What identity providers will sites support?

Paul Madsen digs deeper into the factors that will influence the choices of Internet service providers as they move towards user-centric identity.

“Often times, in trying to be clever and sarcastic, I dive too deep into the ‘satire pool’. The urge to be witty and contrarian surpasses the urge to be clear. Consequently, the ‘point’ I am trying to make can, on occasion, be buried underneath surface frivolity and snideness.
“As happened with my recent post on HealthVault‘s chosen model for OP acceptance.

“With that post, I have confused Kim, and for that I here apologize.

“I was responding to a post of Simon Willison, in which he defended HealthVault's right to choose OPs selectively – and not be compelled to accept any ol’ OP coming in off the street presenting an identity claim.

“My post might have given some the impression that I disagreed with Simon. For instance, I wrote

‘I disagree’

“Admittedly, this set a tone.

“But the rest of the post was meant to point out that, while I do think the user has the right to pressure RPs like HealthVault to accept assertions from particular OPs – the appropriate mechanism for this pressure, as for many other interactions between customers and service providers (e.g. buying an OS), is through market forces. If enough users choose an OP because it is secure and privacy-respecting, or because it offers 2-factor authentication, or because it has a snazzy flash UI, the RPs will find it (if they are interested in serving their customer base).

“When the RPs do find these candidate OPs (or IDPs, the issue is of course not unique to OpenID) they will themselves do their own checking and assessment before they start accepting assertions. And of course, each RP has to ask the question ‘Is this OP appropriate for the resources I protect/manage?’. If the resources are neither privacy sensitive nor valuable, the list of OPs that are appropriate will be longer than for medical or financial information.

“HealthVault (actually probably some other audit & risk management group in Microsoft) performed this assessment and, at least initially, came up with 2 OPs that they felt were right for them. More power to ‘em. Partner selection is tough and fraught with risk – they are right to be careful.

“I smile (more a smirk really) when I hear some in the user-centric world place the sole right and responsibility of choosing an OP on the user's shoulders. User's can't even remember their passwords, and you want them to assess the security infrastructure of an OP?

Surgeon: So, are we ready for your operation tomorrow?
Patient: Hi Doc, yes. But I was just reading about this new surgical instrument for the procedure. I really want you to try it out on me.
Surgeon: Hmmm, I don't know much about it …
Patient: Oh, you'll work it out as you go

“So yes Kim, I agree. Resources, and gall bladders, do have rights. “

Now it becomes clear why his original piece was called Pressure. Meanwhile, everyone should know that the last thing I would ever want to do is cast a chill over Paul's satire pool. What a refreshing oasis it is!  (No pun intended.)

HealthVault moves forward with OpenID

Via Mike Jones, here's a blog post on identity issues by Sean Nolan, chief architect of Microsoft’s HealthVault service:     

My plan had been to blog about this when the feature goes live later in the week. But there's been some online discussion already, and I'm sitting here at the horse show in waiting mode anyway, so it seems like now is as good a time as any to join the conversation.

The deal is — as of our next release in the next few days, users will have a new way to identify themselves to HealthVault. In addition to Windows Live ID, they will be given the option of using OpenID accounts from Verisign or TrustBearer.

As we've always said, HealthVault is about consumer control — empowering individuals with tools that let them choose how to share and safeguard their personal health information. OpenID support is a natural fit for this approach, because it allows users to choose the “locksmith” that they are most comfortable with.

You can certainly expect to see more such options in the future. For example, we are in the process of building in native support for Information Cards, which provide some unique advantages, in particular around foiling phishing attempts.

But why just two providers? When we were making our plans here, Chris on our partner team asked me, “Isn't this more like sort-of-OpenID?” The same question has come up online as well.*** Really, there's a very simple answer here. OpenID is a new and maturing technology, and HealthVault is frankly the most sensitive relying party in the OpenID ecosystem. It just makes sense for us to take our first steps carefully.

Both TrustBearer and Verisign have taken their obligations very seriously with their OpenID implementations. Beyond basic must-have safeguards like SSL, each offers a variety of second-factor options that provide a step up over traditional passwords — through the use of physical tokens or, in Verisign's case, the ability to associate an Information Card with an OpenID. This isn't meant to imply that there aren't other great providers out there — there are. This is just a start.

As we learn more, and as OpenID continues to mature, we fully expect to broaden the set of providers that work with HealthVault. We believe that a critical part of that expansion is the formalization and adoption of PAPE, which gives relying parties a richer set of tools to determine if they are comfortable with the policies of an identity provider.

