• Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
15,443
On Slideshare
0
From Embeds
0
Number of Embeds
1

Actions

Shares
Downloads
437
Comments
0
Likes
38

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Building the Social Web with Simon Willison PyCon UK, 8th September 2007
  • 2. Who here has used OpenID?
  • 3. Who uses it regularly?
  • 4. Four problems • Usernames and passwords suck • Signing up for new accounts is a pain • My online identity exists in dozens of different places • Social software suffers from too much overhead
  • 5. Four problems (and their OpenID related solutions) • Usernames and passwords suck • Signing up for new accounts is a pain • My online identity exists in dozens of different places • Social software suffers from too much overhead
  • 6. Usernames and passwords suck
  • 7. “We want to make you aware that media of ours that contained a backup of a portion of the reddit database was stolen recently [...] we wanted to alert you to the possibility that your username, password, and -- in some cases -- e-mail address may have been compromised. ” Steve Huffman, reddit.com
  • 8. Two lessons • Don’t store plaintext passwords in your application’s database • Don’t use the same password on more than one site!
  • 9. The Web needs Single Sign On
  • 10. ?
  • 11. SSO with a single controlling authority betrays the principles of the Web
  • 12. OpenID is a decentralised mechanism for Single Sign On
  • 13. An OpenID is a URL
  • 14. http://swillison.livejournal.com/
  • 15. http://simonw.myopenid.com/
  • 16. http://simonwillison.net/
  • 17. http://openid.aol.com/simonwillison/
  • 18. The OpenID protocol lets you prove that you own a specific URL
  • 19. An OpenID can be used as an authentication credential
  • 20. “Who the heck are you?!”
  • 21. “I’m simonwillison.net”
  • 22. “prove it!”
  • 23. (magic happens)
  • 24. “OK, you’re in!”
  • 25. Picking an OpenID is like picking an e-mail provider - you find one that you trust
  • 26. If you have the ability to run your own server software, you can do it for yourself
  • 27. http://siege.org/projects/phpMyID/
  • 28. So how do I use it?
  • 29. So my users don’t have to sign up for an account?
  • 30. Not necessarily
  • 31. An OpenID tells you very little about a user
  • 32. You don’t know their name
  • 33. You don’t know their e-mail address
  • 34. You don’t know if they’re a person or an evil robot
  • 35. Where do I get that information from?
  • 36. You ask them!
  • 37. OpenID can help them answer
  • 38. So how does OpenID actually work?
  • 39. <link rel=quot;openid.serverquot; href=quot;http://www.myopenid.com/serverquot; />
  • 40. “I’m simonwillison.myopenid.com”
  • 41. Site fetches HTML, discovers identity provider
  • 42. Establishes shared secret with identity provider (Using Diffie-Hellman key exchange)
  • 43. Redirects you to the identity provider
  • 44. If you’re logged in there, you get redirected back
  • 45. How does my identity provider know who I am?
  • 46. OpenID deliberately doesn’t specify
  • 47. username/password is common
  • 48. But providers can use other methods if they want to
  • 49. Client SSL certificates
  • 50. Out of band authentication via SMS, e-mail or Jabber
  • 51. SecurID keyfobs
  • 52. No authentication at all (just say “Yes”)
  • 53. Just say “yes”?
  • 54. Yup. That’s the OpenID version of bugmenot.com
  • 55. http://www.jkg.in/openid/
  • 56. Users can give away their passwords today - this is just the OpenID equivalent
  • 57. What if I decide I hate my provider?
  • 58. Use your own domain name
  • 59. Delegate to a provider you trust
  • 60. <link rel=quot;openid.serverquot; href=quot;http://www.livejournal.com/openid/server.bmlquot;> <link rel=quot;openid.delegatequot; href=quot;http://swillison.livejournal.com/quot;>
  • 61. Support for delegation is compulsory
  • 62. This minimises lock in
  • 63. So everyone will end up with one OpenID that they use for everything?
  • 64. Probably not
  • 65. (I have half a dozen OpenIDs already)
  • 66. People like maintaining multiple online personas
  • 67. professional social secret ...
  • 68. OpenID makes it easier to manage multiple online personas
  • 69. Three accounts is still better than three dozen
  • 70. If an OpenID is a URL, is there anything else interesting you can do with it?
  • 71. Yes. Different OpenIDs can express different things
  • 72. My AOL OpenID proves my AIM screen name
  • 73. An OpenID from sun.com proves that someone is a current Sun employee
  • 74. A last.fm OpenID could incorporate my taste in music
  • 75. My LiveJournal OpenID tells you where to find my blog
  • 76. OpenID and web service APIs naturally complement each other
  • 77. What about phishing?
  • 78. Phishing is a problem
  • 79. I can has lolcats!? BETA Make your own lolcats! lol Sign in with your OpenID: OpenID: Sign in http://icanhascheezburger.com/2007/05/16/i-has-a-backpack/
  • 80. Fake edition Your identity provider Username and password, please! Username: Password: Log in
  • 81. Identity theft :(
  • 82. An untrusted site redirects you to your trusted provider
  • 83. Sound familiar?
  • 84. PayPal Yahoo! BBAuth Google Auth Google Checkout
  • 85. One solution: don’t let the user log in on the identity provider “landing page”
  • 86. Better solutions
  • 87. CardSpace
  • 88. Native browser support for OpenID (Firefox 3, Seatbelt)
  • 89. Competition between providers
  • 90. Doesn’t this outsource the security of my users to untrusted third parties?
  • 91. Yes it does. But...
  • 92. ... so do “forgotten password” e-mails!
  • 93. If e-mail is secure enough for your user’s authentication, so is OpenID
  • 94. Password e-mails are just SSO with an unavoidably bad user experience
  • 95. Best practices for OpenID consumers?
  • 96. “I forgot my password” becomes “I can’t sign in with my OpenID”
  • 97. Allow multiple OpenIDs to be associated with a single account
  • 98. People can still sign in if one of their providers is down
  • 99. People can un-associate an OpenID without locking themselves out
  • 100. You can take advantage of site-specific services around each of their OpenIDs
  • 101. What are the privacy implications?
  • 102. Cross correlation of accounts
  • 103. Don’t publish a user’s OpenID without making it clear that you’re going to do that
  • 104. Allow users to opt-out of sharing their OpenID
  • 105. Any other neat tricks?
  • 106. My online identity exists in dozens of different places
  • 107. I can use OpenID to tie these profiles together
  • 108. Portable contact lists
  • 109. Facebook (and others) currently ask for the user’s webmail username and password
  • 110. Lightweight accounts
  • 111. Pre-approved accounts
  • 112. Social whitelists
  • 113. OpenID and microformats
  • 114. Identity projection
  • 115. Decentralised social networks
  • 116. “People keep asking me to join the LinkedIn network, but I’m already part of a network, it’s called the Internet.” Gary McGraw, via Jon Udell, via Gavin Bell
  • 117. An open alternative?
  • 118. Who else is involved?
  • 119. 0 875 1,750 2,625 3,500 Se p '05 O ct N ov D ec Jan '06 Fe b M ar Ap r M ay Ju ne Ju ly Au g Se p O ct N ov D ec Jan '07 Fe b Total Relying Parties M ar Ap r M ay Ju ne
  • 120. How do I build it in to my Python application?
  • 121. Open Source libraries from JanRain
  • 122. OpenID Smart hackers needed
  • 123. http://openid.net/ http://www.openidenabled.com/ http://simonwillison.net/tags/openid/
  • 124. Thank you
  • 125. Questions?