0
Building the
Social Web with

        Simon Willison
 PyCon UK, 8th September 2007
Who here has used
   OpenID?
Who uses it regularly?
Four problems

• Usernames and passwords suck
• Signing up for new accounts is a pain
• My online identity exists in dozen...
Four problems
       (and their OpenID related solutions)


• Usernames and passwords suck
• Signing up for new accounts i...
Usernames and
passwords suck
“We want to make you aware that media of ours
that contained a backup of a portion of the reddit
 database was stolen rece...
Two lessons

• Don’t store plaintext passwords in
  your application’s database

• Don’t use the same password
  on more t...
The Web needs
Single Sign On
?
SSO with a single
controlling authority
betrays the principles
     of the Web
OpenID is a
decentralised mechanism
   for Single Sign On
An OpenID is a URL
http://swillison.livejournal.com/
http://simonw.myopenid.com/
http://simonwillison.net/
http://openid.aol.com/simonwillison/
The OpenID protocol
lets you prove that you
  own a specific URL
An OpenID can be used as
an authentication credential
“Who the heck are you?!”
“I’m simonwillison.net”
“prove it!”
(magic happens)
“OK, you’re in!”
Picking an OpenID is
 like picking an e-mail
provider - you find one
     that you trust
If you have the ability to
  run your own server
 software, you can do it
       for yourself
http://siege.org/projects/phpMyID/
So how do I use it?
So my users don’t
have to sign up for an
      account?
Not necessarily
An OpenID tells you
very little about a user
You don’t know
  their name
You don’t know
their e-mail address
You don’t know
if they’re a person
  or an evil robot
Where do I get that
information from?
You ask them!
OpenID can help them answer
So how does OpenID
    actually work?
<link rel=quot;openid.serverquot;
 href=quot;http://www.myopenid.com/serverquot; />
“I’m simonwillison.myopenid.com”
Site fetches HTML,
discovers identity provider
Establishes shared secret
 with identity provider
   (Using Diffie-Hellman key exchange)
Redirects you to the
 identity provider
If you’re logged in there,
you get redirected back
How does my identity
provider know who I am?
OpenID deliberately
  doesn’t specify
username/password
    is common
But providers can
use other methods if
    they want to
Client SSL certificates
Out of band
authentication via SMS,
   e-mail or Jabber
SecurID keyfobs
No authentication at all
   (just say “Yes”)
Just say “yes”?
Yup. That’s the OpenID
version of bugmenot.com
http://www.jkg.in/openid/
Users can give away
their passwords today -
this is just the OpenID
        equivalent
What if I decide I
hate my provider?
Use your own
domain name
Delegate to a
provider you trust
<link rel=quot;openid.serverquot;
 href=quot;http://www.livejournal.com/openid/server.bmlquot;>
<link rel=quot;openid.dele...
Support for delegation
  is compulsory
This minimises lock in
So everyone will end up
 with one OpenID that
they use for everything?
Probably not
(I have half a dozen
 OpenIDs already)
People like maintaining
multiple online personas
professional
   social
   secret
     ...
OpenID makes it easier
 to manage multiple
   online personas
Three accounts is still
better than three dozen
If an OpenID is a URL, is
there anything else interesting
       you can do with it?
Yes. Different OpenIDs can
  express different things
My AOL OpenID proves
 my AIM screen name
An OpenID from
 sun.com proves that
someone is a current
    Sun employee
A last.fm OpenID
could incorporate
my taste in music
My LiveJournal OpenID
tells you where to find
        my blog
OpenID and web
 service APIs naturally
complement each other
What about phishing?
Phishing is a problem
I can has lolcats!?                          BETA


Make your own lolcats! lol
Sign in with your OpenID:
OpenID:          ...
Fake edition
Your identity provider
Username and password, please!
 Username:
 Password:
                         Log in
Identity theft :(
An untrusted site
redirects you to your
  trusted provider
Sound familiar?
PayPal
 Yahoo! BBAuth
  Google Auth
Google Checkout
One solution: don’t let
the user log in on the
  identity provider
    “landing page”
Better solutions
CardSpace
Native browser
support for OpenID
(Firefox 3, Seatbelt)
Competition between
    providers
Doesn’t this outsource the
 security of my users to
 untrusted third parties?
Yes it does. But...
... so do “forgotten
password” e-mails!
If e-mail is secure
enough for your user’s
 authentication, so is
       OpenID
Password e-mails are
  just SSO with an
unavoidably bad user
     experience
Best practices for
OpenID consumers?
“I forgot my password”
becomes “I can’t sign in
    with my OpenID”
Allow multiple OpenIDs
to be associated with a
     single account
People can still sign
  in if one of their
 providers is down
People can un-associate
  an OpenID without
locking themselves out
You can take advantage
of site-specific services
 around each of their
        OpenIDs
What are the privacy
  implications?
Cross correlation of
     accounts
Don’t publish a user’s
OpenID without making
it clear that you’re going
        to do that
Allow users to opt-out
of sharing their OpenID
Any other neat tricks?
My online identity exists in
dozens of different places
I can use OpenID to tie
 these profiles together
Portable contact lists
Facebook (and others)
  currently ask for the
user’s webmail username
      and password
Lightweight accounts
Pre-approved accounts
Social whitelists
OpenID and
microformats
Identity projection
Decentralised social
    networks
“People keep asking me to join
 the LinkedIn network, but I’m
 already part of a network, it’s
      called the Internet.”...
An open alternative?
Who else is involved?
0
                875
                      1,750
                              2,625
                                    ...
How do I build it in to my
  Python application?
Open Source libraries
   from JanRain
OpenID