This is exciting stuff — in a geeky way perhaps, but anything that begins to put strong identity technology in the hands of real users is a good thing, not just for those users, but for HealthVault and the Internet overall. Woo hoo!

*** BTW, I am clearly all about being cool and buzzword-compliant! :)

It's great to see an architect like Sean, who lives in Internet time and has a thousand other things on his mind, paying so much personal attention to identity issues.  He's showing leadership through his commitment to phishing resistant solutions (like OpenID's PAPE and Information Cards).  And he clearly embraces giving people choice. 

The privacy requirements of the information he is protecting mean he HAS to do everything possible to protect peoples’ privacy.  It makes complete sense to move incrementally.  I hope the other OpenID providers who have clearly demonstrated their committment to strong security see the wisdom in this approach.  He's opening doors.  And this is the beginning of a process, not the end. 

European Identity Awards

The recent European Identity Conference 2008 featured the presentation of Kuppinger Cole's European Identity Awards. Vendors, integrators, consultants and user companies were asked for nominations. For each category, three outstanding projects and innovations were nominated as finalists. Here is how Kuppinger Cole framed the results:

Best Innovation

“The award went to a group of companies that are driving forward the process to outsource authentication and authorisation, making it easier to control application security ‘from outside’.   There are several providers with different approaches in this field but during the past year, they all contributed a lot to promote this concept, considered as indispensable by KCP.   The winners in this category are Bitkoo, CA, iSM, Microsoft and Oracle.

“Also among the finalists were Aveksa and Sailpoint for their Identity Risk Management solutions and Microsoft for making a significant contribution to identity information protection in distributed environments through their takeover of Credentica and the planned integration of U-Prove technology into user-centric Identity Management.”

Best New/Improved Standard

“The award went to the OpenID Foundation and to Microsoft for their InfoCard initiative. These standards form the base for Identity 2.0, the so-called user-centric Identity Management.

“Other outstanding solutions nominated as finalists were the eCard API Framework and the simpleSAMLphp project driven forward by Feide RnD. The eCard API Framework has been jointly developed by Secunet and the Bundesamt für Sicherheit in der Informationstechnik (abbreviated BSI – in English: Federal Office for Security in Information Technology) to simplify the interaction of applications with different card technologies. With simpleSAMLphp, federation functions can easily be integrated into existing and new applications.”

Best Internal Identity Management Project

“The award went to BASF for their AccessIT project, which realises Identity Management within a complex corporate structure and excells in consistent approaches to centralised auditing.

“Another finalist in this category was the Royal Bank of Scotland, with its project to control a multitude of applications by an integrated role-based access control.”

Best B2B Identity Management Project

“The award went to Orange/France Telecom.  Their project is revolutionary due to the consistent use of federation and the opening of systems to partners.

“Also among the finalists in this category were Endress+Hauser for their business customer portal and education network SurfNET which is at present one of the most comprehensive federation implementations.”

Best B2C Identity Management Project

“The award went to eBay and Paypal which support strong authentication mechanisms, thus making a significant contribution to the protection of online transactions and creating more awareness on this issue among the wider public.

“Other finalists were Karlsruhe-based company Fun Communications for their innovative approach to the use of info cards as virtual customer cards, which is groundbreaking in our opinion, and KAS bank for their consistent use of strong authentication and encryption technologies to protect transactions.”

Best eGovernment Identity Management Project 

“The Republic of Austria received the prize in the “Best eGovernment Identity Management project” category for their eGovernment initiatives which we think are leading with regard to the implementation of Identity Management.

“Other finalists were Crossroads Bank, Smals and BAMF  – the Bundesamt für Migration and Flüchtlinge (Federal Office for Migration and Refugees).”

Special prizes

Dale accepting award and champagne on behalf of Higgins/Bandit“Special prizes were given to two initiatives considered as groundbreaking by KCP.

“In KCP's opinion, the VRM project by Doc Searls is an innovative approach that applies user-centric Identity Management concepts to customer management. In the VRM Unconference 2008 at the EIC 2008, this issue was intensely discussed in Europe for the first time.

“The second special prize went to open source projects Higgins and Bandit which we think are the most important open source initiatives in Identity Management.”

