OpenID - What is it, and what does it mean to me?

What is it ... and what does it mean to me? David Orrell [email_address] 9 Aug 2007

What's this about?
Learn about what OpenID is.
See how web identity systems are changing.
Hopefully be convinced that it's a good thing!

What is OpenID?
“OpenID is an open, decentralized, free framework for user-centric digital identity.”
(from OpenID.net)
(...for the Web)
(...for Web 2.0)

What is an OpenID?
http://dno.myopenid.com
or
http://openid.eduserv.org.uk/dno

An OpenID is itself a web entity.

It's an identity system using Web technologies.

It's scalable.

It's scalable.
It's elegant and really simple!

Open and Decentralised
The 3 key qualities...

(1) No one provider holds key to the OpenID network.
A sustainable foundation to the system, with the user in control.

(2) Pervasively Open Source.
Providers don't have to worry about technology and vendor lock-in.

(3) Light-weight enough to be 'layered' with other technologies.

What's in an OpenID?
http:// dno.myopenid.com
me my identity provider

Why users should care...

A user can choose who holds their identity.

http://openid.net/wiki/index.php/OpenIDServers
lists around 60 providers.
Or your employer, college might provide one.
Why not run your own?

Users get single sign on between resources.
- common username
- common password
- sign on once
(or client certificates: MyOpenID / certifi.ca)

Users get single sign on between resources.
- common username
- common password
- sign on once
(or client certificates: MyOpenID / certifi.ca)
Their credentials are only stored by their identity provider(s).

Users can easily register for services.
OpenID has a 'simple registration extension'.

Easy registration for light-weight purposes, like posting comments on blogs.

Better than persistent cookies.

Better than persistent cookies.
Can associate an OpenID with an existing account.

Users can choose their identity
dno.myopenid.com
I'm not forced to use
'dno34562' at someconsumer.com and 'dno234' at someotherconumer.com

Users can choose their identity
dno.myopenid.com
I'm not forced to use
'dno34562' at someconsumer.com and 'dno234' at someotherconumer.com
Even better if I am my identity provider

OK, this sounds great, but...

A URL as an identity?
Isn't a URL a counter-intuitive form of identity?

A URL as an identity?
Isn't a URL a counter-intuitive form of identity?
Perhaps, but think of a blog, or MySpace... a URL is very much an identity.

A URL can imply more....
http://openid.eduserv.org.uk/dno
I am an employee of Eduserv

In theory, a URL says much more...

An OpenID is much richer than a username in what it can say (or imply) about a user.

An OpenID is much richer than a username in what it can say (or imply) about a user.
Can delegate your identity from any URL: eg. your blog.

An OpenID is globally unique so could form the basis of decentralised social networks. Add support for microformats... xfn, hCard, MicroID? Check out... http://microformats.org http://microid.org http://simonwillison.net

What about privacy?
Identity vs Privacy

What about privacy?
OpenID does not solve problems around privacy.
Again, keep in mind the context here: Web 2.0, social networks and the blogosphere.

Phishing
A 'bad' consumer can easily perform a phishing attack.
OpenID does not necessarily make things better or worse!

Set you identity provider as your homepage or a bookmark and sign in first.

Verisign PIP SeatBelt Firefox extension Firefox 3 to have 'OpenID support'

Trust!
2 schools of thought....
(though not necessarily mutually exclusive)

(1)
OpenID is what is it because it doesn't do trust.

(1)
Consumers and identity providers need no prior agreements.

(1)
Consumers and identity providers need no prior agreements.
Ad-hoc trust can still be achieved.

“This is not a trust system. Trust requires identity first.”
(from OpenID.net)

(2)
OpenID is simple and is there to be built on. Adding trust is a natural extension.

(2)
OpenID is simple and is there to be built on. Adding trust is a natural extension.
Consumers can white-list 'good' identity providers.

Relations with SAML/Shibboleth
Don't they address the same thing!

Can co-exist.

Can co-exist.
OpenID comes from a different angle, for different applications and for non-specific user-bases.

Open Standards and Patents
Patents => not so Open?

Open Standards and Patents
Patents => not so Open?
Sun, Verisign and JanRain have all issued patent-covenants: patents will not be enforced against implementations of OpenID.

So, who's using it? All AOL users have an OpenID (even if they don't know it). 63 million users. All 33 000 Sun employees.

digg.com announced support. General theme is that there are more providers than consumers.

http://openid.net (Specifications) http://www.openiddirectory.com/ (Directory of resources) http://www.openidenabled.com/ (OpenID implementations) [email_address]

OpenID - What is it, and what does it mean to me?

by david.orrell on Aug 12, 2007

Accessibility

Categories

Tags

Upload Details

Usage Rights

2 Embeds 5

Statistics

OpenID - What is it, and what does it mean to me? — Presentation Transcript

http://www.slideshare.net	3
http://www.davidorrell.net	2