Slideshow transcript
Slide 1: The implications of OpenID. Simon Willison, Google Tech Talk, 25th June 2007
Slide 2: Who here has used OpenID?
Slide 3: Who uses it regularly?
Slide 4: What is OpenID?
Slide 5: OpenID is a decentralised mechanism for Single Sign On
Slide 6: What problems does it solve?
Slide 7: “Too many passwords!”
Slide 8: “Someone else already grabbed my username”
Slide 9: “My online profile is scattered across dozens of sites”
Slide 10: What is an OpenID?
Slide 11: An OpenID is a URL
Slide 12: http://swillison.livejournal.com/
Slide 13: http://simonw.myopenid.com/
Slide 14: http://simonwillison.net/
Slide 15: http://openid.aol.com/simonwillison/
Slide 16: What can you do with an OpenID?
Slide 17: You can claim that you own it
Slide 18: You can prove that claim
Slide 19: Why is that useful?
Slide 20: You can use it for authentication
Slide 21: “Who the heck are you?!”
Slide 22: “I’m simonwillison.net”
Slide 23: “prove it!”
Slide 24: (magic happens)
Slide 25: “OK, you’re in!”
Slide 26: So it’s a bit like Microsoft Passport, then?
Slide 27: Yes, but you don’t need to ask their permission to implement it
Slide 28: And Microsoft don’t get to own your credentials
Slide 29: Who does get to own them?
Slide 30: You, the user, decide.
Slide 31: You pick your own provider
Slide 32: (just like e-mail)
Slide 33: So I’m still giving someone the keys to my kingdom?
Slide 34: Yes, but it can be someone you trust
Slide 35: If you have the ability to run your own server software, you can do it for yourself.
Slide 36: OK, how do I use it?
Slide 42: So my users don’t have to sign up for an account?
Slide 43: Not necessarily
Slide 44: An OpenID tells you very little about a user
Slide 45: You don’t know their name
Slide 46: You don’t know their e-mail address
Slide 47: You don’t know if they’re a person or an evil robot
Slide 48: (or a dog)
Slide 49: Where do I get that information from?
Slide 50: You ask them!
Slide 51: OpenID can even help them answer
Slide 56: How can I tell if they’re an evil spambot?
Slide 57: Same as usual: challenge them with a CAPTCHA
Slide 58: So how does OpenID actually work?
Slide 61: <link rel="openid.server" href="http://www.myopenid.com/server" />
Slide 62: “I’m simonwillison.myopenid.com”
Slide 63: Site fetches HTML, discovers identity provider
Slide 64: Establishes shared secret with identity provider (using Diffie-Hellman key exchange)
Slide 65: Redirects you to the identity provider
Slide 66: If you’re logged in there, you get redirected back
Slide 67: How does my identity provider know who I am?
Slide 68: OpenID deliberately doesn’t specify
Slide 69: username/password is common
Slide 70: But providers can use other methods if they want to
Slide 71: Client SSL certificates
Slide 72: Out of band authentication via SMS, e-mail or Jabber
Slide 73: IP based login restrictions
Slide 74: (one guy set that up using DynDNS)
Slide 75: SecurID keyfobs
Slide 76: No authentication at all (just say “Yes”)
Slide 77: Just say “yes”?
Slide 78: Yup. That’s the OpenID version of bugmenot.com
Slide 79: http://www.jkg.in/openid/
Slide 80: Users can give away their passwords today - this is just the OpenID equivalent
Slide 81: What if I decide I hate my provider?
Slide 82: Use your own domain name
Slide 83: Delegate to a provider you trust
Slide 86: <link rel="openid.server" href="http://www.livejournal.com/openid/server.bml"> <link rel="openid.delegate" href="http://swillison.livejournal.com/">
Slide 87: Support for delegation is compulsory
Slide 88: This minimises lock-in
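The discovery step from slides 61-66 and the delegation step from slides 86-88, as an added example that is not Simon's code or any OpenID library's: a minimal OpenID 1.1 HTML discovery routine for a consumer. The function name `discover` is a hypothetical helper; the sample pages are constructed from the two `<link>` tags shown on the slides. The consumer asserts the `openid.delegate` URL to the provider when one is declared (that is what lets you move providers without changing your OpenID), and it refuses any endpoint that is not an absolute http(s) URL, since the user's browser is about to be redirected there.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _OpenIDLinkCollector(HTMLParser):
    """Collect openid.server / openid.delegate <link> tags (first of each wins)."""

    def __init__(self):
        super().__init__()
        self.found = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attrs = dict(attrs)
        href = attrs.get("href")
        if not href:
            return
        for rel in (attrs.get("rel") or "").lower().split():
            if rel in ("openid.server", "openid.delegate"):
                self.found.setdefault(rel, href.strip())


def discover(claimed_url, html):
    """OpenID 1.1 HTML discovery for a consumer (hypothetical helper name).
    Returns the provider endpoint plus the identity to assert: the
    openid.delegate URL when the page declares one, else claimed_url."""
    parser = _OpenIDLinkCollector()
    parser.feed(html)
    parser.close()
    server = parser.found.get("openid.server")
    if server is None:
        raise ValueError("no openid.server link found at %s" % claimed_url)
    identity = parser.found.get("openid.delegate", claimed_url)
    # The consumer will redirect the user's browser to these URLs, so accept
    # only absolute http(s) endpoints (never javascript:, data:, relative paths).
    for url in (server, identity):
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            raise ValueError("refusing non-http(s) OpenID URL: %r" % url)
    return {"server": server, "identity": identity}


# Constructed sample pages carrying the two <link> examples from the slides.
MYOPENID_PAGE = ('<html><head><link rel="openid.server" '
                 'href="http://www.myopenid.com/server" /></head></html>')
DELEGATING_PAGE = ('<html><head><link rel="openid.server" '
                   'href="http://www.livejournal.com/openid/server.bml">'
                   '<link rel="openid.delegate" '
                   'href="http://swillison.livejournal.com/"></head></html>')
```

Calling `discover("http://simonwillison.net/", DELEGATING_PAGE)` yields the LiveJournal endpoint with `http://swillison.livejournal.com/` as the identity, which is exactly the delegation on slide 86.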
Slide 89: So everyone will end up with one OpenID that they use for everything?
Slide 90: Probably not
Slide 91: (I have half a dozen OpenIDs already)
Slide 92: People like maintaining multiple online personas
Slide 93: professional, social, secret ...
Slide 94: OpenID makes it easier to manage multiple online personas
Slide 95: Three accounts is still better than three dozen
Slide 96: If an OpenID is just a URL, is there anything else interesting you can do with it?
Slide 97: Yes. Different OpenIDs can express different things
Slide 98: My AOL OpenID proves my AIM screen name
Slide 99: An OpenID from sun.com proves that someone is a current Sun employee
Slide 100: A last.fm OpenID could incorporate my taste in music
Slide 101: My LiveJournal OpenID tells you where to find my blog
Slide 102: ... and a FOAF file listing my friends
Slide 103: doxory.com uses this for contact imports
Slide 104: Why is OpenID worth implementing over all the other identity standards?
Slide 105: It’s simple
Slide 106: Unix philosophy: It solves one, tiny problem
Slide 107: It’s a dumb network
Slide 108: Many of the competing standards are now on board
Slide 109: Isn’t putting all my eggs in one basket a really bad idea?
Slide 110: Bad news: chances are you already do
Slide 111: “I forgot my password” means your e-mail account is already an SSO mechanism
Slide 112: OpenID just makes this a bit more obvious
Slide 113: What about phishing?
Slide 114: Phishing is a problem
Slide 115: (screenshot of a lolcat site, “I can has lolcats!? BETA”, with a “Sign in with your OpenID” form; http://icanhascheezburger.com/2007/05/16/i-has-a-backpack/)
Slide 116: (screenshot of a fake provider page, “Your identity provider, Fake edition”, asking for username and password)
Slide 117: Identity theft :(
Slide 118: An untrusted site redirects you to your trusted provider
Slide 119: Sound familiar?
Slide 120: PayPal, Yahoo! BBAuth, Google Auth, Google Checkout
Slide 121: You guys already need to solve that problem!
Slide 122: One solution: don’t let the user log in on the identity provider “landing page”
Slide 124: Better solutions
Slide 125: CardSpace
Slide 126: Native browser support for OpenID (e.g. SeatBelt)
Slide 127: Competition between providers
Slide 128: Permanent cookie set using out-of-band token
Slide 129: Best practices for OpenID consumers?
Slide 130: “I forgot my password” becomes “I can’t sign in with my OpenID”
Slide 131: Allow multiple OpenIDs to be associated with a single account
Slide 132: People can still sign in if one of their providers is down
Slide 133: People can un-associate an OpenID without locking themselves out
Slide 134: You can take advantage of site-specific services around each of their OpenIDs
Slide 135: Any other neat tricks?
Slide 136: Portable contact lists
Slide 137: Facebook (and others) currently ask for the user’s Google username and password
Slide 138: I don’t need to tell you why that’s a horrible idea
Slide 139: Lightweight accounts
Slide 140: Pre-approved accounts
Slide 141: Social whitelists
Slide 142: OpenID and microformats
Slide 143: Decentralised social networks?
Slide 144: “People keep asking me to join the LinkedIn network, but I’m already part of a network, it’s called the Internet.” Gary McGraw, via Jon Udell, via Gavin Bell
Slide 145: Doesn’t this outsource the security of my users to untrusted third parties?
Slide 146: Yes it does. But...
Slide 147: ... so do “forgotten password” e-mails!
Slide 148: If e-mail is secure enough for your users’ authentication, so is OpenID
Slide 149: Password e-mails are essentially SSO with a deliberately bad user experience
Slide 150: What are the privacy implications?
Slide 151: Cross correlation of accounts
Slide 152: Don’t publish a user’s OpenID without making it clear that you’re going to do that
Slide 153: Allow users to opt-out of sharing their OpenID
Slide 154: The online equivalent of a credit reporting agency?
Slide 155: This could be built today by sites conspiring to share e-mail addresses
Slide 156: IANAL, but legal protections against this already exist
Slide 157: “Directed identity” in OpenID 2.0 makes it easy to use a different OpenID for every site
Slide 158: Patents?
Slide 159: Sun and VeriSign have both announced “patent covenants”
Slide 160: They won’t smack you down with their patents for using OpenID 1.1
Slide 161: They will smack down anyone else who asserts their own patents against OpenID
Slide 162: Who else is involved?
Slide 163: (Slide borrowed from David Recordon)
Slide 164: AOL - provider, full consumer by end of July
Slide 165: Microsoft: Bill Gates expressed their interest at the RSA conference
Slide 166: (mainly as good PR for CardSpace?)
Slide 167: Sun: Patent Covenant, 33,000 employees
Slide 168: Six Apart
Slide 169: VeriSign
Slide 170: JanRain
Slide 171: Yahoo! - indirectly
Slide 173: Google?
Slide 174: http://openid.net/ http://www.openidenabled.com/ http://simonwillison.net/tags/openid/
Slide 175: Thank you