OpenID Overview - Seoul July 2007

Overview presentation on OpenID and VeriSign's OpenID Provider given by David Recordon at AhnLab in Seoul, Korea.

Published in: Technology
Transcript of "OpenID Overview - Seoul July 2007"

  1. Overview: David Recordon, drecordon@verisign.com, July 2007
  2. Who am I?
     • David Recordon
     • VeriSign Employee since May of 2006
     • OpenID Foundation Vice-Chair
     • Co-Author of various OpenID specifications
     • Past employee of Six Apart, where OpenID was created
  3. Web 2.0
  4. What is Web 2.0?
     • Users in control
     • Data sharing
     • Social collaboration
     • Lightweight business models
     • Perpetual beta
     • Application platform
     • The Long Tail
  5. The Long Tail
  6. For the Economists
     • The 80% tail matters
     • Virtual shelf space is limitless
     • "We sold more books today that didn't sell at all yesterday than we sold today of all the books that did sell yesterday." Amazon.com
     • http://longtail.typepad.com/the_long_tail/2005/01/definitions_fin.html
  7. For Everyone Else
     • Mass social networks vs. niche social networks
     • Allows access to information that otherwise would be "unimportant"
     • Delivered content vs. discovered content
     • Found by me
     • Recommended by my friends
  8. What is OpenID?
     • Single sign-on for the web
     • Simple and light-weight (not going to replace your bank card pin)
     • Easy to use and deploy
     • Built upon proven existing technologies (DNS, HTTP, SSL/TLS, Diffie-Hellman)
     • Decentralized (no single point of failure in the protocol)
     • Free!
  9. An OpenID is a URI
     • URLs are globally unique and ubiquitous
     • OpenID allows proving ownership of a URI
     • People already have identity at URLs via blogs, photos, MySpace, Facebook, DAUM, etc.
  10. Problems it Solves
     • Too many usernames and passwords, or the lack of different passwords
     • Someone took my desired username
     • My online profile is spread across the Internet without my control and I can't benefit from it when I go somewhere new
     • Account management is hard to do right
  11. How Does it Work?
  12. My OpenID
     • "openid.server" points to my OpenID Provider
  13. How it works, step by step:
     1. Site fetches the HTML of my OpenID
     2. Finds "openid.server"
     3. Establishes a shared secret with the Provider
     4. Redirects my browser to the Provider where I authenticate and allow the OpenID login
     5. Provider redirects my browser back to the site with an OpenID response
     6. Site verifies the signature and logs me in
  14. Demo: Using OpenID
  15. "Hasn't this been done before?"
     • Great for the enterprise
     • Centralized
     • Centralized
  16. History
  17. History 2005 & 2006
     • Created by Brad Fitzpatrick (Summer 2005)
     • Yadis Discovery protocol (Jan 2006)
     • VeriSign launches OpenID Provider (May)
     • Convergence with i-names (July)
     • Convergence with Sxip (Aug.)
     • $50,000 USD Developer Bounty (Aug.)
     • Technorati adopts OpenID (Oct.)
     • Tutorials by Simon Willison (Dec.)
  18. History Q1 2007
     • Mozilla announces intent to support OpenID in Firefox 3 (Jan.)
     • Microsoft support expressed by Bill Gates and Craig Mundie at RSA Conference keynote (Feb.)
     • AOL adds OpenID to every one of their ~60M accounts (Feb.)
     • Symantec announces upcoming OpenID products (Feb.)
     • Digg and NetVibes announce OpenID support (Feb.)
     • WordPress.com and 37Signals adopt OpenID (March)
     • USA Today publishes OpenID article on the Money section front page (March)
  19. History Q2 2007
     • Plone 3.0 ships with OpenID support (May)
     • Sun Microsystems adopts OpenID in enterprise product and provides employees with OpenID (May)
     • livedoor adds OpenID support (May)
     • OpenID wins Next Web Award (June)
     • Leo Laporte and Steve Gibson discuss OpenID (June)
     • OpenID wins CNET Webware 100 award (June)
     • Atlassian (makers of enterprise wiki software) supports OpenID (June)
     • Drupal 6 ships with OpenID support (June)
  20. The OpenID Foundation
  21. The purpose of the OpenID Foundation is to foster and promote the development and adoption of OpenID as a framework for user-centric identity on the Internet.
  22. Founding Board
     • Scott Kveton, Chair, scott@kveton.com
     • David Recordon, Vice-Chair, drecordon@verisign.com
     • Dick Hardt, Treasurer, dick@sxip.com
     • Martin Atkins, Secretary, mart@degeneration.co.uk
     • Johannes Ernst, jernst@netmesh.us
     • Drummond Reed, drummond.reed@cordance.net
     • Bill Washburn, Executive Director, bill@oidf.org
     • Artur Bergman, sky@crucially.net
  23. Current Efforts
     • Develop an IPR policy and process for OpenID specifications to keep OpenID free and patent unencumbered
     • Develop a trademark policy that supports the extended OpenID community
     • Develop core messaging for OpenID and websites oriented toward developers, users, and other potential adopters
     • Coordinate worldwide joint marketing and evangelism
  24. Adoption Trends
  25. ~120 million OpenIDs (including every AOL and livedoor user)
     • OpenID 1.1 - Estimated from various services
  26. Total Relying Parties (aka places you can login with OpenID)
     • [Chart: total relying parties by month, 2005 to 2007; y-axis from 0 to 4,000]
     • OpenID 1.1 - As viewed by MyOpenID.com
  27. Key Benefits
  28. Users
     • Fewer usernames and passwords to remember
     • Ability to strongly protect your accounts anywhere OpenID is accepted
     • Globally unique, "is that the same David?"
     • Ability to create a reputation that can be taken with you from site to site
     • Ability to know where you've shared information
  29. Relying Parties
     • Simplified account creation
        • Users don't need to create a new password
        • Easy to ask for, or discover, profile information
     • Simplified account management
        • No more forgotten passwords
     • OpenID Provider specifics such as IM an AOL OpenID user or know a Sun OpenID user is a current employee
  30. Creating an OpenID
     • English: pip.VeriSignLabs.com, MyOpenID.com
     • Korean: www.idtail.com, www.myid.net, www.idpia.com, www.ohmyid.com
     • Japanese: www.openid.ne.jp
     • http://openid.net/wiki/index.php/OpenIDServers
  31. Done! Time to create an OpenID: ~1 minute, and you may already have one
  32. Demo: Creating an OpenID on your own domain
  33. Configure Delegation (source of www.davidrecordon.com)

         <html xmlns="http://www.w3.org/1999/xhtml">
         <head>
         <title>David Recordon</title>
         <style>
         div { text-align: center; color: #C0C0C0; }
         img { border: 0px; }
         a { color: #C0C0C0; }
         </style>
         <link rel="openid.server" href="https://jpip.verisignlabs.com/server" />
         <link rel="openid.delegate" href="https://recordond.jpip.verisignlabs.com" />
         </head>

  34. Done! Time to create an OpenID on your own domain: ~5 minutes
  35. Security and Trust
  36. Protocol Security
     • Use SSL correctly throughout the protocol
        • Protects against man-in-the-middle and eavesdropping attacks
     • Generate strong MAC keys and re-negotiate as needed
        • Used to verify data integrity and authenticity of OpenID responses
     • Verify NONCEs
        • Protects against replay attacks
  37. Trust
     • "Trust first requires identity" - Brad Fitzpatrick
     • OpenID does not tell you if a user is good, bad, or even human
     • Challenge them via a CAPTCHA or email verification
     • Use whitelists and blacklists
     • Ask someone else whom you trust
  38. Scaling Up OpenID
     • OpenID Provider Authentication Policy Extension, draft published June 2006
     • Relying Parties can ask for authentication policies such as "phishing resistant" or "multi-factor"
     • Providers can respond with policies the user complied with, time since they authenticated, and strength of the credential(s) used per NIST guidelines
  39. VeriSign's OpenID Provider: http://pip.verisignlabs.com
  40. Substantial upgrade this week
  41. Personal Identity Provider
     • Free OpenID Provider run by VeriSign
     • Support for OpenID 1.1 & 2.0
     • Strong security features
     • One-time password tokens
     • Microsoft CardSpace
     • Out-of-band authentication via SMS
     • Manage multiple OpenID URLs
     • Easily manage your profile information
  42. Protect Your Account
  43. Consumer strong authentication and fraud detection network
     • Deployed for the likes of PayPal, eBay, and Charles Schwab
     • Get one token and use it anywhere in the network
  44. VIP Protected Login
  45. Manage Multiple OpenIDs
  46. Manage Your Profile
  47. Use Your Profile
  48. VeriSign's OpenID SeatBelt (an OpenID convenience and security add-on for Firefox) works with
  49. Phishing
     • An untrusted site redirects you to your trusted provider
     • Not just a problem for OpenID, but also for PayPal, Google Auth and Checkout, Yahoo! BBAuth, AOL OpenAuth
  50. Passwords Can be Phished
     • Replace passwords
        • Tokens
        • SMS, Jabber, etc
        • Client Side Certificates
        • Mutual authentication
        • Microsoft CardSpace or Novell Bandit
     • Passwords are still widely used
     • Browsers have poor support for alternative means
  51. SeatBelt
     • Provide contextual information
        • Am I currently logged in and if so as whom?
        • Is it safe to login?
     • Remove phishing opportunities
        • Login when my browser opens
        • Take me to my Provider if I'm not logged in
     • Protect against common attacks
        • Validate SSL certificates when interacting with my Provider
        • Watch where the RP is sending my browser
  52. Provide Context
  53. Remove Opportunities
  54. Protect
  55. Thanks! Questions?
     • http://openid.net/
     • http://planet.openid.net/
     • David Recordon, Innovation, drecordon@verisign.com
  56. Resources
     • http://www.notsorelevant.com/2007-04-26/five-articles-on-openid-you-should-know/
     • http://www.intertwingly.net/blog/2007/01/03/OpenID-for-non-SuperUsers
     • http://www.sixapart.com/about/news/2006/12/openids_growing.html
     • http://blogs.zdnet.com/digitalID/?p=78
     • http://blogs.zdnet.com/digitalID/?p=85
     • http://dev.aol.com/openid-value-of-connnected-identity
     • http://www.usatoday.com/tech/webguide/internetlife/2007-03-15-openid_N.htm
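
Steps 1 and 2 of "How Does it Work?" and the "Configure Delegation" slide, as an added example that is not part of the original slides: a relying party reading `openid.server` and `openid.delegate` from the fetched HTML. Assumptions: the "exactly one endpoint, https only" policy is a local hardening choice rather than a protocol requirement, and the `<body>` in the sample is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class HeadLinks(HTMLParser):
    """Collect openid.* <link> elements, but only those inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head, self.links = False, {}

    def handle_starttag(self, tag, attrs):
        if tag in ("head", "body"):
            self.in_head = (tag == "head")
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            for rel in (a.get("rel") or "").lower().split():  # rel may hold several tokens
                if rel in ("openid.server", "openid.delegate") and a.get("href"):
                    self.links.setdefault(rel, []).append(a["href"])

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def discover(claimed_id, html):
    """Return (provider_endpoint, identifier_to_assert); raise ValueError if unsafe."""
    finder = HeadLinks()
    finder.feed(html)
    servers = finder.links.get("openid.server", [])
    delegates = finder.links.get("openid.delegate", [])
    # Assumption (local policy, stricter than the protocol): exactly one
    # endpoint, at most one delegate, and the endpoint must be https.
    if len(servers) != 1 or len(delegates) > 1:
        raise ValueError("missing or ambiguous openid links")
    if urlparse(servers[0]).scheme != "https":
        raise ValueError("provider endpoint is not https")
    return servers[0], (delegates[0] if delegates else claimed_id)

# The delegation markup from the slide, with quotes restored; the <body> and
# its stray link are constructed to show that only <head> is trusted.
SAMPLE_HTML = """<html xmlns="http://www.w3.org/1999/xhtml"><head>
<title>David Recordon</title>
<link rel="openid.server" href="https://jpip.verisignlabs.com/server" />
<link rel="openid.delegate" href="https://recordond.jpip.verisignlabs.com" />
</head><body>
<link rel="openid.server" href="https://other.example/server" />
</body></html>"""
```

Without a delegate link, the identifier asserted to the provider is the claimed URL itself.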
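
Step 6 of "How Does it Work?" and the "Protocol Security" slide, as an added example that is not part of the original slides: the relying party recomputes the MAC over the signed fields with the shared secret from step 3, then rejects stale or repeated nonces. Assumptions: OpenID Authentication 2.0 field names with HMAC-SHA1, a five-minute freshness window chosen as local policy, and constructed sample values throughout.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone

# Fields an OpenID 2.0 positive assertion must cover with its signature.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}
MAX_SKEW = timedelta(minutes=5)  # assumption: local policy for nonce freshness

def sign(mac_key, params, signed_fields):
    # Key-value form: one "key:value\n" line per signed field, in list order.
    kv = "".join(f"{f}:{params['openid.' + f]}\n" for f in signed_fields)
    mac = hmac.new(mac_key, kv.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def verify_response(params, mac_key, seen_nonces, now):
    """Return (ok, reason) for a response signed under an established association."""
    signed = params.get("openid.signed", "").split(",")
    if not REQUIRED_SIGNED.issubset(signed):
        return False, "required field not signed"
    if any("openid." + f not in params for f in signed):
        return False, "signed field missing"
    expected = sign(mac_key, params, signed).encode()
    if not hmac.compare_digest(expected, params.get("openid.sig", "").encode()):
        return False, "bad signature"
    nonce = params["openid.response_nonce"]
    try:  # nonce = UTC timestamp followed by provider-chosen unique characters
        ts = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return False, "malformed nonce"
    if abs(now - ts.replace(tzinfo=timezone.utc)) > MAX_SKEW:
        return False, "stale nonce"
    if (params["openid.op_endpoint"], nonce) in seen_nonces:
        return False, "replayed nonce"
    seen_nonces.add((params["openid.op_endpoint"], nonce))
    return True, "ok"

def sample_response():
    # Constructed sample: key, URLs and handle are placeholders.
    key = b"constructed-mac-key!"
    p = {"openid.mode": "id_res",
         "openid.op_endpoint": "https://op.example/server",
         "openid.claimed_id": "https://user.example/",
         "openid.return_to": "https://rp.example/return",
         "openid.response_nonce": "2007-07-01T12:00:00Zabc123",
         "openid.assoc_handle": "h1",
         "openid.signed": "op_endpoint,claimed_id,return_to,response_nonce,assoc_handle"}
    p["openid.sig"] = sign(key, p, p["openid.signed"].split(","))
    return key, p
```

The signature is checked before the nonce is recorded, so unauthenticated responses cannot fill the nonce store.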