OpenId Foundation Activities

From IPEN Wiki
Revision as of 20:57, 28 October 2015 by Antoniok (Talk | contribs)



The objective of this page is to provide a high-level view of activities related to privacy standards in the OpenID Foundation.

"The OpenID Foundation (OIDF) promotes, protects and nurtures the OpenID community and technologies. The OpenID Foundation is a non-profit international standardization organization of individuals and companies committed to enabling, promoting and protecting OpenID technologies. Formed in June 2007, the foundation serves as a public trust organization representing the open community of developers, vendors, and users. OIDF assists the community by providing needed infrastructure and help in promoting and supporting expanded adoption of OpenID. This entails managing intellectual property and brand marks as well as fostering viral growth and global participation in the proliferation of OpenID."

Current working groups and projects related to privacy standards

HEART WG


The HEART Working Group intends to harmonize and develop a set of privacy and security specifications that would enable an individual to manage the authorization, consent and release of their health-related data via RESTful data sharing APIs, and to facilitate the development of interoperable implementations of these specifications by others.
The current working documents and projects are as follows:

  •  Health Relationship Trust Profile for OpenID Connect 1.0
  •  Health Relationship Trust Profile for OAuth 2.0
  •  Health Relationship Trust Profile for User Managed Access 1.0
  •  Health Relationship Trust Profile for Fast Healthcare Interoperability Resources (FHIR) OAuth 2.0 Scopes
Web pages

RISC WG


The goal of RISC is to provide data sharing schemas, privacy recommendations and protocols to:

  • Share information about important security events in order to thwart attackers from leveraging compromised accounts from one Service Provider to gain access to accounts on other Service Providers (mobile or web application developers and owners).
  • Enable users and providers to coordinate in order to securely restore accounts following a compromise.

Internet accounts that use email addresses or phone numbers as the primary identifier for the account will be the initial focus.

The working group is currently gathering requirements and identifying fits and gaps. One of the topics the WG considers important is the privacy aspect of sharing account data.
In essence, the specification will describe how to notify the relevant parties when a higher risk of account compromise is observed. For example, an email provider may signal that an email account is now in an elevated risk state, so that a service provider that uses the address as the account reset address can stop using it for the time being. This breaks the chain of account compromise among service providers and helps maintain the user’s privacy.
If the relationship between the email provider and the service provider is explicit and the user has opted in, this should not be a problem. In most cases, however, the relationship is implicit. It is conceivable to guide users to opt in to this kind of relationship at their next login, but people who have not opted in will not be protected. If opt-out were allowed, the first thing an attacker would do after compromising an account is opt out of the account risk information sharing so that he can take over the related accounts as well. From our evaluation, one of the best approaches is for the service provider to share the email addresses used for password reset and similar purposes with the email provider in bulk, and to set up the information-sharing path without an opt-out option. This gives the greatest ratio of privacy protection to privacy risk.

Web pages