Overview:
David Recordon
drecordon@verisign.com
July 2007

Who am I?
David Recordon
VeriSign Employee since
May of 2006
OpenID Foundation
Vice-Chair
Co-Author of various
OpenID specifications
Past employee of
Six Apart, where
OpenID was created

Web 2.0

What is
Web 2.0?
Users in control
Data sharing
Social collaboration
Lightweight business models
Perpetual beta
Application platform
The Long Tail

The Long Tail

For the Economists
The 80% tail matters
Virtual shelf space is limitless
\"We sold more books today that didn't sell at
all yesterday than we sold today of all the
books that did sell yesterday.\"
Amazon.com
http://longtail.typepad.com/the_long_tail/2005/01/definitions_fin.html

For Everyone Else
Mass social networks vs. niché social
networks
Allows access to information that
otherwise would be \"unimportant\"
Delivered content vs. discovered content
Found be me
Recommended by my friends

What is OpenID?
Single sign-on for the web
Simple and light-weight
(not going to replace your bank card pin)
Easy to use and deploy
Built upon proven existing technologies
(DNS, HTTP, SSL/TLS, Diffie-Hellman)
Decentralized
(no single point of failure in the protocol)
Free!

An OpenID is a URI
URLs are globally unique
and ubiquitous
OpenID allows proving
ownership of an URI
People already have
identity at URLs via
blogs, photos, MySpace,
FaceBook, DAUM, etc

Problems it Solves
Too many usernames and passwords
or the lack of different passwords
Someone took my desired username
My online profile is spread across the
Internet without my control
and I can't benefit from it when I go
somewhere new
Account management is hard to do right

How Does it Work?

My OpenID
\"openid.server\" points to my OpenID Provider

1. Site fetches the HTML of my OpenID
2. Finds \"openid.server\"
3. Establishes a shared secret with the
Provider
4. Redirects my browser to the Provider
where I authenticate and allow the OpenID
login
5. Provider redirects my browser back to the
site with an OpenID response
6. Site verifies the signature and logs me in

O
M
E
Using OpenID
D

\"Hasn't this been done before?\"
Great for
Centralized Centralized
the enterprise

History

History 2005 & 2006
Created by Brad Fitzpatrick (Summer 2005)
Yadis Discovery protocol (Jan 2006)
VeriSign launches OpenID Provider (May)
Convergence with i-names (July)
Convergence with Sxip (Aug.)
$50,000 USD Developer Bounty (Aug.)
Technorati adopts OpenID (Oct.)
Tutorials by Simon Willison (Dec.)

History Q1 2007
Mozilla announces intent to support OpenID in FireFox 3
(Jan.)
Microsoft support expressed by Bill Gates and Craig Mundie
at RSA Conference keynote (Feb.)
AOL add OpenID to every one of their ~60M accounts
(Feb.)
Symantec announces upcoming OpenID products (Feb.)
Digg and NetVibes announce OpenID support (Feb.)
Wordpress.com and 37Signals adopt OpenID (March)
USA Today publishes OpenID article on the Money section
front-page (March)

History Q2 2007
Plone 3.0 ships with OpenID support (May)
Sun Microsystems adopts OpenID in enterprise product
and provides employees with OpenID (May)
livedoor adds OpenID support (May)
OpenID wins Next Web Award (June)
Leo Laporte and Steve Gibson discuss OpenID (June)
OpenID wins CNET Webware 100 award (June)
Atlassian (makers of enterprise wiki software) supports OpenID (June)
Drupal 6 ships with OpenID support (June)

The OpenID Foundation

The purpose of the OpenID Foundation is
to foster and promote the development
and adoption of OpenID as a framework
for user-centric identity on the Internet.

Founding Board
Scott Kveton David Recordon
Chair Vice-Chair
scott@kveton.com drecordon@verisign.com
Dick Hardt Martin Atkins
Treasurer Secretary
dick@sxip.com mart@degeneration.co.uk
Johannes Ernst Drummond Reed
jernst@netmesh.us drummond.reed@cordance.net
Bill Washburn
Artur Bergman
Executive Director
sky@crucially.net
bill@oidf.org

Current Efforts
Develop an IPR policy and process for OpenID
specifications to keep OpenID free and patent
unencumbered
Develop a trademark policy that supports the
extended OpenID community
Develop core messaging for OpenID and
websites oriented toward developers, users,
and other potential adopters
Coordinate World-wide joint marketing and
evangelism

Adoption Trends

~120 million OpenIDs
(including every AOL and livedoor user)
OpenID 1.1 - Estimated from various services

Total Relying Parties (aka places you can login with OpenID)
o
L
p
AO
y
Ex
nt
ou
0
&
2.
/B
T
SF
eb
ip
M
W
Sx
4,000
3,000
2,000
1,000
0
'05
ct
ov
ec
'06
b
ar
r
ay
e
ly
g
p
ct
ov
ec
'07
b
ar
r
ay
e
16
Ap
Ap
Au
n
n
Fe
Se
Fe
Ju
O
O
M
M
M
M
D
D
N
Ju
N
Ju
ly
p
Jan
Jan
Ju
Se
OpenID 1.1 - As viewed by MyOpenID.com

