A C# Code Library for building an Information Card STS

I just heard about SharpSTS – a new open source project that allows you to implement a custom claims provider that will support Identity Selectors like CardSpace.  Better still, the code base has been posted.  Barry Dorrans, from idunno.org,  says:

Dominick and David beat me to the punch; last night I hit the “publish” button on codeplex for SharpSTS; a C# library to allow you to develop Information Card Security Token Services.

As with all open source projects there is still a bunch of work to do; as it stands we have a command line STS which should allow you to get started. Well; if you can work out from the source code what you need to do 🙂

Over the coming weeks and months I, as dictator, Dominick Baier and David  Christiansen hope to deliver a stable, tested, code base from which you can deliver managed information cards to your users, as well as a test web site which will issue and accept managed cards.

In the mean time you can download the code, implement your own authorisation policy provider and get started. In the meantime we’re guiding the rough beast, its hour come round at least, slouching towards Redmond to be born (with apologies to Yeats).

Wow.  Not only an STS but Yeats too!

SharpSTS is a C# code library which enables easy development of a Security Token Service, the server component for managed Information Cards.

To begin developing with SharpSTS you will need Visual Studio 2008 Standard (or higher), an SSL certificate and a client system that supports Information Cards.

The source code is available from http://www.codeplex.com/sharpSTS and is licensed under the Microsoft Public License (Ms-PL).

For those who are curious, the SharpSTS site includes a notice making it clear that “this web site, service and code are unaffiliated with Microsoft…”.

Microsoft says, “U-Prove it”

Ralf Bendrath chided me yesterday for bragging about having proven Bruce Schneier wrong in his concern that there is not a “viable business model” for the Credentica technology.  (In my defense, Bruce had said, “I'd like to be proven wrong.”, and I was just trying to oblige him.)

Anyway,  I think Joe Wilcox's article in eWeek's Microsoft Watch provides some unbiased analysis of the issue.

Sometimes, Microsoft really spends its money well, such as last week's acquisition of U-Prove technology from Credentica.

This is a damn, exciting acquisition. It's strategic and timely.

U-Prove is, simply put, a privacy/security protection mechanism. The technology works on a simple principle: Enable transactions by revealing as little information as possible.

Credentica's Stefan Brands, Christian Paquin and Greg Thompson have joined Microsoft, where they will work as part of the Identity and Access Group. Microsoft also acquired associated U-Prove patents.

Brands is a well-regarded cryptographer and author of “Rethinking Public Key Infrastructures and Digital Certificates; Building in Privacy,” which explains the principles behind U-Prove. The book is available for free download, courtesy of MIT Press. He brings a somewhat radical approach to cryptography: Disclose or collect little—ideally no—private information during any transaction process. During most transactions, whether online or offline, too much personal information is exposed.

I vaguely recall Brands from Zero-Knowledge Systems, where he went in early 2000. About six months earlier I consulted Zero-Knowledge Systems’ chief scientist for a story about an alleged cryptographic flaw/back door in then unreleased Windows 2000.

Brands, his colleagues and U-Prove will first go into Windows Cardspace and Windows Communications Foundation. Microsoft's Brendon Lynch explained in a Thursday blog post:

“Credentica's U-Prove technology will help people protect their identities by enabling them to disclose only the minimum amount of information needed for a transaction—sometimes no personal information may be needed at all. When this technology is broadly available in Microsoft products (such as Windows Communication Foundation and Windows Cardspace), enterprises, governments and consumers all stand to benefit from the enhanced security and privacy that it will enable. We look forward to a world where people have more control of their personal information and are better protected from harms of online fraud and identity theft.”

Kim Cameron, Microsoft's identity architect, does a wonderful job explaining Brands’ “minimal disclosure” approach in a Thursday blog post and how the company may apply it. The basic concept: to use other cryptographic means to verify identity “without revealing the signature applied by the identity provider.”

Microsoft has made one helluva good acquisition, whose potential long-term benefits I simply cannot overstate. The company has been trying to tackle the identity problem for nearly a decade. Early days, Passport acted as a single sign-on for multiple services, a heritage Windows Live ID expanded. But U-Prove departs from Microsoft's past identity efforts. The idea is to identify you without, well, identifying you.

Microsoft online services would look dramatically different with an identity mechanism that truly protected privacy and security on both sides of the transaction all while guaranteeing both parties that they are who they say they are, without necessarily saying who they are.

The best conceptual analogy I can think of is Swiss or offshore banking, where an account holder presents a numerical token or tokens that verify his or her right to account access but not the individual's identity or necessarily the token's issuer. Such a mechanism could be a boon to business and consumer confidence in online transactions as well as reduce petty fraud.

Microsoft's money would be better spent on more acquisitions like this one, rather than frittering away valuable resources on Yahoo. Microsoft is operating on the false premise that Google's huge search lead also puts it ahead in advertising—too far to catch up without a means of leaping ahead. Yahoo is the means.

But Microsoft is mistaken. Online activities and transactions are more complex than that. Search is one strategic technology, but there are others that Google doesn't control. If Microsoft could take a strategic lead protecting identity around transactions, the company could better enable all kinds of Web activities, and in so doing raise its online credibility. Privacy concerns have dogged Google.

I think Microsoft should take half of its proposed Yahoo offer and spend it on more acquisitions like Credentica's U-Prove technology. I'm not the first to suggest that Microsoft spend $20 billion on smaller companies. But I will say that U-Prove is an example of what Microsoft should do to bolster its online technology portfolio in more meaningful ways, without taking on the hardship of a large, messy acquisition like Yahoo.

Reactions to Credentica acquisition

Network World's John Fontana has done a great job of explaining what it means for Microsoft to integrate U-Prove into its offerings:

Microsoft plans to incorporate U-Prove into both Windows Communication Foundation (WCF) and CardSpace, the user-centric identity software in Vista and XP.

Microsoft said all its servers and partner products that incorporate the WCF framework would provide support for U-Prove.

“The main point is that this will just become part of the base identity infrastructure we offer. Good privacy practices will become one of the norms of e-commerce,” Cameron said.

“The U-Prove technology looks like a good candidate as an authentication mechanism for CardSpace-managed cards (i.e., those cards issued by an identity provider),” Mark Diodati, an analyst with the Burton Group, wrote on his blog.

In general, the technology ensures that users always have say over what information they release and that the data can not be linked together by the recipients. That means that recipients along the chain of disclosure can not aggregate the data they collect and piece together the user’s personal information.

[More here…]

Eric Norlin has this piece in CSO, and Nancy Gohring's ComputerWorld article emphasizes that “U-Prove is the equivalent in the privacy world of RSA in the security space.”  Burton's Mark Diodati covers the acquisition here.

Gunnar Peterson from 1 Raindrop notes in That Was Fast

…the digital natives may be getting some better tooling faster than I thought. I am sure you already know there is a northern alliance and Redmond is U-Prove enabled. I fondly remember a lengthy conversation I had with Stefan Brands in Croatia several years ago, while he patiently explained to me how misguided the security-privacy collision course way of thinking is, and instead how real security is only achieved with privacy. If you have not already, I recommend you read Stefans’ primer on user identification.

Entrepreneur and angel investor Austin Hill gives us some background and links here:

In the year 2000, Zero-Knowledge acquired the rights to Dr. Stefan Brands work and hired Stefan to help us build privacy-enhanced identity & payments systems.  It turns out we were very early into the identity game, failed to commercialize the technology – and during the Dot.Com bust cycle we shut down the business unit and released the patents back to Stefan.  This was groundbreaking stuff that Stefan had invented, and we invested heavily in trying to make it real, but there weren’t enough bitters in the market at that time.  We referred to the technologies as the “RSA” algorithms of the identity & privacy industry.  Unfortunately the ‘privacy & identity’ industry didn’t exist.

Stefan went on to found Credentica to continue the work of commercialization of his invention. Today he announced that Microsoft has acquired his company and he and his team are joining Microsoft.

Microsoft’s Identity Architect Guru Kim Cameron has more on the deal on his blog (he mentions the RSA for privacy concept as well).

Adam Shostack (former Zero Knowledge Evil Genius, who also created a startup & currently works at Microsoft) has this post up.   George Favvas, CEO of SmartHippo (also another Zero-Knowledge/Total.Net alumni – entrepreneur) also blogged about the deal as well.

Congratulations to Stefan and the team.  This is a great deal for Microsoft, the identity industry and his team. (I know we tried to get Microsoft to buy or adopt the technology back in 2001 🙂)

(I didn't really know much about Zero-Knowledge back in 2000, but it's interesting to see how early they characterized Stefan's technology as being the privacy equivalent of RSA.  It's wonderful to see people who are so forward-thinking.)

Analyst Neil Macehiter writes:

Credentica was founded by acknowledged security expert Stefan Brands, whose team has applied some very advanced cryptography techniques to allow users to authenticate to service providers directly without the involvement of identity providers. They also limit the disclosure of personally-identifiable information to prevent accounts being linked across service providers and provide resistance to phishing attacks. Credentica's own marketing literature highlights the synergies with CardSpace:

“The SDK is ideally suited for creating the electronic equivalent of the cards in one's wallet and for protecting identity-related information in frameworks such as SAML, Liberty ID-WSF, and Windows CardSpace.”

This is a smart move by Microsoft. Not only does it bring some very innovative and well-respected technology (with endorsements from the likes of the Information and Privacy Commissioner of Ontario, Canada) which extends the capabilities of Microsoft's identity and security offerings; it also brings some heavyweight cryptography and privacy expertise and credibility from the Credentica team. The latter can, and undoubtedly will, be exploited by Microsoft in the short term: the former will take more time to realise with Microsoft stating that integrated offerings are at least 12–18 months away.

[More here…]

Besides the many positives, there were concerns expressed about whether Microsoft would make the technology available beyond Windows.  Ben Laurie wrote:

Kim and Stefan blog about Microsoft’s acquisition of Stefan’s selective disclosure patents and technologies, which I’ve blogged about many times before.

This is potentially great news, especially if one interprets Kim’s

Our goal is that Minimal Disclosure Tokens will become base features of identity platforms and products, leading to the safest possible internet. I don’t think the point here is ultimately to make a dollar. It’s about building a system of identity that can withstand the ravages that the Internet will unleash.

in the most positive way. Unfortunately, comments such as this from Stefan

Microsoft plans to integrate the technology into Windows Communication Foundation and Windows Cardspace.

and this from Microsoft’s Privacy folk

When this technology is broadly available in Microsoft products (such as Windows Communication Foundation and Windows Cardspace), enterprises, governments, and consumers all stand to benefit from the enhanced security and privacy that it will enable.

sound more like the Microsoft we know and love.

I hope everyone who reads this blog knows that it is elementary, my dear Laurie, that identity technology must work across boundaries, platforms and vendors (Law 5 – not to mention, “Since the identity system has to work on all platforms, it must be safe on all platforms”). 

That doesn't mean it is trivial to figure out the best legal mechanisms for making the intellectual property and even the code available to the ecosystem.  Lawyers are needed, and it takes a while.  But I can guarantee everyone that I have zero intention of hoarding Minimal Disclosure Tokens or turning U-Prove into a proprietary Microsoft technology silo.

Like, it's 2008, right?  Give me a break, guys!

Microsoft to adopt Stefan Brands’ Technology

The Internet may sometimes randomly “forget”.  But in general it doesn't. 

Once digital information is released to a few parties, it really is “out there”.  Cory Doctorow wrote recently about what he called the half-life of personal information, pointing out that personal information doesn't just “dissipate” after use.  It hangs around like radioactive waste.  You can't just push a button and get rid of it.

I personally think we are just beginning to understand what it would mean if everything we do is both remembered and automatically related to everything else we do.  No evil “Dr. No” is necessary to bring this about, although evil actors might accelerate and take advantage of the outcome.  Linkage is just a natural tendency of digital reality, similar to entropy in the physical world.  When designing physical systems a big part of our job is countering entropy.  And in the digital sphere, our designs need to counter linkage.

This has led me to the idea of the “Need-to-Know Internet”.

The Need-to-Know Internet

“Need to Know” thinking comes from the military.  The precept is that if people in dangerous situations don't know things they don't need to know, that information can't leak or be used in ways that increase danger.  Taken as a starting point, it leads to a safer environment.

As Craig Burton pointed out many years ago, one key defining aspect of the Internet is that everything is equidistant from everything else. 

That means we can get easily to the most obscure possible resources, which makes the Internet fantastic.  But it also means unknown “enemies” are as “close” to us as our “friends” – just a packet away.  If something is just a packet away, you can't see it coming, or prepare for it.  This aspect of digital “physics” is one of the main reasons the Internet can be a dangerous place.

That danger can be addressed by adopting a need-to-know approach to the Internet.  As little personal information as possible should be released, and to the smallest possible number of parties.  Architecturally, our infrastructure should lead naturally to this outcome.

Not the browser!

Google's Ben Laurie bookends our dialog (work back from here) with a really clear statement:

Kim correctly observes that the browser is not the place to be typing your password. Indeed. I should have mentioned that.

Clearly any mechanism that can be imitated by a web page is dead in the water. Kim also wants to rule out plugins, I take it, given his earlier reference to toolbar problems. I’m OK with that. We want something that only a highly trusted program can do. That’s been so central to my thinking on this I forgot to mention it. Sorry.

This sounds really positive.  Now, just so I don't end up with a different security product from every big web site, I hope Ben's work will include integration with the CardSpace framework.  I'm certainly open to discussions about ways we might evolve CardSpace to facilitate this.

Ben Laurie's “Single Passwords”

Given his latest post, I guess I got the gist of Ben Laurie's proposal for using what I'll call “Single Passwords” rather than “Single Signon”:  

“Kim Cameron, bless him, manages to interpret one of my most diabolical hungover bits of prose ever. I am totally with him on the problem of pharming, but the reality is that the average Cardspace user authenticated with nothing better than a password (when they logged into Windows).”

Wow.  I appreciate the blessing from Father Laurie, but this is kind of a “We're going to die one day, so who cares if we die tomorrow?” type of argument – surprising for a priest. 

While it's true that pharming is a challenge for the operating system as well as the browser, let's not seriously equate the dangers of entering passwords into browsers (a malleable experience, the goal of which is to be infinitely and easily modified by anyone) with those involved in booting up your PC (a highly controlled environment designed to allow no modification and use a secure desktop).  It's true that both involve passwords.  But the equation is simplistic, best summed up as: “Tables have legs, people have legs, therefore tables are people.”

Anyway, I'm sympathetic to Ben's concerns about portability:

“Furthermore, if you are going to achieve portability of credentials, then you can either do it in dreamland, where all users carry around their oh-so-totally-secure bluetooth credential device, or you can do it in the real world, where credentials will be retrieved from an online store secured by a password.”

I don't dismiss dreamland – isn't that what iPhones want to be?  But we do need lightweight roaming.  Using an online vault secured by a passphrase is a reasonable way to bootstrap a secret onto a machine.

But not the browser! 

The rub is:  once a user gets into the habit of typing this secret into the browser, she's ready to be tricked.  I'll go further.  If  the vault one day accrues enough value, a browser-based system WILL fail the user – sooner or later.   

Ben concludes:

“If you believe the Cardspace UI can protect people’s credentials, then surely it can protect a password?

“If it really can’t (that is, we cannot come up with UI that people will reliably identify and eschew all imitations), then how will we ever have a workable, scalable system that includes recovery of credentials after loss or destruction of their physical goods?”

There's food for thought here.  Start to take advantage of the engineering in CardSpace, and you inherit significant protection in terms of both phishing and pharming.  So if Ben implements his “Single Password” this way, he could start to be reasonably confident that the “function of the password” is what is released, while the password is guarded.

Understanding Windows CardSpace

There is a really wonderful new book out on digital identity and Information Cards called “Understanding Windows CardSpace”.

Written by Vittorio Bertocci, Garrett Serack and Caleb Baker, all of whom were part of the original CardSpace project, the book is deeply grounded in the theory and technology that came out of it.  At the same time, it is obviously their personal project.  It has a personal feeling and conviction I found attractive.

The presentation begins with a problem statement – “The Advent of Profitable Digital Crime”.  There is a systematic introduction to the full panoply of attack vectors we need to withstand, and the book convincingly explains why we need an in-depth solution, not another band-aid leading to some new vulnerability.

For those “unskilled in the art”, there is an introduction to relevant cryptographic concepts, and an explanation of how both certificates and https work.  These will be helpful to many who would otherwise find parts of the book out of reach.

Next comes an intelligent discussion of the Laws of Identity, the multi-centered world and the identity metasystem.  The book is laid out to include clever sidebars and commentaries, and becomes progressively more McLuhanesque.  On to SOAP and Web Services protocols – even an introduction to SAML and WS-Trust, always with plenty of diagrams and explanations of the threats.

Then we are introduced to the concept of an identity selector and the model of user-centric interaction.

Part two deals specifically with CardSpace, starting with walk-throughs, and leading to implementation.  This includes “Guidance for a Relying Party”, an in-depth look at the features of CardSpace, and a discussion of using CardSpace in the browser.

The authors move on to Using CardSpace for Federation, and explore how CardSpace works with the Windows Communication Foundation.  Even here, we're brought back to the issues involved in relying on an Identity Provider, and a discussion of potential business models for various metasystem actors.

Needless to say, much of what's covered in this book applies to Higgins and OpenInformationCard and Bandit as well as CardSpace. 

Above all, it is a readable book that balances technology with the broader issues of identity.  I imagine almost anyone who reads this blog will have something to gain from it.  I especially recommend it for people who want a holistic introduction to digital identity, CardSpace and web services.  I think the book is excellent for students.  I even expect it will be enjoyed by more than one policy maker who wants to understand the underlying technical problems of identity.

So check it out, and let me know what you think.

[By the way:  One chapter of the book is now online as a stream of html text, but I'd avoid it. The printed layout and interplay of commentaries add both life and interest…]

Eric Norlin takes OpenID to CSOs

Digital ID World's Eric Norlin explains why security executives should pay attention to OpenID in this article from CSO – the Resource for Security Executives

Kim Cameron has posted another thoughtful piece about why he (and by extension Microsoft) is supportive of OpenID. For those of you that don't eat, sleep, dream and breathe identity, Kim is the guy at Microsoft that was responsible for writing the “Seven Laws of Identity,” which led to the idea of an identity metasystem, which effectively gave birth to all kinds of meetings (the “identity gang”), which led to things like OpenID and Higgins really taking off. Bottom line: Kim's a VIP in the identity world (he's also one helluva nice guy).

Kim's main point is this:

“My takeaway is that OpenID leads to CardSpace. I don’t mean by this that Information Cards replace OpenID. I just mean that the more people start using cross-site identities, the more the capabilities of CardSpace become relevant as a way of strengthening OpenID and put it in a broader technology context.

Information Cards were created to put in place an infrastructure that can solve the security problems of the web before they explode in our faces. It’s a serious technology and involves secure high-strength products emerging across the industry.”

It's important to note that Kim is thinking about identity ecosystems, not “one protocol to rule them all.” Really, it comes down to making the use of an identity a “ritual.” That sounds a bit off, I know, but hear me out. Believe it or not, the great majority of humanity had its first contact with email in a workplace setting. Now, if the interface (and interaction) for email was substantially different for work-usage and home-usage (or should I say, WorkUsage and HomeUsage?), do you think the adoption curve would've been the same? I don't.

One of the essential points that Kim's been hammering on for a couple of years is that we have to make the underlying “ritual” of using identity similar in a foundational sense.

Yet one more reason why you (as a CSO) should be paying attention to OpenID. After all, people don't always first see and experience things in the workplace.

This matter of influences from the internet converging with the enterprise is incredibly important, and I'm going to expand on it soon.  By the way, it was Eric's encouragement that got me hooked on writing the Laws of Identity.

From “Screen-Names in Bondage” to OpenID

Google's Ben Laurie proposes using “functions of passwords” rather than plain passwords as a way to avoid phishing: 

Kim Cameron writes about fixing OpenID’s phishing problems by using Cardspace. Certainly I agree that using strong authentication to the OpenID provider fixes the phishing problem – but if you have strong authentication, why bother to use OpenID at all? Why not strongly authenticate to the site you are really trying to log into, instead?

Of course, Cardspace is a pretty heavyweight solution for this, so perhaps that’s what Kim’s getting at? It also doesn’t work well if you have more than one machine – moving your credentials around is not something Cardspace does well.

In my view, there’s a sweeter spot for solving this problem than Cardspace (or OpenID, obviously) – and that is to do strong authentication based purely on a password. That way, you can use the same password everywhere, so no problem with moving between machines, but can still resist phishing attacks and don’t have to make yourself linkable across all sites. Obviously supporting this would be way easier than taking the whole of Cardspace on board, but would have all of the immediate advantages. Clearly it would get you nowhere with advanced identity management, but it’s not like we don’t already have protocols for that and nor does there seem to be much demand for it yet.

I take it Ben is talking about having a toolbar that asks for your password, and transforms it based on the site's identity so you can use the same password everywhere.  Perhaps he is even thinking about a digest protocol where this transformed password would be used to calculate a “proof” rather than transported over the wire.

Phished or Pharmed 

Problem is, such a toolbar is as easily “pharmable” as OpenID is phishable.

How does a user know she is typing her password into the legitimate toolbar – rather than an “evil replica”?  Our experience with toolbars teaches us that it is easy to trick a LOT of people into using fakes.  In fact, sometimes the fakes have propagated faster than the real thing!  Once people get used to typing passwords into a toolbar you have truly opened Pandora's Box.

Let's look at what happens when the kind of “common password” Ben proposes is stolen. In fact, let's compare it to having money stolen. 

If you go into a store and are short-changed, you just lose money in one store.  If you are pick pocketed, you just lose what's in your wallet – you can cancel your cards.  But if your “common password” is intercepted, it is as though you have lost money in ALL the stores you have been in.   And sadly, you will have lost a lot more than money.

The ultimate advantage of moving beyond passwords is that there is then NO WAY a user can inadvertently give them away.
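The “function of the password” idea discussed above, sketched as an added example (not code from Ben Laurie, this blog or CardSpace): one password is transformed per site with PBKDF2, and only an HMAC proof over a server nonce crosses the wire. The `Site` class, the labels, the sample host names and the iteration count are assumptions; the last check reproduces the post's caveat that a captured common password opens every site.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor for this sketch


def normalize_site(site: str) -> bytes:
    """Canonicalise the site identity so 'Bank.Example.' and 'bank.example' match."""
    return site.strip().rstrip(".").lower().encode("utf-8")


def site_secret(password: str, site: str) -> bytes:
    """Transform the one memorised password into a secret bound to a single site."""
    salt = b"site-secret:" + normalize_site(site)
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_proof(secret: bytes, site: str, nonce: bytes) -> bytes:
    """Client side: answer the challenge; neither password nor secret is sent."""
    message = b"proof:" + normalize_site(site) + b":" + nonce
    return hmac.new(secret, message, hashlib.sha256).digest()


class Site:
    """Hypothetical server side. It keeps the site-bound secret from enrolment,
    which is password-equivalent for this site only."""

    def __init__(self, name: str, enrolled_secret: bytes):
        self.name = name
        self._secret = enrolled_secret
        self._pending = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, proof: bytes) -> bool:
        if nonce not in self._pending:
            return False  # unknown or already-used challenge: replay is refused
        self._pending.discard(nonce)
        expected = make_proof(self._secret, self.name, nonce)
        return hmac.compare_digest(expected, proof)


def demo() -> dict:
    password = "correct horse battery staple"  # constructed sample value
    bank = Site("bank.example", site_secret(password, "bank.example"))
    forum = Site("forum.example", site_secret(password, "forum.example"))
    results = {}

    # Normal login: the proof verifies once, and a replay of it is rejected.
    nonce = bank.challenge()
    proof = make_proof(site_secret(password, "bank.example"), "bank.example", nonce)
    results["login_ok"] = bank.verify(nonce, proof)
    results["replay_rejected"] = not bank.verify(nonce, proof)

    # A proof the client computed for a look-alike name is useless at the real site.
    nonce = bank.challenge()
    wrong = make_proof(site_secret(password, "bank.examp1e"), "bank.examp1e", nonce)
    results["lookalike_proof_rejected"] = not bank.verify(nonce, wrong)

    # Per-site secrets differ, so one site's stored value does not work at another.
    results["secrets_differ"] = (
        site_secret(password, "bank.example") != site_secret(password, "forum.example")
    )

    # The post's caveat: none of this helps once the raw password itself has been
    # typed into a fake input surface, because every site secret derives from it.
    captured = password
    nonce = forum.challenge()
    proof = make_proof(site_secret(captured, "forum.example"), "forum.example", nonce)
    results["captured_password_opens_other_site"] = forum.verify(nonce, proof)
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```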

Is CardSpace too heavy-weight? 

CardSpace should be a lighter-weight experience than it is today.  We're working on that, making it less “in-your-face” while actually increasing its safety.  I also agree with Ben that it needs to be easier to roam credentials.  We're working on that too. 

The point is, let's evolve CardSpace – and the interoperable software being developed by others – to whatever is needed to really solve the relevant privacy and security problems, rather than introducing more half-measures that won't be effective.

So why OpenID?

If that's all true, Ben wonders why we bother with OpenID at all…

The most important reason is that OpenID gives us common identifiers for public personas that we can use across multiple web sites – and a way to prove that we really own them.

That is huge.  Gigantic.  Compare it to the cacophony of “screen-names” we have today – screen-names in bondage, prisoners of each site.

Technology people are sometimes insulted when you imply they haven't solved the world's problems.  But to be really important, OpenID doesn't have to solve the world's problems.  It just has to do this one common-identifier thing really well.  And it does.  That's what I love about it.

CardSpace doesn't address the same problem.  CardSpace plus OpenID solve it together. 

Yahoo! announcement on OpenID

Yahoo! has launched the public beta of its OpenID Provider service.  Congratulations to the Yahoo! identity team!  Here's part of the announcement:

Today, we are launching the public beta of the much-anticipated Yahoo! OpenID Provider service. This means that users with a Yahoo! account – all 248 million of them – will be able to sign in to any website that supports OpenID 2.0, the latest version of the OpenID specification.

In case you are curious, here are the key features of this release:

Usability – Users will not have to understand the technical details of OpenID simply to use the technology. Thanks to features introduced in the OpenID 2.0 specification, users will not have to type their OpenID URL while signing in to websites. They can simply type yahoo.com in the OpenID textbox or, if the Relying Party website provides it, click a button that takes them to Yahoo!. By not requiring users to understand the meaning of an OpenID URL, we hope that more users will be able to overcome the initial hurdles of using this new technology. For those of you who want to set up a custom URL, we will provide a way to do so, including the ability to use your Flickr photos page as your OpenID URL.  [Interesting – Kim].

User education – We have spent a great deal of time thinking about educating users on the proper use of OpenID and you will see some of these thoughts implemented throughout our service – whether it's an explanation of the benefits of OpenID, our OpenID tour, or messaging on the safe use of OpenID at various locations.

Anti-phishing measures – We suggest that users of the Yahoo! OpenID service set up and look for their Sign-in Seal to confirm that they are entering their password on a genuine Yahoo! page. A Sign-in Seal is a user-created image or a message that will only appear on genuine Yahoo! pages. We hope to continue working with the OpenID community to combat phishing and provide more secure experiences to users.

We are also actively working on non-US English versions of the service. It is already available for 17 countries and we expect to roll out even more international support in the very near future.

If you'd like to use the Yahoo! OpenID service, feel free to start at Plaxo, Jyte, Pibb, or any other OpenID 2.0-compliant website (this list is growing every day). Alternatively, visit http://openid.yahoo.com to set up your account for OpenID access. We would love to hear your feedback!

We'd like to take this opportunity to thank the OpenID community for educating us over the past 1 year and helping us make this happen. In particular, we'd like to say “Thank you” to Bill Washburn, Brian Ellin, David Recordon, Dick Hardt, Johannes Ernst, Johnny Bufu, Joseph Smarr, Josh Hoyt, Kaliya Hamlin, Kevin Turner, Larry Drebes, Mike Graves, Scott Kveton, and Simon Willison.

(More here…)