Smart hackers needed
http://openid.net/

  http://www.openidenabled.com/

http://simonwillison.net/tags/openid/
Thank you
Questions?
Building the Social Web with OpenID
Building the Social Web with OpenID
Building the Social Web with OpenID
Building the Social Web with OpenID
Building the Social Web with OpenID
Building the Social Web with OpenID
Building the Social Web with OpenID
Building the Social Web with OpenID
Building the Social Web with OpenID
Building the Social Web with OpenID
Building the Social Web with OpenID
Building the Social Web with OpenID
Building the Social Web with OpenID
Building the Social Web with OpenID
Building the Social Web with OpenID
Building the Social Web with OpenID
Building the Social Web with OpenID
Building the Social Web with OpenID
Building the Social Web with OpenID
Building the Social Web with OpenID
Building the Social Web with OpenID
Upcoming SlideShare
Loading in...5
×

Building the Social Web with OpenID

15,607

Published on

Slides from my keynote at PyCon UK 2007.

Published in: Technology
0 Comments
38 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
15,607
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
439
Comments
0
Likes
38
Embeds 0
No embeds

No notes for slide

Transcript of "Building the Social Web with OpenID"

  1. 1. Building the Social Web with Simon Willison PyCon UK, 8th September 2007
  2. 2. Who here has used OpenID?
  3. 3. Who uses it regularly?
  4. 4. Four problems • Usernames and passwords suck • Signing up for new accounts is a pain • My online identity exists in dozens of different places • Social software suffers from too much overhead
  5. 5. Four problems (and their OpenID related solutions) • Usernames and passwords suck • Signing up for new accounts is a pain • My online identity exists in dozens of different places • Social software suffers from too much overhead
  6. 6. Usernames and passwords suck
  7. 7. “We want to make you aware that media of ours that contained a backup of a portion of the reddit database was stolen recently [...] we wanted to alert you to the possibility that your username, password, and -- in some cases -- e-mail address may have been compromised. ” Steve Huffman, reddit.com
  8. 8. Two lessons • Don’t store plaintext passwords in your application’s database • Don’t use the same password on more than one site!
  9. 9. The Web needs Single Sign On
  10. 10. ?
  11. 11. SSO with a single controlling authority betrays the principles of the Web
  12. 12. OpenID is a decentralised mechanism for Single Sign On
  13. 13. An OpenID is a URL
  14. 14. http://swillison.livejournal.com/
  15. 15. http://simonw.myopenid.com/
  16. 16. http://simonwillison.net/
  17. 17. http://openid.aol.com/simonwillison/
  18. 18. The OpenID protocol lets you prove that you own a specific URL
  19. 19. An OpenID can be used as an authentication credential
  20. 20. “Who the heck are you?!”
  21. 21. “I’m simonwillison.net”
  22. 22. “prove it!”
  23. 23. (magic happens)
  24. 24. “OK, you’re in!”
  25. 25. Picking an OpenID is like picking an e-mail provider - you find one that you trust
  26. 26. If you have the ability to run your own server software, you can do it for yourself
  27. 27. http://siege.org/projects/phpMyID/
  28. 28. So how do I use it?
  29. 29. So my users don’t have to sign up for an account?
  30. 30. Not necessarily
  31. 31. An OpenID tells you very little about a user
  32. 32. You don’t know their name
  33. 33. You don’t know their e-mail address
  34. 34. You don’t know if they’re a person or an evil robot
  35. 35. Where do I get that information from?
  36. 36. You ask them!
  37. 37. OpenID can help them answer
  38. 38. So how does OpenID actually work?
  39. 39. <link rel=quot;openid.serverquot; href=quot;http://www.myopenid.com/serverquot; />
  40. 40. “I’m simonwillison.myopenid.com”
  41. 41. Site fetches HTML, discovers identity provider
  42. 42. Establishes shared secret with identity provider (Using Diffie-Hellman key exchange)
  43. 43. Redirects you to the identity provider
  44. 44. If you’re logged in there, you get redirected back
  45. 45. How does my identity provider know who I am?
  46. 46. OpenID deliberately doesn’t specify
  47. 47. username/password is common
  48. 48. But providers can use other methods if they want to
  49. 49. Client SSL certificates
  50. 50. Out of band authentication via SMS, e-mail or Jabber
  51. 51. SecurID keyfobs
  52. 52. No authentication at all (just say “Yes”)
