IIW OpenID Sessions

1. Title: OpenID UI Work Group

Leaders: Allen Tom <atom@yahoo-inc.com>, "Luke Shepard" <lshepard@facebook.com>

Topic: OpenID UI Work Group can present the OpenID UI Extension, as well as an official kickoff for the OpenID UI Committee. Allen will review the results of a (very modest) study that Yahoo did recently on the effectiveness of a Popup UI, and we'll have some wireframes documenting RP and OP best practices.

2. Title: Facebook RP Challenges

Leader: "Luke Shepard" <lshepard@facebook.com>

Topic: Discuss the challenges Facebook faces as an RP, both for UX and security, and show a demo.

3. Title: Evolution of Discovery & OpenID

Leaders: "Dirk Balfanz" <balfanz@google.com>, "Eran Hammer-Lahav" <blade@yahoo-inc.com>

Topic: Have Eran give an update on the evolution of discovery standards. Then have Dirk Balfanz give a specific example of how Google is using those standards to help RPs support scenarios where an enterprise has outsourced their IDP to a service-provider such as Google Apps. Also discuss the reverse where a website has outsourced their RP to a service-provider such as Janrain's RPX.

4. Title: Best practices for very-secure RP/IDP interaction

Leader: "John Bradley" <jbradley@mac.com>

Topic: Describe some of the current suggested best practices for increasing the security of RP/IDP interaction, and then try to create a community document of best practices. Look at NIST & PCI compliance as example targets.

5. Title: How RPs can handle phishing of a user's IDP account

Leaders: "Breno de Medeiros" <breno@google.com>, "Luke Shepard" <lshepard@facebook.com>

Topic: Many websites that are not RPs have mechanisms to detect that a user might have been phished, and if so they try to help the actual user recover their account, such as by requiring that the password on the account be changed. Once a website becomes an RP, its recovery mechanisms have to change. Breno/Dirk will discuss how to address this need using some OpenID extensions that can allow the RP to detect things such as the last time the user changed their password, or entered it on the computer, as well as more advanced methods to enable the RP to redirect the user to the IDP to automatically route the user into the change-password flow (or re-enter the password, or require the user to manually re-approve the identity assertion).

6. Title: Best practices for using CAPTCHAs, such as to meet NIST/PCI type compliance

Leader: "Eric Sachs" <sachse@google.com>

Topic: Some RPs require that IDPs comply with guidelines such as NIST/PCI, and in particular the sections about reducing hackers' ability to run online attacks that guess a user's password. Many major consumer-oriented websites protect against those types of attacks using CAPTCHAs as well as temporary time-out mechanisms. Eric will describe some of the current suggested best practices for preventing these attacks, and then try to create a community document of best practices.

7. Title: RPs who DON'T want any PII (personally identifiable information)

Leaders: "John Bradley" <jbradley@mac.com>, "Dirk Balfanz" <balfanz@google.com>

Topic: Some websites are especially privacy sensitive and would like to avoid collecting any PII from users, including global IDs such as email addresses, blog URLs, or OpenID URLs that are sent to multiple RPs. John will lead a discussion about potential best practices for how an RP/IDP can interact without exchanging PII, and then try to create a community document of best practices. Dirk will then lead a discussion about how an RP can indicate what type of URL (or URLs) it wants, such as these non-PII URLs, a blog/profile URL, or a global URL which won't necessarily carry any interesting information about the user.

8. Title: Invisible detection by RP of user's login state at IDPs

Leaders: "Luke Shepard" <lshepard@facebook.com>, "Brian Eaton" <beaton@google.com>

Topic: The OpenID community still does not have a solid best practice for how RPs can determine a user's IDP without the usability problems of lots of buttons or a raw URL entry box. Another possible option is for the RP to try to invisibly detect whether the user is logged into an IDP, and then promote that IDP option to the user. Luke will discuss his ideas on how an RP might do this with an IDP today. Brian will discuss how we might build upon that model to let the RP check the login state at a few shared domains that could return a list of IDPs where the user is logged in. For example, Google hosts email for many enterprises and schools, and could potentially provide a way for an RP to get a list of which such domain(s) a user is currently logged into.

9. Title: Bronze/Silver certifications for OpenID IDPs

Leader: "John Bradley" <jbradley@mac.com>

Topic: Some identity communities such as InCommon have defined optional mechanisms for IDPs to show they meet specific requirements, especially around security. For example, InCommon has its Bronze/Silver certification as described at http://www.incommonfederation.org/assurance. How might we package some of the OpenID community's best practices into levels like this, and if we did so, what form might certification against those levels take?

10. Title: Changes in spec language and capabilities

Leader: George Fletcher

Topic: Discuss RP experience, and the potential need for some changes in spec language and capabilities to make it a little easier (even with all the open source libraries).