
    OpenID Bootcamp Tutorial

    From daveman692, 2 years ago

    Simon Willison and David Recordon's OpenID tutorial from O'Reilly's OSCON 07.

    92031 views | 7 comments | 57 favorites | 1395 downloads | 35 embeds

    Categories

    Technology

    Slideshow Transcript

    1. Slide 1: Bootcamp. Simon Willison (simonwillison.net, simon@simonwillison.net) and David Recordon (davidrecordon.com, drecordon@verisign.com). OSCON, July 24th, 2007
    2. Slide 2: Who are We? • David Recordon • VeriSign employee since May of 2006 • OpenID Foundation Vice-Chair • Co-author of various OpenID specifications • Past employee of Six Apart, where OpenID was created
    3. Slide 3: Who are We? • Simon Willison • Ex-Yahoo!, now freelance • “Europe’s first OpenID consultant” • Co-creator of the Django Web Framework
    4. Slide 4: The Plan • Basic concepts of OpenID • Hands on - Creating and using an OpenID • Adoption, history, and status • Security concerns • Break • Security solutions • Clever and creative hacks • OpenID in code • Q&A
    5. Slide 5: What is OpenID?
    6. Slide 6: OpenID is a decentralised mechanism for Single Sign On
    7. Slide 7: What problems does it solve?
    8. Slide 8: “Too many passwords!”
    9. Slide 9: “Someone else already grabbed my username”
    10. Slide 10: “My online profile is scattered across dozens of sites”
    11. Slide 11: What is an OpenID?
    12. Slide 12: An OpenID is a URI
    13. Slide 13: http://swillison.livejournal.com/
    14. Slide 14: http://simonw.myopenid.com/
    15. Slide 15: http://openid.aol.com/simonwillison/
    16. Slide 16: http://simonwillison.net/
    17. Slide 17: What can you do with an OpenID?
    18. Slide 18: You can claim that you own it
    19. Slide 19: You can prove that claim
    20. Slide 20: Why is that useful?
    21. Slide 21: You can use it for authentication
    22. Slide 22: “Who the heck are you?!” [screenshot: ExpoCal, the social calendar for Web 2.0 Expo (April 15-18, 2007), showing its login prompt]
    23. Slide 23: “I’m simonwillison.net”
    24. Slide 24: “prove it!” [screenshot: the same ExpoCal login prompt]
    25. Slide 25: (crypto happens)
    26. Slide 26: “OK, you’re in!” [screenshot: the same ExpoCal page, now logged in]
    27. Slide 27: So it’s a bit like Microsoft Passport, then?
    28. Slide 28: Yes, at a high level
    29. Slide 29: But you don’t need to ask Microsoft’s permission to implement it
    30. Slide 30: One organisation doesn’t get to own everyone’s credentials
    31. Slide 31: And the standard isn’t owned by any one company or group
    32. Slide 32: Who does get to own them?
    33. Slide 33: You, the user, decide.
    34. Slide 34: You pick your own provider
    35. Slide 35: (just like e-mail)
    36. Slide 36: So I’m still giving someone the keys to my kingdom?
    37. Slide 37: Yes, but it can be someone you trust
    38. Slide 38: If you have the ability to run your own server software, you can do it for yourself
    39. Slide 39: We'll show you how to do that a little later on
    40. Slide 40: OK, how do I use it?
    41. Slide 45: So my users don’t have to sign up for an account?
    42. Slide 46: Not necessarily
    43. Slide 47: An OpenID tells you very little about a user
    44. Slide 48: You don’t know their name
    45. Slide 49: You don’t know their e-mail address
    46. Slide 50: You don’t know if they’re a person or a spambot
    47. Slide 51: (or a dog)
    48. Slide 52: Where do I get that information from?
    49. Slide 53: You ask them!
    50. Slide 54: OpenID augments your regular sign-up process; it doesn't replace it
    51. Slide 55: The simple registration extension can help users fill out your registration form
    52. Slide 58: How can I tell if they’re an evil spambot?
    53. Slide 59: Same as usual: challenge them with a CAPTCHA
    54. Slide 60: botbouncer.com lets you outsource your CAPTCHAs
    55. Slide 62: So how does OpenID actually work?
    56. Slide 65: <link rel="openid.server" href="http://www.myopenid.com/server" />
    57. Slide 66: “I’m simonwillison.myopenid.com”
    58. Slide 67: Site fetches HTML, discovers identity provider
    59. Slide 68: Establishes shared secret with identity provider (Using Diffie-Hellman key exchange)
    60. Slide 69: Redirects you to the identity provider
    61. Slide 70: If you’re logged in there, you get redirected back
    62. Slide 71: How does my identity provider know who I am?
    63. Slide 72: OpenID deliberately doesn’t specify
    64. Slide 73: username/password is common
    65. Slide 74: But providers can use other methods if they want to
    66. Slide 75: Client SSL certificates
    67. Slide 76: Out of band authentication via SMS, e-mail or Jabber
    68. Slide 77: IP based login restrictions
    69. Slide 78: SecurID keyfobs
    70. Slide 79: The provider’s business is authentication: they can invest much more effort than regular sites
    71. Slide 80: It’s also possible for a provider to just say “yes” to every query
    72. Slide 81: Just say “yes”?
    73. Slide 82: http://www.jkg.in/openid/ does this
    74. Slide 83: Users can give away their passwords today - this is the OpenID equivalent
    75. Slide 84: It's similar to bugmenot.com
    76. Slide 85: What if I decide I hate my provider?
    77. Slide 86: Use your own domain name
    78. Slide 87: Delegate to a provider you trust
    79. Slide 90: <link rel="openid.server" href="http://www.livejournal.com/openid/server.bml"> <link rel="openid.delegate" href="http://swillison.livejournal.com/">
    80. Slide 91: This minimises lock in and ensures easy portability
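The relying-party steps from slides 65-70 (fetch the HTML, discover the provider, verify the signed response with the shared secret) and the delegation from slides 86-90, as an added Python example that is not part of the tutorial. The sample HTML page is constructed; the relying-party return URL and the 20-byte MAC key are placeholders standing in for the Diffie-Hellman association the slides mention.

```python
import base64, hashlib, hmac
from html.parser import HTMLParser

# Constructed sample: a personal page delegating to a LiveJournal OpenID (cf. slide 90).
DELEGATING_PAGE = """<html><head><title>Simon</title>
<link rel="openid.server" href="http://www.livejournal.com/openid/server.bml">
<link rel="openid.delegate" href="http://swillison.livejournal.com/">
</head></html>"""

class _LinkRels(HTMLParser):
    """Collect rel -> href for <link> tags (OpenID 1.1 HTML-based discovery)."""
    def __init__(self):
        super().__init__()
        self.rels = {}
    def handle_starttag(self, tag, attrs):
        if tag == "link":
            a = dict(attrs)
            for rel in (a.get("rel") or "").split():   # rel may list several tokens
                self.rels.setdefault(rel.lower(), a.get("href"))

def discover(claimed_id, html):
    """Return (server_url, identity_to_send). With openid.delegate the RP asks the
    server about the delegate URL but keeps claimed_id as the user's identity."""
    p = _LinkRels(); p.feed(html)
    if "openid.server" not in p.rels:
        raise ValueError("no openid.server link: not an OpenID 1.1 identifier")
    return p.rels["openid.server"], p.rels.get("openid.delegate", claimed_id)

def _token(params, signed):
    # OpenID 1.1 key-value form: "key:value\n" per field, in openid.signed order
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed)

def sign_assertion(mac_key, fields):
    """Provider side: sign an id_res with the association's shared MAC key (HMAC-SHA1)."""
    params = {"openid." + k: v for k, v in fields.items()}
    params["openid.signed"] = ",".join(fields)
    digest = hmac.new(mac_key, _token(params, list(fields)).encode(), hashlib.sha1).digest()
    params["openid.sig"] = base64.b64encode(digest).decode()
    return params

def verify_assertion(mac_key, params, identity_sent, return_to):
    """Relying-party side: the signature must cover mode, identity and return_to,
    those values must match what this RP sent, and the HMAC must check out."""
    signed = params.get("openid.signed", "").split(",")
    if not {"mode", "identity", "return_to"} <= set(signed):
        return False
    if params.get("openid.identity") != identity_sent or params.get("openid.return_to") != return_to:
        return False  # assertion about someone else, or one replayed from another site
    expected = hmac.new(mac_key, _token(params, signed).encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, base64.b64decode(params.get("openid.sig", "")))
```

The identity check matters with delegation: the provider asserts the delegate URL (here the LiveJournal one), and the relying party must compare against exactly what it sent before it lets the user log in as the claimed identifier.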
    81. Slide 92: So everyone will end up with one OpenID that they use for everything?
    82. Slide 93: Probably not
    83. Slide 94: (I have half a dozen OpenIDs already)
    84. Slide 95: People like maintaining multiple online personas
    85. Slide 96: professional, social, secret, ...
    86. Slide 97: OpenID makes it easier to manage multiple online personas
    87. Slide 98: Three accounts is still better than three dozen
    88. Slide 99: Some providers let you host multiple OpenIDs, or create a new one for every site you sign in to
    89. Slide 100: Why is OpenID worth implementing over all the other identity standards?
    90. Slide 101: It’s simple
    91. Slide 102: Unix philosophy: It solves one, tiny problem
    92. Slide 103: It’s a dumb network
    93. Slide 104: Many of the competing standards are now on board
    94. Slide 105: Isn’t putting all my eggs in one basket a really bad idea?
    95. Slide 106: Bad news: chances are you already do
    96. Slide 107: “I forgot my password” means your e-mail account is already an SSO mechanism
    97. Slide 108: OpenID just makes this a bit more obvious
    98. Slide 109: What about phishing?
    99. Slide 110: Phishing is a problem
    100. Slide 111: [screenshot: “I can has lolcats!?” site with a “Sign in with your OpenID” form; http://icanhascheezburger.com/2007/05/16/i-has-a-backpack/]
    101. Slide 112: Fake edition [screenshot: a page posing as “Your identity provider” asking “Username and password, please!” with a Log in button]
    102. Slide 113: Identity theft :(
    103. Slide 114: An untrusted site redirects you to your trusted provider
    104. Slide 115: Sound familiar?
    105. Slide 116: PayPal Yahoo! BBAuth Google Auth Google Checkout
    106. Slide 117: We'll talk about some potential solutions later
    107. Slide 118: Doesn’t this outsource the security of my users to untrusted third parties?
    108. Slide 119: Yes it does. But...
    109. Slide 120: ... so do “forgotten password” e-mails!
    110. Slide 121: If e-mail is secure enough for your users’ authentication, so is OpenID
    111. Slide 122: Password e-mails are essentially SSO with a bad user experience
    112. Slide 123: What are the privacy implications?
    113. Slide 124: Cross correlation of accounts
    114. Slide 125: Don’t publish a user’s OpenID without making it clear that you’re going to do that
    115. Slide 126: Allow users to opt-out of sharing their OpenID
    116. Slide 127: The online equivalent of a credit reporting agency?
    117. Slide 128: This could be built today by sites conspiring to share e-mail addresses
    118. Slide 129: IANAL, but legal protections against this already exist
    119. Slide 130: “Directed identity” in OpenID 2.0 makes it easy to use a different OpenID for every site
    120. Slide 131: Patents?
    121. Slide 132: Sun, VeriSign and JanRain have all announced “patent covenants”
    122. Slide 133: They won’t smack you down with their patents for using OpenID 1.1
    123. Slide 134: They will smack down anyone else who asserts their own patents against OpenID
    124. Slide 135: The OpenID Foundation is working on an IPR Policy
    125. Slide 136: Who else is involved?
    126. Slide 137: ~120M OpenIDs
    127. Slide 138: ~4200 RPs
    128. Slide 139: AOL - provider, full consumer very soon
    129. Slide 140: Microsoft: Bill Gates expressed their interest at