  53. 53. Just say “yes”?
  54. 54. Yup. That’s the OpenID version of bugmenot.com
  55. 55. http://www.jkg.in/openid/
  56. 56. Users can give away their passwords today - this is just the OpenID equivalent
  57. 57. What if I decide I hate my provider?
  58. 58. Use your own domain name
  59. 59. Delegate to a provider you trust
  60. 60. <link rel=quot;openid.serverquot; href=quot;http://www.livejournal.com/openid/server.bmlquot;> <link rel=quot;openid.delegatequot; href=quot;http://swillison.livejournal.com/quot;>
  61. 61. Support for delegation is compulsory
  62. 62. This minimises lock in
  63. 63. So everyone will end up with one OpenID that they use for everything?
  64. 64. Probably not
  65. 65. (I have half a dozen OpenIDs already)
  66. 66. People like maintaining multiple online personas
  67. 67. professional social secret ...
  68. 68. OpenID makes it easier to manage multiple online personas
  69. 69. Three accounts is still better than three dozen
  70. 70. If an OpenID is a URL, is there anything else interesting you can do with it?
  71. 71. Yes. Different OpenIDs can express different things
  72. 72. My AOL OpenID proves my AIM screen name
  73. 73. An OpenID from sun.com proves that someone is a current Sun employee
  74. 74. A last.fm OpenID could incorporate my taste in music
  75. 75. My LiveJournal OpenID tells you where to find my blog
  76. 76. OpenID and web service APIs naturally complement each other
  77. 77. What about phishing?
  78. 78. Phishing is a problem
  79. 79. I can has lolcats!? BETA Make your own lolcats! lol Sign in with your OpenID: OpenID: Sign in http://icanhascheezburger.com/2007/05/16/i-has-a-backpack/
  80. 80. Fake edition Your identity provider Username and password, please! Username: Password: Log in
  81. 81. Identity theft :(
  82. 82. An untrusted site redirects you to your trusted provider
  83. 83. Sound familiar?
  84. 84. PayPal Yahoo! BBAuth Google Auth Google Checkout
  85. 85. One solution: don’t let the user log in on the identity provider “landing page”
  86. 86. Better solutions
  87. 87. CardSpace
  88. 88. Native browser support for OpenID (Firefox 3, Seatbelt)
  89. 89. Competition between providers
  90. 90. Doesn’t this outsource the security of my users to untrusted third parties?
  91. 91. Yes it does. But...
  92. 92. ... so do “forgotten password” e-mails!
  93. 93. If e-mail is secure enough for your user’s authentication, so is OpenID
  94. 94. Password e-mails are just SSO with an unavoidably bad user experience
  95. 95. Best practices for OpenID consumers?
  96. 96. “I forgot my password” becomes “I can’t sign in with my OpenID”
  97. 97. Allow multiple OpenIDs to be associated with a single account
  98. 98. People can still sign in if one of their providers is down
  99. 99. People can un-associate an OpenID without locking themselves out
  100. 100. You can take advantage of site-specific services around each of their OpenIDs
  101. 101. What are the privacy implications?
  102. 102. Cross correlation of accounts
  103. 103. Don’t publish a user’s OpenID without making it clear that you’re going to do that
  104. 104. Allow users to opt-out of sharing their OpenID
  105. 105. Any other neat tricks?
  106. 106. My online identity exists in dozens of different places
  107. 107. I can use OpenID to tie these profiles together
  108. 108. Portable contact lists
  109. 109. Facebook (and others) currently ask for the user’s webmail username and password
  110. 110. Lightweight accounts
  111. 111. Pre-approved accounts
  112. 112. Social whitelists
  113. 113. OpenID and microformats
  114. 114. Identity projection
  115. 115. Decentralised social networks
  116. 116. “People keep asking me to join the LinkedIn network, but I’m already part of a network, it’s called the Internet.” Gary McGraw, via Jon Udell, via Gavin Bell
  117. 117. An open alternative?
  118. 118. Who else is involved?
  119. 119. 0 875 1,750 2,625 3,500 Se p '05 O ct N ov D ec Jan '06 Fe b M ar Ap r M ay Ju ne Ju ly Au g Se p O ct N ov D ec Jan '07 Fe b Total Relying Parties M ar Ap r M ay Ju ne
  120. 120. How do I build it in to my Python application?
  121. 121. Open Source libraries from JanRain
  122. 122. OpenID Smart hackers needed
  123. 123. http://openid.net/ http://www.openidenabled.com/ http://simonwillison.net/tags/openid/
  124. 124. Thank you
  125. 125. Questions?
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×