The Identity Problem of the Web and how to solve it
Presentation Transcript
Bastian Hofmann, ResearchGate GmbH
Only one identity?
Identity is conveyed by communication
Identity is not fixed but recreated by every communication with your fellows
Expectations of different people result in different identities
Lothar Krappmann
Sign up again and again
Passwords are broken
Same password for more than one service
Saved insecurely in the browser
Names, birthdays, car brand, ...
Disclosed to others
Too short, too simple
Sent over unencrypted connections
Single Sign On
Microsoft Live ID
Launched 1999 as .net Passport
And there are many more
[Diagram: OpenID 2.0 login flow between the user, stackoverflow.com (relying party), bhofmann.myopenid.com (identifier URL) and myopenid.com/server (provider)]
HTTP POST of the identifier to stackoverflow.com
HTTP GET http://bhofmann.myopenid.com
<link rel="openid2.provider" href="http://www.myopenid.com/server" />
stackoverflow.com and myopenid.com/server establish a shared secret (Diffie-Hellman)
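The discovery step of that flow, as an added example rather than code from the talk: the relying party normalizes what the user typed, fetches the identifier page and reads the openid2.provider link. The identity page is constructed here and the openid2.local_id link is an assumption not shown on the slides.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Constructed identity page for the flow on the slides: the relying party GETs
# the user's identifier URL and looks for the openid2.provider <link>.
# The openid2.local_id line is an added assumption, not shown on the slides.
SAMPLE_IDENTITY_PAGE = """<html><head>
<link rel="openid2.provider" href="http://www.myopenid.com/server" />
<link rel="openid2.local_id" href="http://bhofmann.myopenid.com/" />
</head><body>bhofmann</body></html>"""


def normalize_identifier(user_input):
    # Turn what the user typed into a claimed identifier URL: add a missing
    # http:// scheme, drop any fragment, and make an empty path "/".
    text = user_input.strip()
    if "://" not in text:
        text = "http://" + text
    parts = urlsplit(text)
    return urlunsplit((parts.scheme, parts.netloc, parts.path or "/", parts.query, ""))


class _LinkCollector(HTMLParser):
    # Collect rel-token -> href for every <link>; rel may hold several tokens.
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attr = dict(attrs)
        for token in (attr.get("rel") or "").split():
            self.links.setdefault(token.lower(), attr.get("href"))


def discover(page_html, claimed_id):
    # HTML-based discovery: find the OP endpoint the relying party must talk to.
    # Refuse to continue when no provider link is present rather than guess one.
    parser = _LinkCollector()
    parser.feed(page_html)
    endpoint = parser.links.get("openid2.provider")
    if not endpoint:
        raise ValueError("no openid2.provider link on identity page")
    ep = urlsplit(endpoint)
    if ep.scheme not in ("http", "https") or not ep.netloc:
        raise ValueError("OP endpoint must be an absolute http(s) URL")
    return {
        "op_endpoint": endpoint,
        "claimed_id": claimed_id,
        "op_local_id": parser.links.get("openid2.local_id") or claimed_id,
    }
```

The returned op_endpoint is where the relying party then performs the Diffie-Hellman association shown in the last diagram step.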
„OpenID has been a burden on support since the day it was launched.“
„Fewer than 1% of all 37signals users are currently using OpenID.“
http://productblog.37signals.com/products/2011/01/well-be-retiring-our-support-of-openid-on-may-1.html
„OpenID is the worst possible "solution" I have ever seen in my entire life to a problem that most people don't really have.“
Yishan Wong (Facebook)
http://www.quora.com/What-s-wrong-with-OpenID
Failures of OpenID 2.0
Complex to implement
No marketing
Do you have an OpenID? What is it?
URL as identifier => Bad User Experience
Facebook Connect
250,000,000 monthly users
So let's all use Facebook?
How to fix it?
Easier to implement
Better user experience
Built on top of OAuth 2.0
Simpler specification
Wider adoption
What's new in OAuth2? (Draft 10)
No signatures
Cookie-like Bearer Token
Different client profiles
No Token Secrets
No Request Tokens
Mandatory TLS/SSL
Much more flexible regarding extensions
http://tools.ietf.org/html/draft-ietf-oauth-v2
Pre-registration of client at Twitter
[Diagram: lanyrd.com (client) registered at twitter.com]
- Shared Client ID
- Shared Client Secret
- Redirect URI
Summing it up
• We need a single sign on system for the web
• Proprietary solutions are bad for users, site owners and developers
• OpenID is cool, but has some problems
• A new, simpler and more flexible spec is coming up
• Browser vendors are working to solve this problem in the browser