 
create appropriate messaging to the board.


3.   Web Site Software Status

Mike reported that our web site contractor Darin Richardson at delineate.net 
has written updates to the openid.net software to make it easier for Global 
Inventures to keep their database and our member database in sync.  He has also 
implemented the charging functionality for certification.  These updates are 
currently being tested.

Meanwhile, Nov Matake, the author of widely-used Ruby OpenID Connect RP 
software and frequent Connect contributor, has submitted changes to Darin that 
enable OpenID Connect logins to member accounts in parallel with the current 
login functionality using Janrain Engage.


4.   Upcoming Meetings

There will be an iGov working group meeting the afternoon of Wednesday, January 
13th following a NIST identity workshop on the 12th and 13th in Gaithersburg, 
Maryland, US.  OIX will have a meeting in Washington, DC on the 14th covering 
topics including s

[OpenID board] FW: Review of Proposed Implementer’s Drafts of HEART Specifications

2015-12-10 Thread Mike Jones


From: Mike Jones
Sent: Thursday, December 10, 2015 6:27 PM
To: sp...@lists.openid.net
Subject: Review of Proposed Implementer’s Drafts of HEART Specifications

The OpenID HEART Working Group recommends approval of the following 
specifications as OpenID Implementer’s Drafts:

·   Health Relationship Trust Profile for OAuth 2.0

·   Health Relationship Trust Profile for OpenID Connect 1.0

·   Health Relationship Trust Profile for User Managed Access 1.0

An Implementer’s Draft is a stable version of a specification providing 
intellectual property protections to implementers of the specification.  This 
note starts the 45-day public review period for the specification drafts in 
accordance with the OpenID Foundation IPR policies and procedures.  This review 
period will end on Sunday, January 24th, 2016.  Unless issues are identified 
during the review that the working group believes must be addressed by revising 
the drafts, this review period will be followed by a seven-day voting period 
beginning on Monday, January 25th, 2016 during which OpenID Foundation members 
will vote on whether to approve these drafts as OpenID Implementer’s Drafts. 
For the convenience of members, voting may begin up to two weeks before Monday, 
January 25th, with the voting period still ending on Monday, February 1st, 2016.

The specifications are available at:

·   http://openid.net/specs/openid-heart-oauth2-2015-12-07.html

·   http://openid.net/specs/openid-heart-openid-connect-2015-12-07.html

·   http://openid.net/specs/openid-heart-uma-2015-12-09.html

The HEART working group page is http://openid.net/wg/heart/.  Information on 
joining the OpenID Foundation can be found at 
https://openid.net/foundation/members/registration.  If you’re not a current 
OpenID Foundation member, please consider joining to participate in the 
approval vote.

You can send feedback on the specifications in a way that enables the working 
group to act upon your feedback by (1) signing the contribution agreement at 
http://openid.net/intellectual-property/ to join the working group (please 
specify that you are joining the “HEART” working group on your contribution 
agreement), (2) joining the working group mailing list at 
http://lists.openid.net/mailman/listinfo/openid-specs-heart, and (3) sending 
your feedback to the list.

-- Michael B. Jones – OpenID Foundation Board Secretary

(This notice has also been posted at 
http://openid.net/2015/12/10/review-of-proposed-implementers-drafts-of-heart-specifications/.)




Re: [OpenID board] [OIDFSC] Proposed charter for new working group named "Enhanced Authentication Profile WG"

2016-01-04 Thread Mike Jones
FYI, the review period has expired and all specs council members who responded 
were in favor.  Therefore, the Enhanced Authentication Profile (EAP) working 
group has been created.

 -- Mike (writing as OpenID Foundation Secretary)

From: specs-council [mailto:openid-specs-council-boun...@lists.openid.net] On 
Behalf Of Ashish Jain
Sent: Tuesday, December 15, 2015 10:37 PM
To: Adam Dawes; Nat Sakimura
Cc: John Bradley; Anthony Nadalin; 
openid-specs-coun...@lists.openid.net
Subject: Re: [OIDFSC] Proposed charter for new working group named "Enhanced 
Authentication Profile WG"

+1

From: specs-council on behalf of Adam Dawes
Date: Tuesday, December 15, 2015 at 10:35 PM
To: Nat Sakimura
Cc: John Bradley, Anthony Nadalin, "openid-specs-coun...@lists.openid.net"
Subject: Re: [OIDFSC] Proposed charter for new working group named "Enhanced 
Authentication Profile WG"

+1

On Tue, Dec 15, 2015 at 9:22 PM, Nat Sakimura wrote:
+1


On Tuesday, 15 December 2015, John Bradley wrote:
I approve the creation of the working group as proposed in the charter.

On Dec 15, 2015, at 10:49 AM, Anthony Nadalin wrote:


Please find the enclosed proposed charter for a new working group to be formed, 
the name of the working group is "Enhanced Authentication Profile". I would 
like to move this proposal along to form the new WG before the start of the new 
year. Let me know if you have questions, concerns or elated joy and even if you 
have changes that you feel are required.



--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en




--
Adam Dawes | Sr. Product Manager | ada...@google.com 
| +1 650-214-2410



[OpenID board] FW: Minutes of OpenID iGov Working Group Meeting at NIST 13-Jan-15

2016-01-15 Thread Mike Jones
FYI

From: Mike Jones
Sent: Friday, January 15, 2016 7:11 PM
To: Don Thibeau <d...@oidf.org>; John Bradley <ve7...@ve7jtb.com>; Julian White 
(julian.wh...@digital.cabinet-office.gov.uk) 
<julian.wh...@digital.cabinet-office.gov.uk>; Adam Cooper 
<adam.coo...@digital.cabinet-office.gov.uk>; Sarah Squire 
<sa...@engageidentity.com>; Justin Richer <jus...@bspk.io>; Anthony Nadalin 
<tony...@microsoft.com>; George Fletcher at aol.com <gffle...@aol.com>; Dmitry 
Barinov (dmitry.bari...@securekey.com) <dmitry.bari...@securekey.com>; Tom 
Smedinghoff <tom.smedingh...@lockelord.com>; Matt Topper (m...@uberether.com) 
<m...@uberether.com>; Derek Smeds (sme...@uberether.com) 
<sme...@uberether.com>; Mike Polosky <michael.polo...@verizon.com>; Debbie 
Bucci <debbie.bu...@hhs.gov>; Jim Fenton (fen...@bluepopcorn.net) 
<fen...@bluepopcorn.net>; Judy Keator (judy.kea...@securekey.com) 
<judy.kea...@securekey.com>; Bjorn Hjelm <bjorn.hj...@verizon.com>; Mike Leszcz 
<mike.les...@openidentityexchange.org>; Marcel Wendt (mwe...@digidentity.eu) 
<mwe...@digidentity.eu>; Michael Garcia <michael.gar...@nist.gov>; Sudhi Umarji 
(su...@nist.gov) <su...@nist.gov>; Ken Klingenstein <k...@internet2.edu>; Stu 
Vaeth <stu.va...@securekey.com>; Chris Chapman <chris.chap...@securekey.com>
Cc: Paul Grassi <paul.gra...@nist.gov>
Subject: Minutes of OpenID iGov Working Group Meeting at NIST 13-Jan-15

Minutes of OpenID iGov Working Group Meeting at NIST 13-Jan-15

Attendees:
  Don Thibeau, OpenID Foundation
  Mike Jones, Microsoft
  John Bradley, Ping Identity
  Julian White, UK Cabinet Office
  Adam Cooper, UK Cabinet Office
  Sarah Squire, Engage Identity
  Justin Richer, Bespoke Engineering
  Anthony Nadalin, Microsoft
  George Fletcher, AOL
  Dmitry Barinov, SecureKey
  Tom Smedinghoff, Locke Lord
  Matt Topper, Uber Ether
  Derek Smeds, Uber Ether
  Mike Polosky, Verizon
  Debbie Bucci, US HHS ONC
  Jim Fenton, independent
  Judy Keator, SecureKey
  Bjorn Hjelm, Verizon
  Mike Leszcz, OIX
  Marcel Wendt, Digidentity
  Michael Garcia, NIST
  Sudhi Umarji, NIST
  Ken Klingenstein,  Internet2
  Stu Vaeth, SecureKey
  Chris Chapman, SecureKey (remote participant)

The OpenID Foundation "Note Well" was presented
Don Thibeau, the OpenID Foundation executive director, welcomed people to the 
working group meeting
Mike Jones spoke about the OpenID Working group process, as OpenID Board 
Secretary
He surveyed working group materials:
  Working Group Page:  http://openid.net/wg/igov/
  Mailing List (please join!):  
http://lists.openid.net/mailman/listinfo/openid-specs-igov
  Charter:  http://openid.net/igov-wg-draft-charter/

Working group chairs were unanimously selected:
  Adam Cooper of the UK Cabinet Office
  Paul Grassi of NIST (via Mike Garcia)
  John Bradley of Ping Identity (and a resident of Chile)

John Bradley talked about potential contributions to the working group, 
including some of the HEART working group materials
Adam Cooper spoke about his role architecting UK Government identity solutions
Dmitry Barinov of SecureKey spoke about the use of OpenID Connect in connect.gov
Mike Jones talked about OpenID Certification as an example of an activity of a 
working group
  http://openid.net/certification/
___
board mailing list
bo...@lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-board


[OpenID board] June 6, 2016 OpenID Board Meeting Minutes

2016-06-27 Thread Mike Jones
June 6, 2016 OpenID Board Meeting Minutes

Present:
Don Thibeau, Executive Director
Mike Jones
Nat Sakimura
George Fletcher
Brian Berliner
Adam Dawes
Debbie Bucci
Junichi Tabuchi
Lydia Varmazis
John Bradley

Present on the Phone:
Dale Olds

Absent:
Prateek Mishra
Pamela Dingle
Tony Nadalin
Bjorn Hjelm

Visitors:
Tom Smedinghoff, Locke Lord LLP (on the phone)
Mike Leszcz, OIDF
Takao Kojima, KDDI
Harunobu Agematsu, KDDI


1.   KDDI Introduction
Junichi Tabuchi, chief identity architect of KDDI, gave a brief presentation on 
identity at KDDI.


2.   Liaison Update
The Financial API (FAPI) WG wants to establish a liaison relationship with ISO 
TC 68 - Financial Services.  The FAPI specifications will likely be submitted 
to ISO TC 68, when done.  The executive committee also recommends that we 
establish this relationship.  A motion to establish this liaison relationship 
passed unanimously.

Nat proposed that we establish a liaison relationship with the OECD ITAC 
committee.  This would give us early access to their documents.  Nat attends 
their meetings, so could represent us.  Internet partners of ITAC are listed at 
http://www.internetac.org/members.  A motion to establish this liaison 
relationship passed unanimously.


3.   Working Group Updates
The Financial API (FAPI) working group held its first meeting this morning.  
John Bradley contributed Ping's Distributed Session Management proposal to the 
OpenID Connect working group.  Ping is also willing to contribute the 
underlying hash graph technology if there's interest in the working group.  
Dick Hardt has sent a Fast Federation working group proposal to the 
Specifications Council for approval.


4.   ONC Challenge
The US Office of the National Coordinator for Health Information Technology 
(ONC) posted an implementation challenge pertaining to user-centric healthcare 
and the HEART specifications.  Debbie asked if we could make a blog post 
referencing the challenge.  The board was fine with that.  Don will work with 
Debbie on blog post text.


5.   Case Study Proposal
Nat and Phillippe Clement were talking about the possibility of an 
English-language case study about the France Connect deployment.  This could be 
the first of a series of case studies.  Other possible case studies include the 
Buenos Aires and Ireland deployments.  Google has built case studies about 
their smart lock for passwords deployments.  Mike pointed out that doing a 
series of case studies well would require both time and financial resources.  
Lydia pointed out that these days, a few minutes of video would get us far more 
traction than a textual whitepaper.  The board requests that the marketing 
committee work on a plan for communicating case studies in the best way.


6.   Certification
OP certification continues apace.  We now have 90 profiles tested, with several 
new ones coming in in the last month.  The RP certification launch is waiting 
for there to be a sufficient number of RP libraries to be tested to adequately 
test the tests.  A team of Mike, John, George, Debbie, Lydia, and Don will work 
on defining the next certification contract particulars.


7.   Web Site Update
The new code has been updated.  Mike needs to do acceptance testing before we 
change over to it.  After that, we'll hand off new contract work to Nov Matake.  
We will need to establish a contract with him.


8.   Amendment of Contribution Agreement
Nat proposed a few simplifications to the contribution agreement.  He proposed 
dropping the OpenID field and the need to counter-sign it.  Tom Smedinghoff 
suggested that we add the changes to the revised versions of the legal 
agreements that are already in process and under review.  Adam pointed out that 
reducing friction can actually result in contribution agreements that have not 
been properly legally vetted - such as individuals working for a company who 
are proposing to make contributions for their company who are not authorized to 
do so.


9.   oidf.org E-Mail Addresses for Board Members
Nat asked if we want to create oidf.org e-mail addresses for board members to 
use for official OpenID business.  Lydia said that she wants this to be 
optional since she wants to be representing PayPal.  Mike doesn't want another 
e-mail address.  It's fine for some to have who want it.


10.   Business Cards
Nat created a business card template for people to use if they want to.


11.   Financial Update
We are doing well, with a sustainable budget.  We have new memberships coming 
in both at the corporate and sustaining level.  We have a sustainable budget 
but any new large expenditures would require directed funding.





[OpenID board] June 2, 2016 OpenID Executive Committee Call Minutes

2016-06-27 Thread Mike Jones
June 2, 2016 OpenID Executive Committee Call Minutes

Present:
Don Thibeau, Executive Director
Nat Sakimura
John Bradley
Mike Jones
George Fletcher

Absent:
Adam Dawes

Visitors:
Mike Leszcz, OpenID Foundation


1.   Preparation for board meeting at the Cloud Identity Summit (CIS)
Nat requested that some agenda items be added to the board meeting agenda for 
next week:

* Establishment of liaison relationship to ISO/TC68 Financial Services

* Minor updates to the contribution agreement

* Restructuring of http://openid.net/executed-contribution-agreements/

* Creation of @oidf.org email redirector for the members of the 
board and staff: for better branding

* New business card template

Bjorn Hjelm of Verizon will be unable to make it to CIS.  John will substitute 
for Bjorn for the MODRNA presentation.

Nat will propose that we collect case studies describing OpenID Connect 
deployments.  For instance, we might get a whitepaper on the France Connect 
deployment.  He worked on a template for these case studies at IIW.  Other 
possible government deployments to describe are Ireland, Japan, and Czech 
Republic.  Mobile Connect/MODRNA is another possibility.  Real Madrid, AAD, and 
Android are other possibilities.

John wonders whether we'll want to talk about the Ping Distributed Session 
Management proposal in the board meeting or just in backchannel conversations.

[George Fletcher joined the call at this point]

Mike Jones will present a status update on certification.  Certification has 
recently resulted in some new members, including Auth0 and Okta.

Mike and Don will give an infrastructure update.  We need to have discussions 
about how to renew Roland's contract to develop and operate the certification 
site.  This may require some directed funding.

There will be updates on new working groups and possible new work, time 
permitting, including Dick Hardt's proposed FastFed working group.

There are several things Don will talk about that may require directed funding.

It will be important to manage time in the agenda to ensure we get the strategy 
discussions in.  Don and/or Mike Leszcz will send out a revised board 
invitation double-checking the times and adding agenda items.


2.   Financial API Working Group
The first FAPI working group meeting will precede the board meeting at CIS.





[OpenID board] Blog post: Identity Convergence and Microsoft’s Ongoing Commitment to Interoperability

2016-01-27 Thread Mike Jones
My blog post http://self-issued.info/?p=1529 – also tweeted at 
@selfissued – referencing today’s announcement 
by Microsoft identity team follows.

Identity Convergence and Microsoft’s Ongoing Commitment to Interoperability

Please check out this important post today on the Active Directory Team Blog: 
“For Developers: Important upcoming changes to the v2.0 Auth Protocol”.  While 
the title may not be catchy, its content is compelling – particularly for 
developers.

The post describes the converged identity service being developed by Microsoft 
that will enable people to log in either with an individual account (Microsoft 
Account) or an organizational account (Azure Active Directory).  This is a big 
deal, because developers will soon have a single identity service that their 
applications can use for both kinds of accounts.

The other big deal is that the changes announced are a concrete demonstration 
of Microsoft’s ongoing commitment to interoperability and support for open 
identity standards – in this case, OpenID Connect.  
As the post says:
The primary motivation for introducing these changes is to be compliant with 
the OpenID Connect standard specification.  By being OpenID Connect compliant, 
we hope to minimize differences between integrating with Microsoft identity 
services and with other identity services in the industry.  We want to make it 
easy for developers to use their favorite open source authentication libraries 
without having to alter the libraries to accommodate Microsoft differences.

If you’re a developer, please do heed the request in the post to give the 
service a try now as it approaches General Availability (GA).  Enjoy!




[OpenID board] FW: HEART Implementer’s Drafts Approved

2016-02-15 Thread Mike Jones


From: Mike Jones
Sent: Monday, February 15, 2016 5:39 PM
To: openid-specs-he...@lists.openid.net
Subject: HEART Implementer’s Drafts Approved

The following notice was posted at 
http://openid.net/2016/02/15/heart-implementers-drafts-approved/:


HEART Implementer’s Drafts Approved

The OpenID Foundation members have approved of the following specifications as 
OpenID Implementer’s Drafts:
·   Health Relationship Trust Profile for OAuth 2.0
·   Health Relationship Trust Profile for OpenID Connect 1.0
·   Health Relationship Trust Profile for User Managed Access 1.0

An Implementer’s Draft is a stable version of a specification providing 
intellectual property protections to implementers of the specification.

The specifications are available at:
·   http://openid.net/specs/openid-heart-oauth2-1_0-ID1.html
·   http://openid.net/specs/openid-heart-openid-connect-1_0-ID1.html
·   http://openid.net/specs/openid-heart-uma-1_0-ID1.html

The voting results were:
·   Approve – 34 votes
·   Object – 1 vote
·   Abstain – 11 votes

Total votes: 46 (out of 204 members = 23% > 20% quorum requirement)

— Michael B. Jones – OpenID Foundation Board Secretary



[OpenID board] January 6, 2016 OpenID Executive Committee Call Minutes

2016-02-18 Thread Mike Jones
January 6, 2016 OpenID Executive Committee Call Minutes

Present:
Don Thibeau, Executive Director
John Bradley
George Fletcher
Mike Jones
Nat Sakimura
Adam Dawes

Visitors:
Tom Smedinghoff, Locke Lord LLP


1.   Meetings in DC Next Week

We mentioned the iGov meeting next week in Washington, DC, as well as the NIST 
meeting and the OIX meeting.


2.   Infrastructure Development in 2016

In the coming year, we should consider several kinds of infrastructure updates.

Darin Richardson, our programming consultant, has decided to wind down our 
relationship after completing his current deliverables, which include enhancing 
the administrative interfaces and enabling certification payments.  Don and 
Mike are working with Darin on a transition plan.  We are already separately 
working on accepting OpenID Connect logins on our site.  We should also 
consider implementing Account Chooser this year.

We may want to do updates to our legal documents to increase their 
understandability - particularly the contribution agreements.  These changes 
would be to address questions that have come up in reviews by potential members.

We plan to beef up our support for open source projects implementing OpenID 
specifications.  This may include setting up a corporate github account.  John 
pointed out that one already exists at https://github.com/openid.  We may need 
to clear up ambiguities in how the contribution agreements apply to code, as 
opposed to specification text.

John said that we need to not allow people who haven't signed contribution 
agreements to make contributions.  Mike encouraged Adam and William to put the 
code in the OpenID repository rather than another one, so that expectations are 
set appropriately.

Per our previous discussions, it's already fine for people to contribute code 
to working groups under the current contribution agreement.  If any blocking 
issues are found in the contribution agreement, they will be sent to the 
executive committee for quick evaluation.  We believe that there are no 
impediments to working group members contributing code now and for people to 
use that code.

We apparently need to clarify that contributions may be used for working 
group-owned implementations (as opposed to just specifications).  Nat suggested 
that we do this as an appendix or addendum to the existing contribution agreement, 
rather than a revision. John suggested that we integrate agreeing to this 
addendum into the mechanics of making a pull request. People liked that 
approach.  John volunteered to work with William on making this happen.  John 
later asked us to consider whether the addendum should just be the Apache 2 
contribution agreement.


3.   OpenID Board Elections

The annual election process has started.  There is one community seat open and 
the one corporate seat open.  The nominating period is currently open.  See 
https://openid.net/2016/01/04/announcing-the-openid-foundation-individual-community-board-member-2016-election-schedule/
 for information about the community election.


4.   Non-Member OP Certification Pricing

The $999/$499 pricing points recommended by the EC were presented to the board 
and discussed.  They appeared to be largely embraced by the board, with caveats 
that we may need to refine how we describe the plan and how to best incentivize 
ongoing membership.  Nat said that we will need to work on the announcement of 
the pricing.  Nat will plan to refresh the discussion that died over the 
holidays.


5.   Cloud Identity Summit

The OpenID Foundation content at the Cloud Identity Summit (CIS) will be part of 
the main conference program - not a side meeting before CIS.  CIS will be June 
6-9, 2016 in New Orleans.


6.   OpenID Workshop in Chile

John is arranging an OpenID Workshop in Santiago, Chile.  He's secured sponsors 
and a venue.  It will either be the Thursday, March 31st or Friday, April 1st 
before IETF 95 Buenos Aires.


7.   Enhanced Authentication Profile (EAP) Working Group

Creation of Enhanced Authentication Profile (EAP) working group was approved by 
the specifications council.  Next steps will be to advertise it on our Web site 
and hold a first meeting.





[OpenID board] January 13, 2016 OpenID Executive Committee Meeting Minutes

2016-02-18 Thread Mike Jones
January 13, 2016 OpenID Executive Committee Meeting Minutes

Present:
Don Thibeau, Executive Director
John Bradley
George Fletcher
Mike Jones

Present on the Phone:
Adam Dawes

Absent:
Nat Sakimura

Visitors:
Tom Smedinghoff, Locke Lord LLP


1.   Discussion of Contribution License Agreement

Tom Smedinghoff created a proposed Contribution License Agreement (CLA) based 
on the Google CLA at https://cla.developers.google.com/clas.  We discussed 
Tom's proposed CLAs.  We decided to remove the contributors list that Tom had added 
and to remove the "outside the scope of" language.

Adam moved that we approve Tom's documents as amended for use for Github 
contributions and for the executive director to oversee implementation of a 
workflow implementing the use of this agreement.  John seconded.  The 
resolution passed unanimously.

The workflow will have code contributors sign both the existing contribution 
agreement and the software contribution agreement.  This will unblock software 
contributions in the short term.  We will work to unify the two contribution 
agreements as part of our larger package of updates to our legal agreements.





[OpenID board] Enhanced Authentication Profile (EAP) WG Mailing List

2016-03-06 Thread Mike Jones
You can now subscribe to the OpenID Enhanced Authentication Profile (EAP) 
working group mailing list at 
http://lists.openid.net/mailman/listinfo/openid-specs-eap.  The working group 
page is also up at http://openid.net/wg/eap/.

  -- Mike



Re: [OpenID board] April 27, 2016 OpenID Board Meeting Minutes

2016-05-09 Thread Mike Jones
OK – I’ll amend the minutes accordingly.  You hadn’t responded to the 
board-private draft version sent per policy for review purposes so I assumed 
that the draft version was correct.  Are there any other amendments needed?

From: board [mailto:openid-board-boun...@lists.openid.net] On Behalf Of Pamela 
Dingle
Sent: Monday, May 9, 2016 5:19 AM
To: openid-board@lists.openid.net
Cc: bo...@openid.net
Subject: Re: [OpenID board] April 27, 2016 OpenID Board Meeting Minutes

Hey Mike -- I'm not sure it really matters, but I was on the phone for this 
meeting.  I didn't say anything because I was in the airport (and then onboard 
my aircraft), but was present for whole meeting, only missing the very 
beginning and a little bit of the meeting that went over the time at the end 
there.

Thanks!

On Mon, May 9, 2016 at 3:01 AM, Mike Jones <michael.jo...@microsoft.com> wrote:
April 27, 2016 OpenID Board Meeting Minutes

Present:
Don Thibeau, Executive Director
John Bradley
Mike Jones
Nat Sakimura
George Fletcher
Prateek Mishra
Brian Berliner
Dale Olds
Adam Dawes

Present on the Phone:
Bjorn Hjelm

Absent:
Debbie Bucci
Pamela Dingle
Lydia Varmazis
Tony Nadalin

Visitors:
Tom Smedinghoff, Locke Lord LLP (on the phone)
Mike Leszcz, OIDF (on the phone)
Phil Hunt, Oracle


1.   New Board Member
We welcomed Oracle to the board.  Prateek Mishra and Phil Hunt are in 
attendance from Oracle.

Prateek said that Oracle is working to integrate an identity fabric with 
business services – both for external applications and within the company.  
Phil Hunt said that SCIM is very important to Oracle and sees potential 
synergies between SCIM and OpenID Connect.  Phil talked about developing best 
deployment practices.  George and Brian and John affirmed Oracle’s goals.  Phil 
expressed a desire for us to evaluate the possibility of doing SCIM interop and 
possibly conformance work, which the IETF doesn’t do.


2.   Legal and Policy Review
Tom has been going through our mostly 7-year-old legal documents, addressing 
issues found.  One item was to create a software contribution agreement based 
upon the Google contribution agreement.  Some members and potential members had 
also identified issues.  We are explicitly not touching the IPR Policy and IPR 
Process documents.

Tom has sent revised copies to the EC for review and is awaiting comments.  
Then they will be circulated to the full board.  The new versions separate 
policies from procedures.

Mike described that the IPR policy and process documents are, by design, 
difficult to update.  Nat pointed out that we did update them once, in 2009, to 
streamline the specifications council working group approval procedures.


3.   Status of Trademarks
There is a deadline of May 6th for a response to a trademark registration 
refusal in Canada, which is related to SXIP’s registration of OpenID in Canada. 
 Mike Jones and Don Thibeau are in communication with Dick Hardt about 
assigning SXIP’s registration to the OpenID Foundation, which Dick has agreed 
to do.


4.   OpenID Certification
Mike reported on the status of the certification program.  The number of 
registrations continues to grow.  Registrations are now being paid for by 
registrants.  OpenID Connect working group members and Don are working with 
Roland Hedberg on advancing the RP certification program during IIW.


5.   Website Update
Mike reported that we are making substantial progress both towards deploying 
the revised membership Ruby code and towards transitioning from Darin 
Richardson, as our web site developer to Nov Matake, who has agreed to become 
our new web site developer.  Mike and Don have continued to work with both 
Darin and with OSUOSL and are happy to report that the new code is now running 
on a staging server and another server that will be put in production to 
replace the 7-year old Ruby deployment, after the new code has been evaluated 
and accepted.


6.   Working Group Updates
There were substantive working group updates at the OpenID workshop on Monday, 
so we didn’t repeat most of that content here.

Adam reported that Google is working on opening up their Android password 
manager and Account Chooser experience to other platforms.  This would require 
a standard password manager API.  That work is happening in the W3C Web 
Credentials working group.  The Account Chooser working group may choose to 
utilize and build upon this functionality.


7.   Financial Update
The foundation is in sound financial shape.  The legal efforts have been the 
primary cost driver but there are sufficient existing funds to cover that work 
without needing directed funding.


8.   Recognizing Substantive Contributions to the Foundation and its Mission
In recognition of their substantive contributions towards the creation of the 
OpenID Foundation and their long-term technical contributions to OpenID 
Foundation specifications, th

Re: [OpenID board] [OIDFSC] Financial API WG (FAPI WG) Proposal

2016-05-11 Thread Mike Jones
Requested

From: Nat Sakimura [mailto:sakim...@gmail.com]
Sent: Monday, May 9, 2016 11:44 PM
To: OpenID Board (public) <bo...@lists.openid.net>; Mike Jones 
<michael.jo...@microsoft.com>
Cc: openid-specs-coun...@lists.openid.net
Subject: Re: [OIDFSC] Financial API WG (FAPI WG) Proposal

The WG is approved.
Could you please set up the list, please? > Mike.

Nat


On Tue, Apr 26, 2016 at 13:03 Nat Sakimura <sakim...@gmail.com> wrote:
Thank you.

And needless to say, I also approve it.
On Mon, Apr 25, 2016 at 20:59 John Bradley <ve7...@ve7jtb.com> wrote:
I approve of the creation of this WG.

> On Apr 18, 2016, at 7:22 AM, Nat Sakimura <sakim...@gmail.com> wrote:
>
> Dear Specs council:
>
> Please find the enclosed proposed charter for a new working group to be 
> formed, the name of the working group is "Financial API WG”. I would like to 
> move this proposal along to form the new WG before the start of the EIC 2016. 
> Let me know if you have questions, concerns, etc.
>
> Best,
>
> Nat Sakimura
> 
--
Nat Sakimura
Chairman of the Board, OpenID Foundation
Trustee, Kantara Initiative


[OpenID board] April 14, 2016 OpenID Executive Committee Call Minutes

2016-04-29 Thread Mike Jones
April 14, 2016 OpenID Executive Committee Call Minutes

Present:
Don Thibeau, Executive Director
John Bradley
George Fletcher
Mike Jones
Adam Dawes

Absent:
Nat Sakimura

Visitors:
Tom Smedinghoff, Locke Lord LLP
Mike Leszcz, OpenID Foundation
Prateek Mishra, Oracle


1.   Legal Review and other topics deferred to the IIW in-person board 
meeting
Don and Tom are preparing a legal review summary for the in-person board 
meeting at IIW - prompted in part, by legal reviews by potential members such 
as Oracle and MIT.  Another topic we are deferring to the IIW board meeting is 
a status update on the certification program.  We continue to get a continuing 
stream of certification requests for new implementations, such as by NEC, who 
contacted us to certify unprompted.  NEC's is a paid certification, as are 
others now coming in.


2.   Upcoming Workshop before IIW
We expect about 80 people to join us at the workshop on Monday prior to IIW on 
Monday, April 25th.  There, we will propose convening a Financial API working 
group to be chaired by Nat Sakimura of NRI as well as potentially other new 
members from the financial sector.


3.   Video on OpenID Connect
A video on OpenID Connect will be produced during IIW, using directed funding 
from Google.  Adam Dawes and the Google identity team are funding a 3-minute 
short film on the importance of OpenID Connect in the identity space.  Tom 
Smedinghoff has done due diligence ensuring that the film will be freely 
available to all.


4.   Website Updates
Mike and Don continue working with our contractor Darin Richardson and the 
Oregon State University Open Source Laboratory (OSUOSL) on updating the 
administrative backend tools of our membership site.


5.   Website Privacy Policy
Adam asked about updates to our Website privacy policy. Our privacy policy 
refers to the US/EU Safe Harbor program, which has been deemed unenforceable.  
Tom suggests that as a short-term measure, we delete the reference to the Safe 
Harbor program.  We then need to work on a revised privacy policy.  Tom believes 
we will be able to rely on a consent approach.  Nat pointed out that we are 
already collecting all the personal data based on consent.


6.   Liaison Update
Nat created, Mike edited, and Tony edited and submitted a liaison statement to 
ISO/IEC JTC 1/SC 27/WG 5 - the working group on identity and privacy.  Tony 
presented this statement this week.  We will be receiving a liaison response 
covering new work, including consent and unlinkable authentication.

The OIDF Enhanced Authentication Profile (EAP) work will be discussed by FIDO 
at their next meeting.  This and RISC will also be discussed at the upcoming 
Cloud Identity Summit (CIS).  This work will also be presented at the upcoming 
European Identity and Cloud Conference (EIC).


7.   Proposed Financial API Working Group Update
Nat plans to send a proposed charter to the specifications council in the next 
few days so that it will be ready in time for EIC.  Intuit is a proposer of the 
working group.


8.   Report on OpenID Workshop in Santiago
John reports that the OpenID Workshop in Santiago was a great success.  There 
will shortly be videos of the presentations available.


9.   Report on OpenID Workshop in Amsterdam
Don reports that the workshop in Amsterdam was also a success - focused 
primarily on OpenID Connect.  Don will be sending a report on the workshop 
shortly.





[OpenID board] FW: OpenID Connect Token Bound Authentication

2016-07-05 Thread Mike Jones
Apparently the openid-specs-...@lists.openid.net mailing list isn't working at 
present.  While I'd sent the contribution below, 
the archives say that no messages have been sent.  I'm sending this note to 
record the contribution to the OpenID Enhanced Authentication Profile (EAP) 
working group until such time as the EAP mailing list is functioning correctly.

   -- Mike

From: Mike Jones
Sent: Monday, July 4, 2016 7:34 PM
To: 'openid-specs-...@lists.openid.net' <openid-specs-...@lists.openid.net>
Subject: OpenID Connect Token Bound Authentication

The enclosed specification is a submission to the OpenID Connect Enhanced 
Authentication Profile (EAP) working group.  It specifies syntax and semantics 
for applying Token Binding to OpenID Connect ID Tokens.

   -- Mike

From: Mike Jones
Sent: Monday, July 4, 2016 7:33 PM
To: oa...@ietf.org
Subject: Token Binding for Access Tokens, Refresh Tokens, and ID Tokens

Two new related specifications define syntax and semantics for applying Token 
Binding to OAuth Access Tokens and Refresh Tokens and to OpenID Connect ID 
Tokens.  
draft-jones-oauth-token-binding<http://tools.ietf.org/html/draft-jones-oauth-token-binding>
 contains the OAuth portions.  
openid-connect-token-bound-authentication-1_0<http://self-issued.info/docs/openid-connect-token-bound-authentication-1_0.html>
 contains the OpenID Connect portions.

These are being submitted now to hopefully enable end-to-end implementations 
and interop testing of Token Bound Access Tokens, Refresh Tokens, and ID Tokens 
across multiple platforms before the Token Binding specifications are finalized.

The OAuth specification is available at:

*   http://tools.ietf.org/html/draft-jones-oauth-token-binding-00 (HTMLized text plus links to other formats)

*   http://self-issued.info/docs/draft-jones-oauth-token-binding-00.html (HTML)

The OpenID Connect specification is available at:

*   http://self-issued.info/docs/openid-connect-token-bound-authentication-1_0-00.html (HTML)

*   http://self-issued.info/docs/openid-connect-token-bound-authentication-1_0-00.txt (Text)

*   http://self-issued.info/docs/openid-connect-token-bound-authentication-1_0-00.xml (XML Source)

Thanks to Andrei Popov, Yordan Rouskov, John Bradley, and Brian Campbell for 
reviews of earlier versions of these specifications and to Dirk Balfanz and 
William Denniss for some earlier discussions providing input to these 
specifications.

   -- Mike

P.S.  This note was also posted at http://self-issued.info/?p=1577 and as 
@selfissued<https://twitter.com/selfissued>.
Title: Draft: OpenID Connect
Token Bound Authentication 1.0 - draft 00




Draft
 M. Jones
 Microsoft
 J. Bradley
 B. Campbell
 Ping Identity
 July 4, 2016

OpenID Connect
Token Bound Authentication 1.0 - draft 00

Abstract

OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0
  protocol. It enables Clients to verify the identity of the End-User based
  on the authentication performed by an Authorization Server, as well as to
  obtain basic profile information about the End-User in an interoperable and
  REST-like manner.


	This specification enables OpenID Connect implementations to apply
	Token Binding to the OpenID Connect ID Token.
	This cryptographically binds the ID Token to the TLS connections
	over which the authentication occurred.
	This use of Token Binding protects the authentication flow
	from man-in-the-middle and token export and replay attacks.
  

Table of Contents

1.  Introduction
    1.1.  Requirements Notation and Conventions
    1.2.  Terminology
2.  OpenID Connect Token Binding Representation
3.  OpenID Connect Token Binding Actions
4.  Phasing in Token Binding and Preventing Downgrade Attacks
5.  Token Binding Metadata
    5.1.  Token Binding RP Metadata
    5.2.  Token Binding OP Metadata
6.  Security Considerations
7.  IANA Considerations
    7.1.  JWT Confirmation Methods Registration
        7.1.1.  Registry Contents
    7.2.  OAuth Dynamic Client Registration Metadata Registration
        7.2.1.  Registry Contents
    7.3.  OAuth Authorization Server Discovery Metadata Registration
        7.3.1.  Registry Contents
8.  References
    8.1.  Normative References
    8.2.  Informative References
Appendix A.  Acknowledgements
Appendix B.  Notices
Appendix C.  Open Issues
Appendix D.  Document History
§  Authors' Addresses




1.  Introduction


	OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0
	[RFC6749] (Hardt, D., Ed., “The OAuth 2.0 Authorization Framework,” October 2012.)
	protocol. It enables Clients to verify the identity of the End-User based
	on the authentication performed by an Authorization

[OpenID board] FW: OpenID Connect EAP ACR Values specification

2016-07-07 Thread Mike Jones
I am also sending this note here to record this contribution because the EAP 
mailing list does not appear to be functioning properly at present.  I have 
submitted a service request on this issue.

-- Mike

From: Mike Jones
Sent: Thursday, July 7, 2016 6:26 PM
To: 'openid-specs-...@lists.openid.net' <openid-specs-...@lists.openid.net>
Subject: OpenID Connect EAP ACR Values specification

The OpenID Connect Extended Authentication Profile (EAP) ACR Values 1.0 
specification is enclosed.  This is a submission to the OpenID Enhanced 
Authentication Profile (EAP) working group<http://openid.net/wg/eap/>.  Per the 
abstract:

This specification enables OpenID Connect Relying Parties to request that 
specific authentication context classes be applied to authentications performed 
and for OpenID Providers to inform Relying Parties whether these requests were 
satisfied. Specifically, an authentication context class reference value is 
defined that requests that phishing-resistant authentication be performed and 
another is defined that requests that phishing-resistant authentication with a 
hardware-protected key be performed. These policies can be satisfied, for 
instance, by using W3C scoped credentials or FIDO authenticators.

The specification is glue that ties together OpenID 
Connect<http://openid.net/connect/>, W3C Web 
Authentication<http://www.w3.org/TR/2016/WD-webauthn-20160531/>, and FIDO 
Authenticators, enabling them to be seamlessly used together.

The specification is available at:

* http://self-issued.info/docs/openid-connect-eap-acr-values-1_0-00.html (HTML)

* http://self-issued.info/docs/openid-connect-eap-acr-values-1_0-00.txt (Text)

* http://self-issued.info/docs/openid-connect-eap-acr-values-1_0-00.xml (XML Source)

-- Mike

P.S.  This notice has also been published at http://self-issued.info/?p=1584 
and as @selfissued<https://twitter.com/selfissued>.
Title: Draft: OpenID Connect
Extended Authentication Profile (EAP) ACR Values 1.0 - draft 00



Draft
M. Jones
Microsoft
July 5, 2016

OpenID Connect
Extended Authentication Profile (EAP) ACR Values 1.0 - draft 00

Abstract

OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0
  protocol. It enables Clients to verify the identity of the End-User based
  on the authentication performed by an Authorization Server, as well as to
  obtain basic profile information about the End-User in an interoperable and
  REST-like manner.


	This specification enables OpenID Connect Relying Parties
	to request that specific authentication context classes
	be applied to authentications performed and
	for OpenID Providers to inform Relying Parties
	whether these requests were satisfied.
	Specifically, an authentication context class reference value
	is defined that requests that
	phishing-resistant authentication be performed
	and another is defined that requests that
	phishing-resistant authentication with a hardware-protected key be performed.
	These policies can be satisfied, for instance,
	by using W3C scoped credentials
	or FIDO authenticators.
  

Table of Contents

1.  Introduction
1.1.  Requirements Notation and Conventions
1.2.  Terminology
2.  Authentication Context Class Reference Values
3.  Security Considerations
4.  IANA Considerations
4.1.  Level of Assurance Profiles Registration
4.1.1.  Registry Contents
5.  References
5.1.  Normative References
5.2.  Informative References
Appendix A.  Acknowledgements
Appendix B.  Notices
Appendix C.  Open Issues
Appendix D.  Document History
§  Author's Address




1.  Introduction


	OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0
	[RFC6749] (Hardt, D., Ed., “The OAuth 2.0 Authorization Framework,” October 2012.)
	protocol. It enables Clients to verify the identity of the End-User based
	on the authentication performed by an Authorization Server, as well as to
	obtain basic profile information about the End-User in an interoperable and
	REST-like manner.
  


	This specification enables OpenID Connect [OpenID.Core] (Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and C. Mortimore, “OpenID Connect Core 1.0,” November 2014.) Relying Parties
	to request that specific authentication context classes
	be applied to authentications performed and
	for OpenID Providers to inform Relying Parties
	whether these requests were satisfied.
	Specifically, an authentication context class reference value
	is defined that requests that
	phishing-resistant authentication be performed
	and another is defined that requests that
	phishing-resistant authentication with a hardware-protected key be performed.
	These policies can be satisfied, for instance,
	by using W3C scoped credentials [W3C.WD‑webauthn‑20160531] (Bharadwaj, V
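
Added example, not part of the post or of the specification text above: a Relying Party asking for a phishing-resistant authentication context class and then checking whether the OpenID Provider reports that the request was satisfied. The acr strings "phr" and "phrh" are taken from the published EAP ACR Values specification and are an assumption here, since the abstract does not spell them out; the example.com hosts, client values and the SATISFIED_BY policy are constructed for illustration.

```python
"""Requesting and enforcing an authentication context class as an OpenID Connect RP."""
import hmac
import json
from urllib.parse import urlencode

# Assumption: names from the published EAP ACR Values spec, not from the text above.
PHR = "phr"    # phishing-resistant authentication
PHRH = "phrh"  # phishing-resistant authentication with a hardware-protected key

# Policy of this example: which reported acr values satisfy each requested one.
# A hardware-protected phishing-resistant login also satisfies a plain "phr" request.
SATISFIED_BY = {PHR: {PHR, PHRH}, PHRH: {PHRH}}


class AcrNotSatisfied(Exception):
    """The OP did not report the authentication context the RP asked for."""


def build_auth_request(authorization_endpoint, client_id, redirect_uri,
                       state, nonce, required_acr, essential=True):
    """Return an authorization URL (code flow) that asks for required_acr.

    essential=True marks acr as an essential claim through the OpenID Connect
    Core "claims" parameter; essential=False sends only the voluntary
    "acr_values" hint, which an OP may ignore.
    """
    if required_acr not in SATISFIED_BY:
        raise ValueError(f"unknown acr value: {required_acr!r}")
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
    }
    if essential:
        params["claims"] = json.dumps(
            {"id_token": {"acr": {"essential": True, "values": [required_acr]}}},
            separators=(",", ":"),
        )
    else:
        params["acr_values"] = required_acr
    return f"{authorization_endpoint}?{urlencode(params)}"


def enforce_acr(id_token_claims, required_acr, expected_nonce):
    """Return the reported acr if it satisfies required_acr, else raise.

    id_token_claims must come from an ID Token whose signature, iss, aud and
    exp were already validated; that validation is outside this example.
    """
    nonce = id_token_claims.get("nonce")
    if not isinstance(nonce, str) or not hmac.compare_digest(
            nonce.encode(), expected_nonce.encode()):
        raise AcrNotSatisfied("nonce mismatch: response is not for this request")
    acr = id_token_claims.get("acr")
    if not isinstance(acr, str):
        # A missing claim is treated as "not satisfied", never as success.
        raise AcrNotSatisfied("OP returned no acr claim")
    if acr not in SATISFIED_BY[required_acr]:
        raise AcrNotSatisfied(f"requested {required_acr!r}, OP reported {acr!r}")
    return acr


if __name__ == "__main__":
    print(build_auth_request("https://op.example.com/authorize", "rp-client",
                             "https://rp.example.com/cb", "st-1", "n-1", PHRH))
    # Constructed claim sets standing in for already-validated ID Tokens.
    for claims in ({"nonce": "n-1", "acr": "phrh"},
                   {"nonce": "n-1", "acr": "phr"},
                   {"nonce": "n-1"}):
        try:
            print("accepted:", enforce_acr(claims, PHRH, "n-1"))
        except AcrNotSatisfied as exc:
            print("rejected:", exc)
```

The check on the returned claim is what matters for the RP: an OP that cannot meet the request may still issue an ID Token, so the session must be refused unless the reported acr is acceptable.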

[OpenID board] FW: RP Certification Launch Announcement Live

2017-02-14 Thread Mike Jones
FYI.  This is also on twitter as @openid and @selfissued.

From: Mike Jones
Sent: Tuesday, February 14, 2017 2:34 PM
To: Roland Hedberg <rol...@catalogix.se>; Don Thibeau <d...@oidf.org>; Mike 
Leszcz <mike.les...@oidf.org>; Brian Campbell <bcampb...@pingidentity.com>; Nat 
Sakimura <n...@sakimura.org>; Eric Schreiner <eschrei...@janrain.com>
Cc: lmar...@janrain.com; Hans Zandbelt <hans.zandb...@zmartzone.eu>; 'Edmund 
Jay' <e...@mgi1.com>
Subject: RP Certification Launch Announcement Live

http://openid.net/2017/02/14/openid-connect-relying-party-certification-adoption/

I also thanked some people at http://self-issued.info/?p=1636. 

   -- Mike





[OpenID board] September 8, 2016 OpenID Executive Committee Call Minutes

2016-09-18 Thread Mike Jones
September 8, 2016 OpenID Executive Committee Call Minutes

Present:
Don Thibeau, Executive Director
Nat Sakimura
John Bradley
Mike Jones
George Fletcher
Adam Dawes

Visitors:
Tom Smedinghoff, Locke Lord LLP
Mike Leszcz, OpenID Foundation Staff
Prateek Mishra, Oracle


1.   Updates to Legal Documents
Tom circulated updated legal documents to the executive committee.  He gave us 
an overview of the updates.

The updates are motivated by people noticing that the contribution agreement 
that we had been using didn't implement all the requirements of the IPR policy. 
 The updated versions do.  We were intentionally not touching the IPR Policy 
and Procedures documents.

Individuals would need to have any entity that they have an intellectual 
property obligation to, such as an employer, also sign a document, to meet the 
requirements of the IPR policy.

Currently there are two forms of membership agreements - a 7-page document and 
a half-page document.  We streamlined the 7-page version, eliminating 
redundancies, addressing inconsistencies, etc.

The documents have been reorganized to separate policies from agreements.

Another issue pertains to listing working groups in the contribution agreement. 
 We could either drop the working group lists, keep things as-is, or require 
explicit contribution agreements for each working group joined.

Mike pointed out that there's currently a difference between the way we have 
applied the contribution agreements and what they actually say.  We had been 
asking people to sign new contribution agreements when they join working groups 
unless they had already specified "all working groups".  But the current 
agreement says that you can also choose to participate in additional working 
groups in the future.  Mike thinks that we should close that loophole, so that 
we always have an explicit record.

John thinks that asking people to sign individual agreements would result in a 
revolt.  Prateek agreed.

Mike said that, if in the process of reviewing the documents, we learn that we 
would have to have participants perform unnatural acts, that we should *very 
lightly* revise the IPR documents.  We have done this once before - to add a 
clause about working groups being approved in 14 days if the specs council 
takes no action.  We shouldn't change core IPR provisions but we can simplify 
the mechanics.

Tom said that the point of having individuals sign is to individually bind them 
to the agreement.  Prateek pointed out that he probably doesn't even have 
individual signing authority.  Tom understood that asking for individual 
signatures may be perceived as being an "unnatural act".

Mike:  We probably want to revise the IPR documents ever so lightly to allow us 
to continue operating as we have been.

Tom: We could create a document that individuals could take to their employers, 
if appropriate.

John said that we should allow an option in the contribution agreement to allow 
all employees to participate.  Apparently, Google did that.

Nat said that we should remove the OpenID field from the form.

Tom said that we don't anticipate any changes to the software contribution 
agreement that we created earlier this year.

Nat and Tom had a discussion of the definition and application of the term 
"entity" in the bylaws.

The directed funding policy is derived from the directed funding FAQ.

There are substantive changes in the trademark policy.  It covers more cases, 
including use of the OpenID and OpenID Certified marks.

Tom will create updated documents and recirculate.  The remaining major changes 
will be to the contribution agreement.  People are encouraged to review the 
other revised documents now.

The IPR policy currently requires some things to be signed in ink on paper.  If 
we're revising the IPR policy, Tom suggests that we should also revise it to 
also allow the option to sign anything electronically.


2.   Open Source Libraries
We are seeing positive reactions to the AppAuth libraries owned by the 
foundation.  Adam said that he believes that providing high-quality working 
code furthers the mission of the foundation.  We already have a software 
contribution agreement enabling this.

Prateek suggests adopting an Apache-like contribution agreement.  Adam 
responded that the contributed software is using an Apache license.  John said 
that we already have essentially the Apache process but with contributions 
going to working groups and contributors being required to be members of the 
working group.

We added the software contribution agreement about a half year ago because the 
existing contribution agreements dealt with specifications but not software.  
Mike is explicitly not asking Tom to look at this again because he just did 
recently.  John and Nat suggested that, since apparently we are touching the 
IPR agreement anyway, we should consider whether changing a few words here and 
there might simplify things for

[OpenID board] FW: OpenID Connect Logout Implementer’s Drafts Approved

2017-03-28 Thread Mike Jones


From: Openid-specs-ab [mailto:openid-specs-ab-boun...@lists.openid.net] On 
Behalf Of Mike Jones via Openid-specs-ab
Sent: Tuesday, March 28, 2017 2:19 PM
To: openid-specs...@lists.openid.net
Subject: [Openid-specs-ab] OpenID Connect Logout Implementer’s Drafts Approved


The OpenID Foundation membership has approved these specifications as OpenID 
Implementer’s Drafts. An Implementer’s Draft is a stable version of a 
specification providing intellectual property protections to implementers of 
the specification.

  *   Session 
Management<http://openid.net/specs/openid-connect-session-1_0-ID4.html> – 
Defines how to manage OpenID Connect sessions, including postMessage-based 
logout functionality
  *   Front-Channel 
Logout<http://openid.net/specs/openid-connect-frontchannel-1_0-ID1.html> – 
Defines a front-channel logout mechanism that does not use an OP iframe on RP 
pages
  *   Back-Channel 
Logout<http://openid.net/specs/openid-connect-backchannel-1_0-ID1.html> – 
Defines a logout mechanism that uses back-channel communication between the OP 
and RPs being logged out

These specifications are available at:

  *   http://openid.net/specs/openid-connect-session-1_0-ID4.html
  *   http://openid.net/specs/openid-connect-frontchannel-1_0-ID1.html
  *   http://openid.net/specs/openid-connect-backchannel-1_0-ID1.html

The voting results were:

  *   Approve – 52 votes
  *   Object – 3 votes
  *   Abstain – 5 votes

Total votes: 60 (out of 219 members = 27% > 20% quorum requirement)

— Michael B. Jones – OpenID Foundation Board Secretary
This was announced at 
http://openid.net/2017/03/28/openid-connect-logout-implementers-drafts-approved/.
  It was also tweeted from @openid<https://twitter.com/openid>.


[OpenID board] April 6, 2017 OpenID Executive Committee Call Minutes

2017-04-13 Thread Mike Jones
April 6, 2017 OpenID Executive Committee Call Minutes

Present:
Don Thibeau, Executive Director
John Bradley
Mike Jones
Nat Sakimura
Adam Dawes

Absent:
George Fletcher

Visitors:
Mike Leszcz, OpenID Foundation Staff


1.   Real Estate Standards Organization (RESO) Interactions
Don reported that there have been frequent interactions between the Real Estate 
Standards Organization (RESO) and the OIDF.  They are using the OpenID 
Certification suite as part of their RESO certification process.  Several of 
their members have also joined the OIDF and have certified their 
implementations.  Joint blog posts are planned.


2.   New & Updated Bylaws, Agreements, and Policies Documents
Mike has reviewed all the changes proposed by Tom Smedinghoff. These align the 
documents with our actual practices and simplify their structure.  In 
particular, the foundation policies are gathered into a set of individual 
policy documents.  Mike has forwarded these changes for review by the Microsoft 
standards lawyers.  After that, we will circulate the results for broader 
review.  We hope to complete the reviews in time for board approval at IIW.


3.   Certification Program Update
The certification program continues to attract more interest on a diverse 
global basis, including recently from Korea.  We are working on a certification 
roadmap presentation to update the board at the in-person meeting in May.

We have contracts in place with Roland and Hans that are being completed.  Hans 
has demonstrated that he can update, extend, and deploy all the certification 
software to our live certification servers.  Roland has deployed the updated OP 
testing software to the server new-op.certification.openid.net.  This is the 
version available in a Docker container.  Volunteers are needed to do A/B 
testing between op.certification.openid.net and new-op.certification.openid.net 
to make sure that the new software does the same thing as the old.  After that, 
we'll cut over to using the new OP testing software.  Google may be able to be 
one of the parties to do this.  Adam asked if there is new documentation, which 
Mike will look into.  Mike will ask for other volunteers, such as Dominic 
Baier, Brock Allen, Matias Woloski.

During IETF, William ran AppAuth through the RP certification suite.  The 
AppAuth developers want to automate AppAuth testing as part of continuous 
integration.

John spent time in London recently with 9 large banks and the open banking 
authority.  They decided to deploy the FAPI profile, rather than customizing 
OAuth.  They are interested in certification testing for FAPI conformance 
profiles.  They might produce directed funding towards that goal.


4.   OpenID.net Website
Nov Matake is now maintaining our website instead of our old contractor, Darin 
Richardson.  He's been proactive and has quickly fixed a number of niggly bugs 
in our Ruby code.  Nov has also pointed out updates needed for our WordPress 
installation.

Mike Jones is working with OSUOSL to move our WordPress installation from an 
obsolete PHP version to a current one.

Mike Leszcz is reviewing the openid.net website content, identifying obsolete 
content that we should delete or update.  Some volunteers are also updating the 
OpenID Wikipedia entry.

Mike Jones is writing a "How do Working Groups Work" page to help working group 
members and working group chairs understand how to get things done in OpenID 
working groups.  It will describe how decisions are made, what kinds of 
decisions are made, and how drafts progress.  It will reference the IPR Process 
document but also add practical information like how decisions are discussed on 
calls and confirmed on the WG mailing list.  It will talk about how chairs are 
empowered to call consensus and how that works.  And it will also talk about 
the foundation-wide votes to convey IPR protections to proposed Implementer's 
Drafts, Final Specifications, and Errata.  Given the growth of the foundation, 
both in participants and in working groups, we all agreed that getting this 
written down in an easily accessible form will be a help to all.

Auth0 has offered to help with visual designs for our website.  They plan to 
make a proposal to the marketing committee.


5.   Sponsoring Nov Matake to come to CIS
The OpenID Foundation Japan has sponsored Nov Matake's travel to come to the 
Cloud Identity Summit.  The OIDF is picking up his hotel.  Ping Identity is 
covering Nov's registration.  Nov will be talking about the state of identity 
deployments in Japan.


6.   Upcoming Meetings and Events
There is an OpenID Workshop on May 1st at Google the day before IIW.  We'll use 
the same template for the OpenID workshop at the European Identity and Cloud 
Summit (EIC) in May.  The OIDF will be contributing content into the main 
content stream of the Cloud Identity Summit (CIS) in June.


7.   Liaison Relationships
Nat is writing a liaison stateme

[OpenID board] FW: Public Review Period for Four MODRNA Specifications Started

2017-03-06 Thread Mike Jones


From: Mike Jones
Sent: Monday, March 6, 2017 7:25 PM
To: openid-specs-mobile-prof...@lists.openid.net
Subject: Public Review Period for Four MODRNA Specifications Started

See the announcement of the public review period before the specifications will 
be voted on for Implementer's Draft status at 
http://openid.net/2017/03/06/public-review-period-for-four-modrna-specifications-started/
 and at @openid<https://twitter.com/openid>.

-- Mike (writing as OpenID Foundation Board 
Secretary)



[OpenID board] February 15, 2017 OpenID Board Meeting Minutes

2017-03-02 Thread Mike Jones
February 15, 2017 OpenID Board Meeting Minutes

Present:
Don Thibeau, Executive Director
Mike Jones
Nat Sakimura
Brian Berliner
Adam Dawes
Tony Nadalin
Bjorn Hjelm
Prateek Mishra
Tushar Pradhan
Pamela Dingle

Present on the Phone:
John Bradley
Debbie Bucci
George Fletcher

Absent:
Dale Olds
Masato Obata

Visitors:
Eric Sachs, Google
Ashish Jain, VMware
Tom Smedinghoff, Locke Lord LLP
Mike Leszcz, OIDF (on the phone)


1.   Election of Officers
A proposal was made to re-elect the officers of the OpenID Foundation.  They 
are Nat Sakimura as chairman, Adam Dawes as vice-chairman, John Bradley as 
treasurer, Mike Jones as secretary, and George Fletcher as community liaison.  
John acknowledged that being treasurer of OIDF may or may not disqualify him from 
becoming treasurer of OIX, pending deliberations of the OIX board.

The OIDF officers were unanimously re-elected.


2.   Corporate Board Representative
The board welcomed Ashish Jain of VMware, who was elected to be the corporate 
board representative starting on February 17, 2017.


3.   Website Privacy Policy
The EU General Data Protection Regulation (GDPR) will affect the OpenID 
Foundation.  This motivates updating our Website privacy policy.  The new 
privacy policy is intended to comply with the GDPR.  Nat had sent some comments 
on the new privacy policy, which were incorporated.  John moved and Adam 
seconded that the new privacy policy be approved.  The motion passed 
unanimously.

Some of the openid.net Web site procedures will need to be updated to add 
explicitly granting consent.


4.   New OIDF Bylaws, Agreements, and Policies
Proposed changes to the bylaws, member agreement, contribution agreement, 
trademark usage policy, directed funding policy, and IPR policy have been 
circulated.  At an executive committee call, a decision was made to simplify 
some of the procedural aspects of the IPR policy to make contributions simpler 
and the procedures more closely aligned with the ways we have been operating in 
practice.  No changes to the intellectual property rights of any participants 
are being planned.  Some discussions on these documents are still ongoing.  
Mike Jones intends to review them and have Microsoft's standards lawyers also 
provide feedback, as they have done in the past.


5.   Certification Update
Mike Jones gave an update on the OpenID Certification program.  The RP 
Certification program was publicly launched on February 14, 2017 with this 
announcement: 
http://openid.net/2017/02/14/openid-connect-relying-party-certification-adoption/.
  Exceeding expectations, 12 RP implementations have been certified while still 
in the pilot phase of the program.  Meanwhile new OP certifications continue 
coming in at a rapid pace.  The certification program has become a recognized 
center of excellence, attracting people to both OpenID Connect and the OpenID 
Foundation.

The foundation has entered into a contract with Hans Zandbelt to work alongside 
Roland Hedberg in maintaining and operating the certification program.  His 
initial deliverables are about ensuring that all aspects of the program are 
sufficiently documented that the program's continuity is not dependent upon any 
knowledge only one person might currently have.

New certification profiles are planned, such as one for the form post response 
mode.  Hans' second deliverables are about ensuring that the means of adding 
tests are well-documented and working with Roland to add some of these new 
tests.

Tony Nadalin asked whether we have data on what value the certification program 
has provided to participants.  Mike Jones reported that we have gathered that 
data by surveying existing parties who have certified.  We will use this data 
in future communications about the value of the certification program.  
Numerous people said very positive things about the certification program both 
improving the quality of their implementations and boosting the reputation of 
their implementations.

Certification training has been proposed for both the Cloud Identity Summit and 
possibly also at a future Japanese OpenID event.

Don reported that he has been having discussions with Brett McDowell of the 
FIDO Alliance about possible certification coordination.

[Debbie Bucci joined on the phone at this point]

Discussions have been ongoing with the HEART working group chairs about the 
working group's possible future certification needs and the possibility of 
folding some of the testing work that was done for HEART into the foundation's 
certification program.

For scalability, maintainability, and branding reasons, the foundation has and 
plans to have a single certification program, with the testing software 
structured to enable adding new certification profiles.  For instance, eventually 
new certification profiles for MODRNA, iGov, EAP, HEART, FAPI, and other sets 
of specifications should be made available by selecting appropriate 
configuration information

[OpenID board] June 19, 2017 OpenID Board Meeting Minutes

2017-07-20 Thread Mike Jones
June 19, 2017 OpenID Board Meeting Minutes

Present:
Don Thibeau, Executive Director
Mike Jones
Nat Sakimura
Brian Berliner
Adam Dawes
Bjorn Hjelm
John Bradley
George Fletcher
Prateek Mishra
Ashish Jain
Tony Nadalin
Pamela Dingle

Present on the Phone:

Absent:
Debbie Bucci
Masato Obata
Tushar Pradhan

Visitors:
Tom Smedinghoff, Locke Lord LLP
Mike Leszcz, OIDF
Arvindan Raganathan, PayPal
Nov Matake, OpenID Foundation Japan
Shin Kusunoki, NRI


1.   Board Resolution: Approve New & Updated OIDF Bylaws, Agreements and 
Policies
Tom Smedinghoff reviewed the status of the project to update our legal and 
organizational documents.  These were reviewed at the last board meeting in 
May.  The changes align the contribution agreement with the IPR policy and 
procedures.  They also align the procedures with how we've actually been doing 
business.

The changes were unanimously adopted.  Mike Jones will work as Secretary to 
draft the voting announcement to the membership.


2.   Board Resolution: Approve Florida Agency for State Technology's 
Request to Publish OpenID Specification
We discussed whether to allow the State of Florida to post copies of the OpenID 
Connect specifications.  We decided to ask them to keep paper copies on file 
rather than posting them.  Don and Tom will write a blog post about this 
decision.


3.   Vote for Implementer's Drafts of OpenYOLO for Android Specification
This vote is under way.


4.   Public Review Period for "Financial API - Part 2: Read and Write API 
Security Profile" Started
The 45-day review period began on June 1st.


5.   Public Review Period for Five HEART Specifications Started
The 45-day review period began on June 2nd.


6.   OpenID Certification Program Update
New OP and RP certifications continue to come in, both from members and 
non-members.  Some certifiers are choosing to become members at the time of 
their certifications.

Both Hans Zandbelt and Roland Hedberg are under new contracts that run through 
the end of 2017.  The deliverables in these contracts include updating the OP 
software version, enabling new OP and RP certification test suites for form 
post response mode, refresh token behaviors, logout functionality, and 
OP-initiated logout, and maintenance and operation of the certification 
software and sites.

We plan to move off of the Symantec-provided certification hosts by the end of 
the year, per Symantec's request.


7.   OpenID Foundation Website Updates
The board thanked Nov Matake for the useful and timely work that he is doing 
for the OpenID Foundation.  The motion carried unanimously.

Nov is also under contract to the foundation through the end of 2017.


8.   RESO & OpenID Foundation - Connecting Standards
Several RESO members have joined the OpenID Foundation.  They are using the 
OpenID Certification suite as part of their certification program.  They are 
encouraging their members to also directly obtain OpenID Certification.


9.   Open Banking Identity Contract Update
A statement of work has been developed by Hans Zandbelt to create certification 
software for the FAPI standards.  The Open Banking Working group is evaluating 
the proposal.  The proposal contains a 15% overhead fee going to the OpenID 
Foundation to cover our costs of administering the contract.  The draft 
contract has undergone legal review by Tom Smedinghoff.  We are waiting for 
banks to join the foundation and to produce designated funds to support the 
program.

John pointed out that we should have the contributors sign code contribution 
agreements so that it is clear that the OpenID Foundation has rights to the 
code.


10.   Upcoming Meetings & Events
Our events are posted at http://openid.net/foundation/calendar-of-events/.
There is a FAPI meeting in London on July 12th.
OpenID Connect Federation will be discussed during the September 12-14 NORDU 
workshop in Copenhagen, per https://events.nordu.net/display/NTW2017/Welcome.
The OpenID Workshop before IIW will be October 16th at PayPal.
The next F2F board meeting will be October 18th at IIW.


11.   Liaison Report
ISO/IEC JTC 1/SC 17/WG 4 (Driver's License Group) sent a liaison request.  They 
are working on a mobile driver's license using OpenID Connect.

Nat and Tony talked about the possibility of submitting a profile of OpenID 
Connect to ISO.  Note that ISO requires rewriting the specifications.  ITU 
doesn't require rewriting.

We have sent a liaison request to ISO TC68 - Financial Services.  It is in 
letter ballot state.

The Linux Foundation's Automotive Grade profile group is considering OpenID 
Connect.  They are considering a liaison relationship with us.

There may be interest from the GSMA in interacting with FAPI.  Bjorn Hjelm is 
working on establishing a liaison relationship with the GSMA to facilitate 
collaborations.


12.   Financial Update
We currently have ten sustaining members.  Due to budgetary issues, one may not 
renew

[OpenID board] FW: Public Review Period for OpenYOLO for Android Specification Started

2017-05-03 Thread Mike Jones


From: Mike Jones
Sent: Wednesday, May 3, 2017 4:26 PM
To: 'oidf-account-chooser-l...@googlegroups.com' 
<oidf-account-chooser-l...@googlegroups.com>
Cc: Iain McGinniss <iainmc...@google.com>; Adam Dawes <ada...@google.com>
Subject: Public Review Period for OpenYOLO for Android Specification Started


The OpenID Foundation Account Chooser/Open YOLO (You Only Login Once) Working 
Group<http://openid.net/wg/ac/> recommends approval of the following 
specification as OpenID Implementer's Draft:

  *   OpenYOLO for Android, draft 
03<http://openid.net/specs/openyolo-android-03.html>

An Implementer's Draft is a stable version of a specification providing 
intellectual property protections to implementers of the specification. This 
note starts the 45-day public review period for the specification drafts in 
accordance with the OpenID Foundation IPR policies and procedures. Unless 
issues are identified during the review that the working group believes must be 
addressed by revising the drafts, this review period will be followed by a 
seven-day voting period during which OpenID Foundation members will vote on 
whether to approve these drafts as OpenID Implementer's Drafts. For the 
convenience of members, voting may actually begin up to two weeks before the 
start of the official voting period.

The relevant dates are as follows:

  *   Implementer's Draft public review period: 2017-05-03 to 2017-06-17 (45 
days)
  *   Implementer's Draft vote announcement: 2017-06-05
  *   Implementer's Draft voting period: 2017-06-12 to 2017-06-26 (7 days)*

* Note: Pre-voting before the start of the formal voting will be allowed.

The Account Chooser/Open YOLO working group page is http://openid.net/wg/ac/. 
Information on joining the OpenID Foundation can be found at 
https://openid.net/foundation/members/registration. If you're not a current 
OpenID Foundation member, please consider joining to participate in the 
approval vote.

You can send feedback on the specifications in a way that enables the working 
group to act upon your feedback by (1) signing the contribution agreement at 
http://openid.net/intellectual-property/ to join the working group (please 
specify that you are joining the "Account Chooser/Open YOLO" working group on 
your contribution agreement), (2) joining the working group mailing list at 
https://groups.google.com/forum/#!forum/oidf-account-chooser-list<https://groups.google.com/forum/#%21forum/oidf-account-chooser-list>,
 and (3) sending your feedback to the list.

- Michael B. Jones - OpenID Foundation Board Secretary
P.S.  This was also announced at 
http://openid.net/2017/05/03/public-review-period-for-openyolo-for-android-specification-started/
 and as @openid<https://twitter.com/openid>.


[OpenID board] May 3, 2017 OpenID Board Meeting Minutes

2017-05-19 Thread Mike Jones
May 3, 2017 OpenID Board Meeting Minutes

Present:
Don Thibeau, Executive Director
Mike Jones
Nat Sakimura
Brian Berliner
Adam Dawes
Bjorn Hjelm
John Bradley
Debbie Bucci
George Fletcher
Prateek Mishra
Ashish Jain
Pamela Dingle

Present on the Phone:
Tony Nadalin

Absent:
Masato Obata
Tushar Pradhan

Visitors:
Tom Smedinghoff, Locke Lord LLP (on the phone)
Mike Leszcz, OIDF (on the phone)
Phil Hunt, Oracle


1.   Tenth Anniversary of the Foundation
The Foundation has been in operation for ten years now!


2.   Updates to Legal Documents
Tom described the updates made to the legal documents.  Tom notified us that he 
made conforming changes to the IPR process document that are not substantive in 
nature.  Microsoft's standards lawyers reviewed the documents and Tom 
incorporated the results of their feedback.  Don sent a complete set of both 
clean copies and redline documents to the full board earlier this week.  We 
plan to consider approval of these changes during the board meeting at the 
Cloud Identity Summit in June.

The changes align our documents with our existing operating practices.  Mike 
described that the minor changes to the IPR process are there to align with our 
business practices.  Tom added that there were no substantive changes to the 
actual IPR policies or procedures.  Tony sought a clarification that we are 
continuing to enumerate participants, which we are.  Prateek sought 
clarifications on how the patent non-assert process works.  We discussed the 
scenario in which an individual owns a patent and is representing a company.  
Adam and Phil discussed whether we could require companies to ensure that 
their representatives do not have a conflict of interest with the goals of the 
working groups.  Some expressed that this would be onerous and impractical.  
John said that an alternative, the IETF process where people are required to 
assert patents at Implementer's Draft time, could work as well.  Tom said that 
the risks we are discussing are ones that the foundation has already been 
bearing.  Don suggested that we proceed with the documents as-is.  The board 
concurred.

[Pamela Dingle joined on the phone at this point]


3.   Florida is asking for permission to post copies of some OpenID 
standards
Their procedures require them to post documents that are referenced in their 
regulations.  John suggested that we have them do a 302 redirect to the 
authoritative copies.  Tom said that their regulations require them to actually 
publish a copy.  Phil suggested that we request that they provide a link to 
the authoritative sources.  Pam asked Tom to send us a link to the regulations, 
which he will do.  We agreed to have the executive committee take up this topic.


4.   Accessible Documentation for Working Group Chairs and Members
As the foundation is growing, there are increasing numbers of working groups, 
chairs, and working group members.  People have agreed that it would be helpful 
to have an accessible "How working groups work" document, so both chairs and 
working group members understand both the "whats" and "whys" of the things that 
working groups do.  While many of those things are codified in IPR process and 
policy documents, an FAQ-like presentation is likely to be more accessible to 
participants.


5.   Web Site Updates
Don reported that the Marketing Committee is working on updates to the look of 
the Web site.  Auth0 has made specific proposals for graphical improvements 
that are being considered.


6.   Certification Update
Numbers of certifications continue increasing.  Increasing numbers of people 
are using local deployments of the testing software, which can be packaged into 
Docker containers.

Hans Zandbelt has joined the certification team and has contracted with the 
foundation for specific deliverables.  These augment the deliverables that 
Roland Hedberg is already producing.  Deliverables include new tests, 
additional documentation, and ongoing operation and maintenance.  Hans will be 
writing some of the new tests.

Symantec is providing us the certification hosts.  Symantec suggests that we 
eventually move hosting to actual hosting providers, because it will probably 
result in less friction as the scope of certification increases.  We could 
consider doing that near the end of the year.  Adam asked whether Symantec's 
certificates for Account Chooser would also be affected.  Brian said that no 
changes for Account Chooser are anticipated and that that's a separate 
discussion.  We acknowledged the value that Symantec has added to the 
certification program and our appreciation of it.

There are several other organizations using the certification program as part 
of their businesses, including RESO - the Real Estate Standards Organization.  
The GSMA is using a copy of the certification software internally.  New 
certifications are being considered for additional specifications, su

[OpenID board] September 7, 2017 OpenID Executive Committee Call Minutes

2017-10-18 Thread Mike Jones
September 7, 2017 OpenID Executive Committee Call Minutes

Present:
Don Thibeau, Executive Director
John Bradley
George Fletcher
Mike Jones
Adam Dawes
Nat Sakimura

Absent:
(none)

Visitors:
Mike Leszcz, OpenID Foundation Staff
Tom Smedinghoff, Locke Lord LLP


1.   New "Government" Membership Category
Don Thibeau and Tom Smedinghoff made a recommendation to add a "Government" 
membership category - distinct from non-profit memberships.  The proposed price 
point is $500.  Adam asked what we're trying to solve here.  The goals are to 
make it easy for governments to join and easier for an agency to understand the 
implications of joining.  Tom reported that the current membership agreement 
has the notion of a "control group".  This works for corporate organizations 
but may not work for government agencies.  Tom suggests that the "control 
group" concept not apply to the government category.

John Bradley stated that while the US may not assert IPR, this may not be true 
of all governments.  Adam asked where the current structure is sufficiently 
broken that it is inhibiting government participation.  John said that 
government employees participating in working groups is a separate issue.  An 
alternative strawman is to simply rename the non-profit category to "non-profit 
and government".

This is coming up in the context of the iGov working group for some potential 
European participants.  Don will go back to the people discussing this and come 
back with an updated recommendation.


2.   Certification Program Update
Engineering Update:  RP Certification is now in production.  This means that we 
are charging for it and it is now available to non-members for the first time.  
We are now on the new OP testing code base that enables adding new tests.  
Additional tests are being worked on by Roland Hedberg and Hans Zandbelt.  
Roland has written some code in support of the FAPI testing requirement that 
signed requests be used.  This will be a selectable option.

Business Update: Mike, Roland, Hans, and Don are helping Open Banking 
participants as we can.  Mike recently reinforced the goal of having one 
certification program using one code base.  The Open Banking people understood 
and supported this goal.  Don will also be taking this message to the 
participants in London in the next few weeks.

Personnel Update:  We are considering bringing Filip Skokan on as a third 
programmer on the certification project.  He has already made substantial 
contributions on a volunteer basis.


3.   Liaison Update
Don and Nat spoke to the ITU-T about FAPI and other related work.


4.   Marketing Update
The marketing committee is looking at a small contract with a third-party 
resource shared with OIX for that party to participate in social media channels 
for the foundation.  Don will report back with further details as they develop.


5.   Calendar Update
Don and Mike Leszcz are working on a calendar update they plan to publish in 
the next few days.


6.   Native Applications BCP and OpenID Foundation Links
John is in the AUTH48 process for the IETF Native Applications BCP.  Currently 
the AppAuth references are directly to the GitHub repository.  William Denniss 
and John were thinking it would be good to have the spec point to stable OpenID 
Foundation hosted links.  Mike suggested doing this in openid.net/code/.  John 
will work with Mike to create these links.

As an aside, we discussed that certification applications for the AppAuth 
libraries have not yet been submitted.  John will ask William, etc. about 
making this happen.


7.   JWT Library Validation
Adam proposed creating JWT validation software to the OpenID Connect working 
group. Mike Jones replied to the working group proposing specifics that should 
be tested.  Adam and a new program manager on his team will discuss this on an 
upcoming OpenID Connect working group call.  Mike asked whether this would be 
black-box testing or testing that calls the library APIs directly.  Adam said 
that that hadn't been decided yet.  We want to include developers of existing 
high-quality libraries in this effort.


8.   FAPI Spec Improvements
The foundation paid Carla Roncato to make editorial improvements to the two 
existing FAPI specs.  Mike asked when these will be posted at openid.net/specs. 
 John didn't know, and Nat wasn't on the call.  Mike will follow up via e-mail.


9.   Upcoming Meetings and Events
The next face-to-face board meeting is during IIW, which is October 17-19.  
There will be a workshop at PayPal that Monday, October 16th.  There will be 
another executive committee call before IIW on October 5th.

[Nat Sakimura joined the call at this point]




[OpenID board] October 18, 2017 OpenID Board Meeting Minutes

2017-11-17 Thread Mike Jones
October 18, 2017 OpenID Board Meeting Minutes

Present:
Don Thibeau, Executive Director
Mike Jones
Brian Berliner
Adam Dawes
Bjorn Hjelm
John Bradley
George Fletcher
Ashish Jain

Present on the Phone:
Pamela Dingle
Nat Sakimura

Absent:
Tony Nadalin
Prateek Mishra
Tushar Pradhan
Masato Obata
Debbie Bucci

Visitors:
Phil Hunt, Oracle

Visitors on the Phone:
Tom Smedinghoff, Locke Lord LLP
Mike Leszcz, OIDF


1.   Certification Update
Mike reported that the RP Certification program is now in production mode, 
rather than pilot mode.  The certification fees for RP Certification are the 
same as those for OP certification.

Filip Skokan is being brought on board as a contributor to the certification 
team.  He produced the continuous integration tests already used for the 
certification software.

The certification revenues are not directly covering our costs of operating the 
certification program.  It probably breaks even if the incremental revenue from 
additional memberships attributable to the certification program is factored in.

Brian Berliner asked about enabling additional cost and support models.  Don 
will take this under consideration, particularly when FAPI certification comes 
online.

We will be migrating off of the four physical hosts currently supplied by 
Symantec to hosted virtual machines by the end of the year.  Brian Berliner 
produced a project plan to facilitate the migration.

We have actively mitigated what were previously single points of failure during 
this year.  Multiple people understand how to maintain, enhance, release, and 
operate the certification software.  Multiple people are able to process 
certification applications.  Docker containers for the certification software 
are available and being used by multiple parties.

Several new certification profiles are about to be launched after review by the 
Connect working group.  These include Form Post Response Mode, refresh token 
behaviors, logout functionality, and OP-initiated login.  These will initially 
be in pilot mode, in which we are "testing the tests".

We don't have visibility into the FAPI testing coding being done by the Open 
Banking contractor.


2.   Liaison Update
Mike reported that the OpenID Connect Extended Authentication Profile (EAP) ACR 
Values specification can be used to request authentications that FIDO 
authenticators would satisfy.  John added that ACR values defined by other 
profiles may also accomplish this.

[Pamela Dingle joined the meeting at this point]


3.   Open Banking Update
Pam reported that the Open Banking developers have released prototype tests for 
the FAPI specs.  Their Dynamic Client Registration spec is largely baked but is 
not compatible with OpenID Connect Dynamic Client Registration.  They require a 
signed request rather than a JSON request.  The Open Banking folks want 
non-repudiation.  Pam will set up a call to discuss this.  Mike, John, Bjorn, 
George, Phil, and Don requested to participate.

[Adam Dawes departed at this point]


4.   ID Pro Relationship
The executive committee is working on ways for attendees of OpenID Events to 
get ID Pro education credit.  It's currently in the court of the ID Pro 
organization to make a specific proposal to the OpenID Foundation.


5.   Marketing Committee Update
Adam and Don are working on consolidating our multiple presences on Facebook 
and Google+.  This is part of an initiative to improve our social media 
communications.  We will begin using these and Twitter more systematically in 
the coming year and will be collecting engagement metrics.

[Nat joined the meeting at this point]


6.   Internationalization of Board Meetings
There's a proposal to hold a board meeting in Munich in conjunction with EIC 
and/or in London in conjunction with IETF.  These might replace the meeting 
during RSA.  Don will poll the board and follow up with a specific proposal.  
There's also the April board meeting at IIW.


7.   FAPI Update
FAPI has set up a repository to enable the Open Banking folks to institute 
change and issue tracking for their specs.  They currently are not change 
tracked.

Nat said that FAPI may want Final Specification votes for Part 1 and Part 2 in 
a few months.

There will be a joint FAPI Open Banking meeting on Monday, November 6th in 
London.


8.   Real Estate Standards Organization (RESO) Update
Don will be presenting at the RESO annual meeting tomorrow.  RESO is using our 
certification suite as part of their certification.  Several of the RESO 
vendors have also completed OpenID Certifications.


9.   Membership and Budget Update
We are in good financial shape.  We continue getting more members - in part, 
because of the certification program.  We have money in the bank that can be 
used for projects, as needed.  We currently have something over 200 members.


10.   RISC Working Group Update
The RISC WG met on Monday at PayPal.  There continues to be a robust 

[OpenID board] FW: Public Review Period for Three RISC Specifications Started

2018-05-07 Thread Mike Jones


From: Mike Jones
Sent: Monday, May 7, 2018 4:44 PM
To: 'openid-specs-r...@lists.openid.net' <openid-specs-r...@lists.openid.net>
Subject: Public Review Period for Three RISC Specifications Started


The OpenID Risk and Incident Sharing and Coordination (RISC) Working 
Group<http://openid.net/wg/risc/> recommends approval of the following 
specifications as OpenID Implementer's Drafts:
* OpenID RISC Profile of IETF Security Events 
1.0<http://openid.net/specs/openid-risc-profile-1_0-01.html>
* OpenID RISC Event Types 
1.0<http://openid.net/specs/openid-risc-event-types-1_0-01.html>
* OAuth Event Types 
1.0<http://openid.net/specs/oauth-event-types-1_0-01.html>

An Implementer's Draft is a stable version of a specification providing 
intellectual property protections to implementers of the specification. This 
note starts the 45-day public review period for the specification drafts in 
accordance with the OpenID Foundation IPR policies and procedures. Unless 
issues are identified during the review that the working group believes must be 
addressed by revising the drafts, this review period will be followed by a 
seven-day voting period during which OpenID Foundation members will vote on 
whether to approve these drafts as OpenID Implementer's Drafts. For the 
convenience of members, voting will actually begin a week before the start of 
the official voting period.

The relevant dates are:
* Implementer's Drafts public review period: Monday, May 7, 2018 to 
Thursday, June 21, 2018 (45 days)
* Implementer's Drafts vote announcement: Friday, June 8, 2018
* Implementer's Drafts voting period: Friday, June 15, 2018 to Friday, 
June 29, 2018 (7 days)*

* Note: Early voting before the start of the formal voting will be allowed.

The RISC working group page is http://openid.net/wg/risc/. Information on 
joining the OpenID Foundation can be found at 
https://openid.net/foundation/members/registration. If you're not a current 
OpenID Foundation member, please consider joining to participate in the 
approval vote.

You can send feedback on the specifications in a way that enables the working 
group to act upon it by (1) signing the contribution agreement at 
http://openid.net/intellectual-property/ to join the working group (please 
specify that you are joining the "RISC" working group on your contribution 
agreement), (2) joining the working group mailing list at 
http://lists.openid.net/mailman/listinfo/openid-specs-risc, and (3) sending 
your feedback to the list.

- Michael B. Jones - OpenID Foundation Board Secretary
P.S.  This notice was also posted at 
http://openid.net/2018/05/07/public-review-period-for-three-risc-specifications-started/
 and as @openid<https://twitter.com/openid>.


[OpenID board] Mobile Connect Reference Implementation is now OpenID Certified

2018-05-23 Thread Mike Jones
I thought I'd share the good news that the Mobile Connect Reference 
Implementation is now OpenID Certified for the Basic OP profile.  See the new 
GSMA entry at http://openid.net/certification/.  FYI, I believe that the 
implementation also correctly supports the Config OP profile and I've 
encouraged David Pollington to submit a certification application for that 
profile as well.

Congratulations OIDF member GSMA!

   -- Mike



[OpenID board] May 15, 2018 OpenID Board Meeting Minutes

2018-06-08 Thread Mike Jones
May 15, 2018 OpenID Board Meeting Minutes

Present:
Don Thibeau, Executive Director
Mike Jones
Nat Sakimura
John Bradley
George Fletcher
Pamela Dingle

Present on the Phone:
Brian Berliner
Bjorn Hjelm

Absent:
Prateek Mishra
Tushar Pradhan
Masato Obata
Ashish Jain
Tony Nadalin
Sarah Squire
Adam Dawes

Visitors on the Phone:
Mike Leszcz, OIDF


1.   Certification Update
Mike reported on certification developments.  New certification requests keep 
coming in - the latest from Kim Cameron.  Hans Zandbelt is back doing some work 
on certification.  We are glad for his return!

We are working on recruiting a summer intern from USF to work on the 
certification program.  Emily Xu of VMware is responsible for this opportunity 
and would mentor the intern.  The certification committee is currently thinking 
that the intern could enhance the certification software to enable it to be 
used by FAPI/Open Banking deployments.  This would involve adding mutual TLS 
certification authentication and request object support.  Then FAPI 
implementations could be tested for full OpenID Connect conformance.

Nat and George talked about wanting to enhance the test suite so that there's a 
modular, extensible architecture.  George said that ideally, working groups 
ought to develop and own the certification code to test their profiles.  Mike 
said that a second possible intern project idea is to enhance the software to 
have explicit support for adding new profiles in an extensible, modular manner.

Don continues talking with OIBE about their testing code but there's not any 
clear path forward for it.  He will talk with them again next week.  George 
asked about the possibility of eventually mixing tests from different test 
suites in the same user interface.


2.   Liaison Update
ISO TC 68 (Financial Services) just had a meeting in Zurich. Dave Tonge is the 
OIDF liaison to TC 68.  Nat reported that FAPI parts 1 and 2 are part of a new 
ISO technical specification.  If we get a liaison relationship with ISO SC 17, 
we'll be able to review the mobile driver's license specifications.  We agreed 
that we should send a liaison request to SC 17.  Nat will draft the request.

FSISAC is adopting FAPI Part 1.  The Australian banking organization decided to 
adopt Open Banking.  Others are also planning to.


3.   OIDF GDPR Compliance
Tom reported that the foundation will need to enter into data processor 
agreements with those who handle OpenID Foundation data, such as Global 
Inventures and OSUOSL.  We also need to do work to facilitate the transfer of 
data from the EU.  We are working on these things.


4.   Stanford Workshop Last Week
Tom presented on the case for shared signals and multi-lateral sharing 
contracts / trust frameworks.  Tom's presentation will be shared shortly.


5.   New RP Libraries
Mike is working with Luke Camery and Roland Hedberg on logistics of getting the 
three new RP libraries contributed to the OpenID Connect working group.  John 
suggested that we may want to develop additional negative tests for the JWT 
implementations.


6.   Workshops
Don suggests that we have more workshops like today's directed at the European 
market because of all of the PSD2 and open banking developments.  Nat suggests 
that we should be having more face-to-face working group meetings - possibly 
co-located with the workshops.  We could also have one in Japan, if it makes 
sense.  Don will develop a plan for these, including proposed dates during the 
second half of the year and locations.





[OpenID board] February 15, 2018 OpenID Board Call Minutes

2018-05-03 Thread Mike Jones
February 15, 2018 OpenID Board Call Minutes

Present:
Don Thibeau, Executive Director
Mike Jones
Nat Sakimura
Brian Berliner
Bjorn Hjelm
Prateek Mishra
Ashish Jain
George Fletcher

Absent:
John Bradley
Pamela Dingle
Adam Dawes
Tony Nadalin
Tushar Pradhan
Masato Obata

Visitors:
Phil Hunt, Oracle

Visitors on the Phone:
Tom Smedinghoff, Locke Lord LLP
Mike Leszcz, OIDF


1.   OIDF/OIX/Open Banking Workshop in London
Mike reported on last month's financial workshop in London.  He learned things 
about the way the financial people think about the "embedded" profile - that 
they consider all actors to be within the security perimeter and so it's not a 
problem in their thinking for one actor to collect credentials that belong to 
another. Hans Zandbelt gathered additional data for his report on the Open 
Banking test suite developed by FinTech Labs and its contractors. That software 
is currently incomplete in a number of ways.  There is no plan to incorporate 
the full functionality of the OpenID Certification test suite into the Open 
Banking test suite.  There is no plan to be able to operate or maintain the 
testing software on an ongoing basis.  The Open Banking specs are similar to 
but different from FAPI specs in some ways.  Don sent a report on Certification 
status and plans for 2018.


2.   FAPI Update
Nat reported on the state of the FAPI work and its relationship to Open 
Banking.  They are producing a high security profile for OpenID Connect.  FAPI 
has had two Implementer's Draft votes.  They plan to hold another one soon.  
FAPI has a profile of the MODRNA Client Initiated Backchannel Authentication 
(CIBA) spec.  Open Banking considers FAPI a target.  They aspire to be fully 
FAPI compliant.


3.   Data Sharing Agreement Workshop
Tom reported that Google recently hosted a workshop to develop a legal 
agreement to use for data sharing.  They are starting with a bilateral 
agreement.  They plan to contribute a model agreement to the RISC working 
group.  Eventually they want to get to a trust framework.  In this first 
meeting, one of the goals was educating the participating lawyers.  The lawyers 
plan to work among themselves and report back.


4.   Election Update
George Fletcher and Ashish Jain were re-elected.  See 
https://openid.net/2018/02/06/openid-foundation-board-2018-election-results/.


5.   Selection of Officers
The current officers were all willing to continue to serve. No volunteer 
offered to replace the current officers.  The current slate of officers was 
unanimously reappointed.


6.   Partner / Liaison Update
A new liaison relationship was established with TC 68 in ISO (Financial 
Services).  We can join their calls.  We have an existing liaison relationship 
with SC 27 (Security, IDM, Privacy).  We can submit comments.  Mike has 
informally updated some FIDO members on the state of the EAP specifications.


7.   Financial Workshops
We are scheduling a series of workshops around the world on open banking and 
related topics.  Don is hoping for FAPI interop work at the Identiverse 
conference.  There will be a board meeting and OpenID workshop at EIC.


8.   Women in Identity Organization
Don created a challenge grant to provide some initial funding to help the new 
Women in Identity organization get started.  Several foundation members have 
committed to contributions.  See 
https://openid.net/2018/01/11/women-in-identity-event-january-29-2018/ and 
https://openid.net/2018/02/14/the-london-chapter-of-women-in-identity-held-its-first-ever-event-on-the-29th-of-january-2018/.


9.   OIX Work on Trust Frameworks
An OIX workshop on Trust Frameworks is being planned targeted at lawyers. The 
goal is to educate and make progress on moving from bilateral agreements to 
trust frameworks.  Stanford will be hosting the workshop on May 9th.


10.   Upcoming Events
Oracle is hosting the Monday OpenID Workshop prior to IIW.  There will be a 
Board dinner and social event during the RSA conference.

[Nat reported that Masato tried to join but was having technical difficulties.]


11.   W3C "Verifiable Claims" Interest Group
We discussed the work happening in the W3C "Verifiable Claims" interest group.  
They are not using either SAML or JWT tokens to represent the claims but are 
using RDF under the covers.  We discussed the desire to avoid JSON-LD.  Nat 
plans a session at IIW comparing self-issued ID Tokens with other self-asserted 
identity formats.


12.   Financial Update
We are in strong shape, with a contingency fund, money in the bank, and money 
to fund the certification program.  We have a contractor doing marketing and 
social media work.  We are making an investment in marketing.


13.   Infrastructure Update
We are moving our WordPress installation to a machine with modern, supported 
software versions.  Nov Matake is doing this for the foundation, with 
assistance from OSUOSL.


14.   Membership Update
Membe

[OpenID board] April 4, 2018 OpenID Board Meeting Minutes

2018-05-03 Thread Mike Jones
April 4, 2018 OpenID Board Meeting Minutes

Present:
Don Thibeau, Executive Director
Brian Berliner
Adam Dawes
John Bradley
George Fletcher
Tony Nadalin
Sarah Squire
Mike Jones

Present on the Phone:
Nat Sakimura
Bjorn Hjelm
Ashish Jain

Absent:
Prateek Mishra
Tushar Pradhan
Masato Obata

Visitors on the Phone:
Tom Smedinghoff, Locke Lord LLP
Mike Leszcz, OIDF


1.   Liaison Update
Dave Tonge will be our liaison to ISO/TC 68/SC 9 - Information exchange for 
financial services.  They will have a meeting May 14th in Zurich.  We are 
establishing a liaison relationship with ISO/IEC JTC 1/SC 27/WG 5 - Identity 
management and privacy technologies.


2.   RISC Update
Adam reported that the RISC working group plans to request an Implementer's 
Draft vote for the current RISC spec.  RISC will have a face-to-face meeting 
this week.


3.   Certification Update
Mike reported that the OpenID Certification program won the Identity Innovation 
Award last week at the IDnext conference.  See 
https://openid.net/2018/03/29/openid-certification-program-wins-2018-identity-innovation-award/.

Mike reported that Hans Zandbelt is fortunately recovering from his auto 
accident and is now able to do some work on the certification program.

Mike said that he needs to review the Form Post Response Mode tests before 
adding the new profiles for those "testing the tests".

There may be an option to have college students being mentored by VMware 
employees do some enhancements to the certification code.  One good project 
would be adding certificate-based authentication and an option to require 
signed requests so that Open Banking deployments could be tested with the 
certification test tool.

We discussed the status of the Open Banking/FAPI test suite that has been 
produced by FinTech Labs and its contractors.  While OIBE's intent is to hand 
over that effort to the OpenID Foundation, there currently aren't any financial 
or people resources allocated for maintaining and operating the test suite.  
Don is working with them to clarify their intent and develop a plan that works 
for everyone.  George pointed out that it would be odd for us to operate a test 
suite for specs that aren't OpenID specs.  It may be possible to eventually use 
it to test either Open Banking or FAPI conformance.  We discussed the 
possibility of charging significantly more for Open Banking certifications than 
the current certifications - possibly enough to actually cover our costs.

Mike reviewed some of the conclusions from Hans Zandbelt's report on the Open 
Banking test suite.  He noted that much of the functionality in the OpenID 
Certification test suite is missing in the Open Banking test suite and there 
are no plans to add it.  For instance, of the 6 defined response_type values, 
only one (code) is supported.  We agreed that it would be good to add 
functionality to the OpenID Certification test suite so that Open Banking 
deployments can run it - in addition to the Open Banking specific test suite.


4.   Women in Identity
Microsoft has provided directed funding to the Women in Identity effort through 
OIX.


5.   Board Meetings at IIW
George suggested that we try to schedule future board meetings at IIW at times 
that have less impact on the workshop.  Thursday afternoon or late Monday 
afternoon seem like good options.  Don will plan to have the next one after the 
Monday workshop at VMware.


6.   New RP Libraries
Adam described a Google-funded project to build new RP libraries with better 
support for JWTs and security best practices.  They are working on Python, 
Java, and JavaScript implementations.  They are building on the open source 
Auth0 libraries for Java and JavaScript and Roland Hedberg is doing a new 
Python library.  Adam would like them to be owned by the foundation in the same 
way that the AppAuth libraries are.  Tony was supportive of that.  Adam hopes 
that Auth0 will accept the changes made by the foundation into their code.  We 
will have to work out change management for all the libraries.  George said 
that we are taking on SLA responsibilities to, for instance, fix critical 
vulnerabilities in a timely fashion.  Adam believes that because the libraries 
will be used in production, there will be resources to maintain them.


7.   Renaming FAPI
Tony stated that the FAPI name is causing confusion in the marketplace.  Tony 
is suggesting that both the working group and the specifications be renamed.  
John reported that some Polish planners have been confused into thinking that 
they couldn't have their own API and use FAPI for their PSD2 work.  Mike asked 
if the spec abstracts provide good descriptions from which we could derive good 
names.  (They didn't.)

We should also change the scope to make it not specific to financial data.  It 
should capture that it's for high-value, high-security transactions.  John said 
that some aspects of the specs currently are financial.  We c
