and decentralised
social networks
Simon Willison
Webstock
15th February 2008

One year ago...

A OL Supports OpenID
Symantec Unveils Cons
umer
Identity Strategy
O penID Gets a Boost
Fr om Mic rosoft

The last few weeks...

OpenID announces powerhouse
boa rd: MSFT, GOOG, IBM, others
Yahoo! backs! OpenID!
oundatio n Co-opts
OpenID F
icrosoft A nd Yahoo
Google, M

Decentralised social networks
or
who will save us from
?
http://www.flickr.com/photos/87846746@N00/2235550137/

The username and
password problem

What’s my password again?
What’s my
username again?

The Web needs
Single Sign On

?

?
Windows
Live ID

SSO with a single
controlling authority
betrays the principles
of the Web

OpenID is a
decentralised mechanism
for Single Sign On

It’s like e-mail - no one
company controls it, but
users with different e-
mail providers can still
talk to each other

An OpenID is a URL
(an identifier)

http://swillison.livejournal.com/

http://simonw.myopenid.com/

http://simonwillison.net/

http://openid.aol.com/simonwillison/

URLs are globally unique

The OpenID protocol
lets you prove that you
own a specific URL

Which means an OpenID
can be used as an
authentication credential

“Who are you?”

“I’m simonwillison.net”

“prove it!”

(magic happens)

“OK, you’re in!”

Picking an OpenID is
like picking an e-mail
provider - you find a
company that you trust

Or if you have the ability
to run your own server
software, you can do it
for yourself

(mobile phones can run
web servers now)

How to use OpenID

? What happens to
my organisation’s
user account database?

OpenID augments
existing account
mechanisms; it does not
replace them

The first time you see a
specific OpenID, you create
an account for that user

OpenID can even help users
create their initial profile

OpenID 1.1: Simple Registration
OpenID 2.0: Attribute Exchange

?
So how does OpenID
actually work?

<link rel=\"openid.server\"
href=\"http://www.myopenid.com/server\" />

“I’m simonwillison.myopenid.com”

Site fetches HTML,
discovers identity provider

Establishes shared secret
with identity provider
(Using Diffie-Hellman key exchange)

Redirects you to the
identity provider

If you’re logged in there,
you get redirected back

(Discovery in OpenID 2.0 is
more complicated, but the
concept is much the same)

? How does my identity
provider know who I am?

OpenID deliberately
doesn’t specify

username/password
is the most common

But providers can
use other methods if
they want to

Client SSL certificates

Out of band
authentication via SMS,
e-mail or Jabber

Hardware tokens

Vidoop.com

?Will everyone end up
with one OpenID that
they use for everything?

Almost certainly not

(I have half a dozen
OpenIDs already)

People like maintaining
multiple online personas

professional
social
secret
...

OpenID makes it easier
to manage multiple
online personas

Three accounts is much
better than three dozen

An OpenID provider
can provide more than
just an OpenID

My AOL OpenID
incorporates my AIM
screen name

An OpenID from
sun.com proves that
someone is a current
Sun employee

An OpenID from a
university can assert my
staff/student status

Some providers might
even provide guarantees
that OpenIDs belong to
specific people

Problems with OpenID

Phishing

lolcats ‘r’ us
Sign in with your OpenID for even more lolcats!
OpenID: Sign in
http://www.flickr.com/photos/earthandeden/395466458/
http://www.flickr.com/photos/endbradley/306280569/
http://www.flickr.com/photos/duygu/115528187/

Fake edition
Your identity provider
Username and password, please!
Username:
Password:
Log in

Your account
gets stolen

An untrusted site
redirects you to your
trusted provider

PayPal
Google Checkout
Yahoo!, Flickr, Facebook

One solution: don’t let
the user log in on the
identity provider
“landing page”

Better solutions

Yahoo! sign-in seal

VeriSign SeatBelt (a browser extension)

Windows CardSpace

Competition between
providers on security

? Outsourcing the
security of your users
to a third party

OpenID is functionally
equivalent to a lost password
e-mail mechanism

If e-mail is secure enough for
your user’s authentication,
then so is OpenID

In other cases, a whitelist
of trusted providers may
make sense

Usability challenges

Many people have
no idea what a URL is

(but they do know where
their MySpace page is)

OpenID 2.0 introduces
directed identity

Linking identities
together

Identity projection

Upcoming
last.fm

XFN rel=\"me\" lets me
publicly point to my
accounts on other services

Portable contact lists

I don’t want to have to re-
add my friends on every
social application I use

But... I don’t want to
automatically add my
high school friends to a
business network

The correct model is
pick-from-import:
show me a list of options
and let me decide

The state of the art in
contact import is asking
for the user’s webmail
password
The contact import anti-pattern

The good way: XFN and FOAF
Public data, already published

The Google Social Graph API

A safe way to import
private contacts?

oauth.net

Completing our
decentralised social
network

The Facebook news feed

Flickr photos from your contacts

Your Twitter friends

Decentralised news feed?

XMPP
(Jabber)

We have the ingredients
• OpenID
• OAuth
• XFN and FOAF
• XMPP
Now we just need to make the pie

People of Webstock!
• Go forth and implement OpenID
• Support these emerging standards
• Set your users free

http://openid.net/
http://www.openidenabled.com/
http://simonwillison.net/tags/openid/