[Thanks to Jackson Shaw for Photos]

Cross industry interop event at RSA 2008

From Mike Jones at self-issued.info here's the latest on the Information Card and OpenID interop testing coming up at RSA.  The initiatives continue to pick up support from vendors and visitors will get sneak peaks at what the many upcoming products will look like.

33 Companies…
24 Projects…
57 Participants working together to build an interoperable user-centric identity layer for the Internet!

Come join us!

Tuesday and Wednesday, April 8 and 9 at RSA 2008, Moscone Center, San Francisco, California
Location: Mezzanine Level Room 220
Interactive Working Sessions: Tuesday and Wednesday, 11am – 4pm
Demonstrations: Tuesday and Wednesday, 4pm – 6pm
Reception: Wednesday, 4pm – 6pm

OSIS Participants RSA 2008

Upcoming Internet Identity Workshop

Identity Woman Kaliya will be back to orchestrate the next identity unconference, one in a series that have played a key role in the evolution of OpenID and Information Cards.  If you are interested in identity, it's a great place to meet a lot of people involved in the community.   

Check out the conference page at Internet Identity Workshop.  Here's an overview:

The heart of the workshop is a practical idealism in working towards the shared vision of a decentralized, user-centric identity layer for the Internet.

Because the web was built around “pages”, no tools or standards were created to control how the information about you was collected or used. At the Internet Identity Workshop we bring the people creating these tools and standards so people can safely manage their online identity and control their personal data.

It is not about any one technology – rather it is a place to discuss multiple interoperating ?(and possible competing) ? projects, standards, and networks for identity, data sharing, and reputation.

As part of Identity Commons, the Internet Identity Workshop creates opportunities for both innovators and competitors. We provide an open forum for both the big guys and the small fry to come together in a safe and balanced space.

There are a wide range of projects in the community:

  1. Open conceptual, community, and governance models.
  2. Open standards and protocols.
  3. Open source projects.
  4. Commercial projects.
  5. Projects to address social and legal implications of these technologies.
  6. Efforts to rethink the business models and opportunities available with these new technologies.

User-centric identity is the ability:

  • To use one's identifier(s) on more then one site
  • To control who sees what information about you
  • To selectively share presence and profile information
  • To maintain multiple identities and personas in the contexts you wish
  • To aggregate attention, navigation, and purchase history from the sites and communities you frequent
  • To move and share your personal data, relationships, documents, and other publications as you wish

All of the following are active topic areas at each IIW:

  • Improving Existing Legal Constructs
    • Privacy Policies
    • Terms of Service
  • Creating New Legal Constructs
    • Limited Liability Personas
    • Identity Rights Agreements
  • Creating New Business Models
    • Identity Oracle
    • I-Brokers
  • New Citizenship Perspectives
    • Activism
    • Community Event Coordination
    • Community Identity and Data Sharing

The conference takes place in Mountain View, California on May 12 – 14

Eric Norlin takes OpenID to CSOs

Digital ID World's Eric Norlin explains why security executives should pay attention to OpenID in this article from CSO – the Resource for Security Executives

Kim Cameron has posted another thoughtful piece about why he (and by extension Microsoft) is supportive of OpenID. For those of you that don't eat, sleep, dream and breathe identity, Kim is the guy at Microsoft that was responsible for writing the “Seven Laws of Identity,” which led to the idea of an identity metasystem, which effectively gave birth to all kinds of meetings (the “identity gang”), which led to things like OpenID and Higgins really taking off. Bottom line: Kim's a VIP in the identity world (he's also one helluva nice guy).

Kim's main point is this:

“My takeaway is that OpenID leads to CardSpace. I don’t mean by this that Information Cards replace OpenID. I just mean that the more people start using cross-site identities, the more the capabilities of CardSpace become relevant as a way of strengthening OpenID and put it in a broader technology context.

Information Cards were created to put in place an infrastructure that can solve the security problems of the web before they explode in our faces. It’s a serious technology and involves secure high-strength products emerging across the industry.”

Its important to note that Kim is thinking about identity ecosystems, not “one protocol to rule them all.” Really, it comes down to making the use of an identity a “ritual.” That sounds a bit off, I know, but hear me out. Believe it or not, the great majority of humanity had its first contact with email in a workplace setting. Now, if the interface (and interaction) for email was substantially different for work-usage and home-usage (or should I say, WorkUsage and HomeUsage?), do you think the adoption curve would've been the same? I don't.