Key Benefits

Users
Fewer usernames and passwords to
remember
Ability to strongly protect your accounts
anywhere OpenID is accepted
Globally unique, \"is that the same David?\"
Ability to create a reputation that can be
taken with you from site to site
Ability to know where you've shared
information

Relying Parties
Simplified account creation
Users don't need to create a new password
Easy to ask for, or discover, profile information
Simplified account management
No more forgotten passwords
OpenID Provider specifics such as IM an
AOL OpenID user or know a Sun OpenID
user is a current employee

Creating an OpenID
English Korean Japanese
www.idtail.com
pip.VeriSignLabs.com www.myid.net
www.openid.ne.jp
MyOpenID.com www.idpia.com
www.ohmyid.com
http://openid.net/wiki/index.php/OpenIDServers

Done!
Time to create an OpenID:
~1 minute
and you may already have one

O
M
E
Creating an OpenID on
your own domain
D

Configure Delegation
(source of www.davidrecordon.com)
<html xmlns=\"http://www.w3.org/1999/xhtml\">
<head>
<title>David Recordon</title>
<style>
div {
text-align: center;
color: #C0C0C0;
}
img {
border: 0px;
}
a {
color: #C0C0C0;
}
</style>
<link rel=\"openid.server\" href=\"https://jpip.verisignlabs.com/server\" />
<link rel=\"openid.delegate\" href=\"https://recordond.jpip.verisignlabs.com\" />
</head>

Done!
Time to create an OpenID on your own domain:
~5 minutes

Security and Trust

Protocol Security
Use SSL correctly throughout the protocol
Protects against man-in-the-middle and
eavesdropping attacks
Generate strong MAC keys and re-negotiate
as needed
Used to verify data integrity and authenticity of
OpenID responses
Verify NONCEs
Protects against replay attacks

Trust
\"Trust first requires identity\" - Brad Fitzpatrick
OpenID does not tell you if a user
is good, bad, or even human
Challenge them via a CAPTCHA or
email verification
Use whitelists and blacklists
Ask someone else whom you trust

Scaling Up OpenID
OpenID Provider Authentication Policy
Extension, draft published June 2006
Relying Parties can ask for authentication
policies such as \"phishing resistant\" or
\"multi-factor\"
Providers can respond with policies the
user complied with, time since they
authenticated, and strength of the
credential(s) used per NIST guidelines

VeriSign's OpenID Provider
http://pip.verisignlabs.com

Substantial upgrade this week

Personal Identity Provider
Free OpenID Provider run by VeriSign
Support for OpenID 1.1 & 2.0
Strong security features
One-time password tokens
Microsoft CardSpace
Out-of-band authentication via SMS
Manage multiple OpenID URLs
Easily manage your profile information

Protect Your Account

Consumer strong authentication and
fraud detection network
Deployed for the likes of PayPal, eBay,
and Charles Schwab
Get one token and use it anywhere in
the network

VIP Protected Login

Manage Multiple OpenIDs

Manage Your Profile

Use Your Profile

VeriSign's OpenID SeatBelt
(an OpenID convenience and security add-on for Firefox)
works with

Phishing
An untrusted site redirects you
to your trusted provider
Not just a problem for OpenID,
but also for PayPal, Google Auth
and Checkout, Yahoo! BBAuth,
AOL OpenAuth

Passwords Can be Phished
Replace passwords
Tokens
SMS, Jabber, etc
Client Side Certificates
Mutual authentication
Microsoft CardSpace or Novell Bandit
Passwords are still widely used
Browsers have poor support for alternative means

SeatBelt
Provide contextual information
Am I currently logged in and if so as whom?
Is it safe to login?
Remove phishing opportunities
Login when my browser opens
Take me to my Provider if I'm not logged in
Protect against common attacks
Validate SSL certificates when interacting with my Provider
Watch where the RP is sending my browser

Provide Context

Remove Opportunities

Protect

Thanks!
Questions?
http://openid.net/
http://planet.openid.net/
David Recordon
Innovation
drecordon@verisign.com

Resources
http://www.notsorelevant.com/2007-04-26/five-articles-on-
openid-you-should-know/
http://www.intertwingly.net/blog/2007/01/03/OpenID-for-non-
SuperUsers
http://www.sixapart.com/about/news/2006/12/
openids_growing.html
http://blogs.zdnet.com/digitalID/?p=78
http://blogs.zdnet.com/digitalID/?p=85
http://dev.aol.com/openid-value-of-connnected-identity
http://www.usatoday.com/tech/webguide/internetlife/
2007-03-15-openid_N.htm