{"id":993,"date":"2008-06-23T17:32:35","date_gmt":"2008-06-24T01:32:35","guid":{"rendered":"\/?p=993"},"modified":"2008-06-24T08:04:30","modified_gmt":"2008-06-24T16:04:30","slug":"healthvault-moves-forward-with-openid","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=993","title":{"rendered":"HealthVault moves forward with OpenID"},"content":{"rendered":"<p>Via <a href=\"http:\/\/self-issued.info\/?p=75\">Mike Jones<\/a>,\u00a0here&#39;s a\u00a0<a href=\"http:\/\/blogs.msdn.com\/familyhealthguy\/archive\/2008\/06\/22\/openid-comes-to-healthvault.aspx\">blog post<\/a>\u00a0on identity issues by <a href=\"http:\/\/blogs.msdn.com\/familyhealthguy\/\">Sean Nolan<\/a>, chief architect of Microsoft\u2019s <a href=\"http:\/\/healthvault.com\/\" class=\"broken_link\">HealthVault<\/a> service:\u00a0\u00a0\u00a0\u00a0\u00a0<\/p>\n<p style=\"padding-left: 30px;\"><a href=\"http:\/\/openid.net\/\"><img loading=\"lazy\" src=\"\/wp-content\/images\/2008\/06\/openid-icon.png\" border=\"0\" alt=\"\" hspace=\"4\" vspace=\"4\" width=\"100\" height=\"100\" align=\"right\" \/><\/a> My plan had been to blog about this when the feature goes live later in the week. But there&#39;s been some <a href=\"http:\/\/scott.blomqui.st\/2008\/06\/secure-openid-matters-to-microsoft\/\">online discussion<\/a> already, and I&#39;m sitting here at the <a href=\"http:\/\/www.triplerisehorseshows.com\/show_es2.html\">horse show<\/a> in waiting mode anyway, so it seems like now is as good a time as any to join the conversation.<\/p>\n<p style=\"padding-left: 30px;\">The deal is &#8212; as of our next release in the next few days, users will have a new way to identify themselves to HealthVault. In addition to <a href=\"http:\/\/www.pasport.net\">Windows Live ID<\/a>, they will be given the option of using <a href=\"http:\/\/openid.net\">OpenID<\/a> accounts from <a href=\"http:\/\/pip.verisignlabs.com\" class=\"broken_link\">Verisign<\/a> or <a href=\"http:\/\/www.trustbearer.com\" class=\"broken_link\">TrustBearer<\/a>.<\/p>\n<p style=\"padding-left: 30px;\">As we&#39;ve always said, HealthVault is about consumer control &#8212; empowering individuals with tools that let them choose how to share and safeguard their personal health information. OpenID support is a natural fit for this approach, because it allows users to choose the &#8220;locksmith&#8221; that they are most comfortable with.<\/p>\n<p style=\"padding-left: 30px;\">You can certainly expect to see more such options in the future. For example, we are in the process of building in native support for <a href=\"http:\/\/msdn.microsoft.com\/en-us\/netframework\/aa663320.aspx\">Information Cards<\/a>, which provide some unique advantages, in particular around foiling phishing attempts.<\/p>\n<p style=\"padding-left: 30px;\">But why just two providers? When we were making our plans here, <a href=\"http:\/\/www.christremonte.com\/\" class=\"broken_link\">Chris<\/a> on our partner team asked me, &#8220;Isn&#39;t this more like sort-of-OpenID?&#8221; The same question has <a href=\"http:\/\/scott.blomqui.st\/2008\/06\/secure-openid-matters-to-microsoft\/#comment-70\">come up online<\/a> as well.*** Really, there&#39;s a very simple answer here. OpenID is a new and maturing technology, and HealthVault is frankly the most sensitive relying party in the OpenID ecosystem. It just makes sense for us to take our first steps carefully.<\/p>\n<p style=\"padding-left: 30px;\">Both TrustBearer and Verisign have taken their obligations very seriously with their OpenID implementations. Beyond basic must-have safeguards like SSL, each offers a variety of second-factor options that provide a step up over traditional passwords &#8212; through the use of physical tokens or, in Verisign&#39;s case, the ability to associate an Information Card with an OpenID. This isn&#39;t meant to imply that there aren&#39;t other great providers out there &#8212; there are. This is just a start.<\/p>\n<p style=\"padding-left: 30px;\">As we learn more, and as OpenID continues to mature, we fully expect to broaden the set of providers that work with HealthVault. We believe that a critical part of that expansion is the formalization and adoption of <a href=\"http:\/\/openid.net\/specs\/openid-provider-authentication-policy-extension-1_0-02.html\">PAPE<\/a>, which gives relying parties a richer set of tools to determine if they are comfortable with the policies of an identity provider.<\/p>\n<p style=\"padding-left: 30px;\">This is exciting stuff &#8212; in a geeky way perhaps, but anything that begins to put strong identity technology in the hands of real users is a good thing, not just for those users, but for HealthVault and the Internet overall. Woo hoo!<\/p>\n<p style=\"padding-left: 30px;\"><em>*** BTW, I am clearly all about being cool and buzzword-compliant! \ud83d\ude42<\/em><\/p>\n<p>It&#39;s great to see an architect like Sean, who lives in Internet time and has a thousand other\u00a0things on his mind,\u00a0paying so much\u00a0personal attention to\u00a0identity issues.\u00a0\u00a0He&#39;s showing leadership through his commitment to phishing resistant solutions (like OpenID&#39;s PAPE and Information Cards).\u00a0 And he clearly embraces giving\u00a0people\u00a0choice.\u00a0<\/p>\n<p>The privacy requirements of the information he is protecting mean he\u00a0HAS to do everything possible to protect peoples&#8217; privacy.\u00a0 It makes complete sense to move incrementally.\u00a0 I hope the other OpenID providers who have clearly demonstrated their committment to strong security\u00a0see the wisdom in\u00a0this approach.\u00a0 He&#39;s opening doors.\u00a0 And this is the beginning of a process, not the end.\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Sean Nolan explains his approach to user-centric identity<\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[16,10,8,22,61],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/993"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=993"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/993\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=993"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=993"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=993"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}