One of the essential points that Kim's been hammering on for a couple of years is that we have to make the underlying “ritual” of using identity similar in a foundational sense.

Yet one more reason why you (as a CSO) should be paying attention to OpenID. After all, people don't always first see and experience things in the workplace.

This matter of influences from the internet converging with the enterprise is incredibly important, and I'm going to expand on it soon.  By the way, it was Eric's encouragement that got me hooked on writing the Laws of Identity.

From “Screen-Names in Bondage” to OpenID

Google's Ben Laurie proposes using “functions of passwords” rather than plain passwords as a way to avoid phishing: 

Kim Cameron writes about fixing OpenID’s phishing problems by using Cardspace. Certainly I agree that using strong authentication to the OpenID provider fixes the phishing problem – but if you have strong authentication, why bother to use OpenID at all? Why not strongly authenticate to the site you are really trying to log into, instead?

Of course, Cardspace is a pretty heavyweight solution for this, so perhaps that’s what Kim’s getting at? It also doesn’t work well if you have more than one machine – moving your credentials around is not something Cardspace does well.

In my view, there’s a sweeter spot for solving this problem than Cardspace (or OpenID, obviously) – and that is to do strong authentication based purely on a password. That way, you can use the same password everywhere, so no problem with moving between machines, but can still resist phishing attacks and don’t have to make yourself linkable across all sites. Obviously supporting this would be way easier than taking the whole of Cardspace on board, but would have all of the immediate advantages. Clearly it would get you nowhere with advanced identity management, but its not like we don’t already have protocols for that and nor does there seem to be much demand for it yet.

I take it Ben is talking about having a toolbar that asks for your password, and transforms it based on the site's identity so you can use the same password everywhere.  Perhaps he is even thinking about a digest protocol where this transformed password would be used to calculate a “proof” rather than transported over the wire.

Phished or Pharmed 

Problem is, such a toolbar is as easily “pharmable” as OpenID is phishable.

How does a user know she is typing her password into the legitimate toolbar – rather than an “evil replica”?  Our experience with toolbars teaches us that is easy to trick a LOT of people into using fakes.  In fact, sometimes the fakes have propagated faster than the real thing!  Once people get used to typing passwords into a toolbar you have truly opened Pandora's Box.

Let's look at what happens when the kind of “common password” Ben proposes is stolen. In fact, let's compare it to having money stolen. 

If you go into a store and are short-changed, you just lose money in one store.  If you are pick pocketed, you just lose what's in your wallet – you can cancel your cards.  But if your “common password” is intercepted, it is as though you have lost money in ALL the stores you have been in.   And sadly, you will have lost a lot more than money.

The ultimate advantage of moving beyond passwords is that there is then NO WAY a user can inadvertantly give them away.

Is CardSpace too heavy-weight? 

CardSpace should be a lighter-weight experience than it is today.  We're working on that, making it less “in-your-face” while actually increasing its safety.  I also agree with Ben that it needs to be easier to roam credentials.  We're working on that too. 

The point is, let's evolve CardSpace – and the interoperable software being developed by others – to whatever is needed to really solve the relevant privacy and security problems, rather than introducing more half-measures that won't be effective.

So why OpenID?

If that's all true, Ben wonders why we bother with OpenID at all…

The most important reason is that OpenID gives us common identifiers for public personas that we can use across multiple web sites – and a way to prove that we really own them.

That is huge.  Gigantic.  Compare it to the cacophony of “screen-names” we have today – screen-names in bondage, prisoners of each site.

Technology people are sometimes insulted when you imply they haven't solved the world's problems.  But to be really important, OpenID doesn't have to solve the world's problems.  It just has to do this one common-identifier thing really well.  And it does.  That's what I love about it.

CardSpace doesn't address the same problem.  CardSpace plus OpenID solve it together. 

Why OpenID leads to CardSpace…

The recent announcements about OpenID made enough impact that I've had a number of people ask what our interest in OpenID means for Information Cards in general and CardSpace in particular.

The answer is simple.  OpenID provides Single Sign On to social networking sites and blogs.  It means we can use a public personna across sites, and just log in once to use that persona.

But OpenID doesn't have the privacy characteristics that would make it suitable for government applications or casual web surfing.  And it doesn't have the security characteristics necessary for financial transactions or access to private data.  In other words, its good for a specific set of purposes, and we are interested in it for those purposes, but we remain as committed to more secure and privacy-oriented technologies as ever.  In other words, we are interested in OpenID as part of a spectrum.

