Microsoft, Google, Yahoo gain seats on OpenID Foundation board
What Yahoo's massive conversion to OpenID last month lacked is a way for Web sites to securely authenticate the users who have signed in. As it turns out, OpenID's directing body may want Microsoft to provide that part.
Almost exactly one year ago, Microsoft made a bold announcement at an RSA security conference, saying it would be working with the OpenID Foundation to craft a solution to the problem of spoofing authentication. As was hidden from precisely no one, that method would involve Microsoft's CardSpace technology.
This morning, as part of an upgrade in membership status that also involves Google, Yahoo, and certificate provider VeriSign, Microsoft will be joining the other three as the Foundation's newest corporate board members. This means the four companies will now be represented on the board, rather than cooperating in ventures with the board.
Yahoo's upgrade in status is both important and deserved, as last month, it became the largest resource of OpenID identities in one fell swoop, moving its over quarter-billion registered usernames to an OpenID-compliant database. So Microsoft attaining a similar status with Yahoo in the same group would suggest it has something equally important to contribute.
That important component was apparently unveiled last year at this time: Microsoft wants to cement CardSpace's place as a provider of authentication for OpenID, the one component which even its own creators have admitted it lacks.
In a February 6, 2007 speech to the RSA conference, Microsoft Chairman Bill Gates spelled out the problem: "Identity...I think, is where the weakest link in these systems have been. You know, the overhead for password reset, the ease of guessing people's passwords, they use the same passwords on consumer things they sign up for that they use in the corporation. So passwords are not only weak, passwords have a huge problem in that...if you get more and more of them, the worse it is. And so that in the past if you want to just say get to a partner's Web site, they might give you a different account and a different password, and that would have to be managed, if you changed your role they wouldn't know to go and change that. So we have passwords, and, of course, we have to evolve from them, but we see Smart Cards as the specific, but certificates in general is the way that these things should go, that you'll be presenting certificates as opposed to weak passwords."
Gates did not, at that time, specifically mention OpenID as an example of a password-based approach which could be strengthened through the use of smart cards or certificates, but perhaps no knowledgeable person in the audience didn't think that's what he was talking about.
Just a few weeks prior to Gates' speech, Microsoft Chief Identity Architect Kim Cameron presented a demonstration of how CardSpace (which at the time was transitioning from its previous incarnation as InfoCard) could be used in an anti-phishing situation to prevent a malicious third party from using a man-in-the-middle approach to swipe an OpenID user's tokens. It wasn't a difficult demonstration to understand: CardSpace provided the secure transaction layer between the user (the relying party or RP) and the OpenID provider (which Cameron called the "IP," but which OpenID itself prefers to call the "OP"). As a result, an intermediary cannot then pretend to be the OP and provide the RP with a legitimate token, taken when that same party pretends to be the RP in communication with the OP.
Microsoft has been developing this system throughout the year, though little or no mention of it has been made by the Foundation. In fact, many of the Foundation's "current events" as of today continue to date back to December 2006 and earlier.
But today, it was Cameron who was given the floor by the Foundation in stating Microsoft's goals for making use of its board seat: "Since Bill Gates and [Chief Research and Strategy Officer] Craig Mundie announced our collaboration with the OpenID community last February at RSA, Microsoft has played a leading role in establishing the Foundation's open policy framework that allows everyone to participate in the development and use of OpenID specifications. Now, we look forward to working with the community to refine and drive adoption of the specifications."
And as Microsoft Director of Identity Partnerships Michael Jones pointed out to BetaNews early this afternoon, the Foundation needs to step up its work on completing the draft of the Provider Authentication Policy Extension document -- the specification which would enable CardSpace and others to provide that secure layer. Jones may have further comment for BetaNews later in the day.
Google's new seat on the board marks the official, and perhaps long overdue, acknowledgement by the Foundation of Brad Fitzpatrick, who is not only currently employed by Google but also just happens to be OpenID's creator.
Fitzpatrick's contribution to this morning's Foundation statement was noteworthy not only for what it said, but for the fact that it preceded Microsoft's by two paragraphs: "OpenID was always intended to be a decentralized sign-on system, so it's fantastic to join a foundation committed to keeping it free and unencumbered by proprietary extensions."
1:58 pm ET February 7, 2008 - This afternoon, a Microsoft spokesperson issued this response to BetaNews: "Microsoft's collaboration with the OpenID community to address the phishing problem using Information Cards and Windows CardSpace with leading OpenID providers is one result of our efforts. For instance, JanRain's MyOpen.com, Ping Identity's SignOn.com, VeriSign's PIP.VeriSignLabs.com, and LinkSafe's LinkSafe.name all offer their users the option to use Information Cards for login and account creation. Microsoft remains committed to providing a range of identity technologies appropriate to different situations and to working with industry partners to make users' digital identity experiences across different contexts seamless and secure.
Further comment from Microsoft's Michael Jones was still expected.