Information Cards are a way of safely organizing a palette of digital identities into a “digital wallet”.  Over time, some of these identities will be very valuable, controlling access to government information, bank accounts, and corporate resources.  Other identities will be very private, like those associated with health information or perhaps dating.  Others will be the kind of public personas we are talking about with OpenID.

These different identities will co-exist in a metasystem with contextual separation but a similar use model.  Importantly, the metasystem won't replace the underlying technologies – it will unify them and provide a consistent experience. 

The relation between OpenID and CardSpace provides a good example of the issues involved here.   OpenID provides convenience and power but suffers the problem of all the Single Sign On technologies – the more it succeeds, the more dramatically phishable it will become.  I've created a visual demo to help explain how this works - and how CardSpace works with OpenID to solve the problems.

My takeaway is that OpenID leads to CardSpace.  I don't mean by this that Information Cards replace OpenID.  I just mean that the more people start using cross-site identities, the more the capabilities of CardSpace become relevant as a way of strengthening OpenID and put it in a broader technology context.  

Information Cards were created to put in place an infrastructure that can solve the security problems of the web before they explode in our faces.  It's a serious technology and involves secure high-strength products emerging across the industry.  The recent announcement by Higgins of the new user-centric identity framework for Eclipse  is a great sign of the progress being made.  And there are other important announcements coming as well.

[In this demo I use my favorite OpenID provider, which is myOpenID.com.  It is super important to point out that I think the company is great.  None of my analysis is a critique of myOpenID – I'm explaining some of the “browser-redirect” problems that face all OpenID providers (as well as SAML and Shibboleth providers). Importantly, myOpenID have supported Information Cards for a long time – and their implementation works well.  So they are at the forefront of working these problems.  Try using their Information Card solution.]

Heavyweights, Giants, Bigwigs and Snugglers

Last week's announcement about the OpenID Foundation, and news of participation by a number of large industry players has echoed far and wide.  In fact, Bill Gates announced Microsoft's decision to collaborate with the OpenID community almost a year ago at RSA (See the CardSpace / OpenID Collaboration Announcement and a lot of Blogosphere discussion or postings like these from identityblog.    

Since the announcement many of us have been involved in sorting out the intellectual property issues which plagued the community.  We've come through that, and arrived at a point when we can begin to look at how the technology might be integrated into various services and user experiences.  We've also made progress on looking at how the phishing vulnerabilities of OpenID can be addressed through Information Cards and other technologies.

My view is simple.  OpenID is not a panacea.  Its unique power stems from the way it leverages DNS – but this same framework sets limits on its potential uses.  Above all, it is an important addition to the spectrum of technologies we call the Identity Metasystem, since it facilitates integration of the “long tail” of web sites into an emerging identity framework.   The fact that there is so much interest from across the vendor community is really encouraging. 

Here's some of coverage I have been made aware of.  It ranges from the fanciful to the accurate, but demonstrates the momentum we are beginning to acquire in the identity arena.

IDG News Service
Major Vendors Join OpenID Board
Chris Kanaracus

(Appeared in:  The Industry Standard, Computerworld, InfoWorld, The New York Times, PCWorld.com, CSO, Techworld, iT News, Reseller News New Zealand)
     
CNET News.com
OpenID Foundation scores top-shelf board members
Caroline McCarthy
    
PC Magazine
Microsoft, Google, IBM Join OpenID
Michael Muchmore
    
Read/Write Web
OpenID: Google, Yahoo, IBM and More Put Some Money Where Their Mouths Are
Marshall Kirkpatrick
    
ZDNet
Microsoft and Google join OpenID, but where’s Cisco?
David “Dave” Greenfield
    
Wired
The Web's Biggest Names Throw Their Weight Behind OpenID
Scott Gilberston

Slashdot
OpenID Foundation Embraced by Big Players
Zonk 
    
O'Reilly Radar
OpenID Foundation – Google, IBM, Microsoft, VeriSign and Yahoo
Artur Bergman
    
InformationWeek
Major Tech Companies Join OpenID Board
Antone Gonsalves
    
TechCrunch
OpenID Welcomes Microsoft, Google, Verisign and IBM
Michael Arrington
    
PC Pro Online
OpenID receives heavyweight backing
Stuart Turton
    
ZDNet
Google, IBM, Microsoft and VeriSign join Yahoo on OpenID
Larry Dignan
    
Forrester Research
OpenID family grows – How it can transform Identity Federation between enterprises
Andras Cser
    
ActiveWin
Technology Leaders Join OpenID Foundation to Promote Open Identity Management on the Web
Jonathan Tigner
02-07-2008
    
Conde Naste Portfolio
Microsoft, Google, Yahoo Agree … on Open ID
Sam Gustin
    
SoftPedia News
Microsoft, Google and Yahoo Join Hands – Over OpenID
Marius Oiaga
    
CSO
OpenID Goes Corporate
Eric Norlin
    
InternetNews
OpenID Gets Star Power
Kenneth Corbin
02-07-2008
    
Windows IT Pro
Industry Behemoths Join OpenID Board
Mark Edwards
    
BetaNews
Microsoft, Google, Yahoo gain seats on OpenID Foundation board
Scott Fulton
    
The Register
Microsoft! snuggles! with! Yahoo! on! OpenID!
Gavin Clarke  
  
San Francisco Chronicle
Tech heavyweights join OpenID Foundation board
Deborah (Debbie) Gage
    
Cox News Service
One password for the Web? Internet giants back idea
Bob Keefe
(Also appeared in Atlanta Journal-Constitution)
    
vnunet.com
IT heavyweights join OpenID project
Clement James
    
IT Pro UK
Industry giants join OpenID foundation
Asavin Wattanajantra
    
Computer Business Review
Industry bigwigs back OpenID single sign-on
Janine Milne
    
BBC Online
Password pain looks set to ease
    
WebProNews.com
Microsoft, Google Sign On To OpenID
David Utter
    
GigaOM
OpenID Has Big New Friends
Carleen Hawn
    
Real Tech News
Microsoft, Google, Verisign, Yahoo! and IBM Join OpenID’s Board
Michael Santo
    
ComputerWorld Canada
OpenID gains support for online single sign-on
Shane Schick
(Also appeared in ITworldcanada)
  

Yahoo! announcement on OpenID

Yahoo! has launched the public beta of its OpenID Provider service.  Congratulations to the Yahoo! identity team!  Here's part of the announcement

Today, we are launching the public beta of the much-anticipated Yahoo! OpenID Provider service. This means that users with a Yahoo! account – all 248 million of them – will be able to sign in to any website that supports OpenID 2.0, the latest version of the OpenID specification.

In case you are curious, here are the key features of this release:

Usability – Users will not have to understand the technical details of OpenID simply to use the technology. Thanks to features introduced in the OpenID 2.0 specification, users will not have to type their OpenID URL while signing in to websites. They can simply type yahoo.com in the OpenID textbox or, if the Relying Party website provides it, click a button that takes them to Yahoo!. By not requiring users to understand the meaning of an OpenID URL, we hope that more users will be able to overcome the initial hurdles of using this new echnology. For those of you who want to set up a custom URL, we will provide a way to do so, including the ability to use your Flickr photos page as your OpenID URL.  [Interesting – Kim]. 

User education – We have spent a great deal of time thinking about educating users on the proper use of OpenID and you will see some of these thoughts implemented throughout our service – whether it's an explanation of the benefits of OpenID, our OpenID tour, or messaging on the safe use of OpenID at various locations.

Anti-phishing measures – We suggest that users of the Yahoo! OpenID service set up and look for their Sign-in Seal to confirm that they are entering their password on a genuine Yahoo! page. A Sign-in Seal is a user-created image or a message that will only appear on genuine Yahoo! pages. We hope to continue working with the OpenID community to combat phishing and provide more secure experiences to users.

We are also actively working on non-US English versions of the service. It is already available for 17 countries and we expect to roll out even more international support in the very near future.

If you'd like to use the Yahoo! OpenID service, feel free to start at Plaxo, Jyte, Pibb, or any other OpenID 2.0-compliant website (this list is growing everyday). Alternatively, visit http://openid.yahoo.com to set up your account for OpenID access. We would love to hear your feedback!

We'd like to take this opportunity to thank the OpenID community for educating us over the past 1 year and helping us make this happen. In particular, we'd like to say “Thank you” to Bill Washburn, Brian Ellin, David Recordon, Dick Hardt, Johannes Ernst, Johnny Bufu, Joseph Smarr, Josh Hoyt, Kaliya Hamlin, Kevin Turner, Larry Drebes, Mike Graves, Scott Kveton, and Simon Willison.

(More here…)