OpenID and decentralised social networks

    OpenID and decentralised social networks - Presentation Transcript

    1. OpenID and decentralised social networks. Simon Willison, Webstock, 15th February 2008
    2. One year ago...
    3. (headlines) "AOL Supports OpenID"; "Symantec Unveils Consumer Identity Strategy"; "OpenID Gets a Boost From Microsoft"
    4. The last few weeks...
    5. (headlines) "OpenID announces powerhouse board: MSFT, GOOG, IBM, others"; "Yahoo! backs OpenID"; "OpenID Foundation Co-opts Google, Microsoft And Yahoo"
    6. Decentralised social networks, or who will save us from [image]? (photo: http://www.flickr.com/photos/87846746@N00/2235550137/)
    7. The username and password problem
    8. What’s my password again? What’s my username again?
    9. The Web needs Single Sign On
    10. ?
    11. ? Windows Live ID
    12. SSO with a single controlling authority betrays the principles of the Web
    13. OpenID is a decentralised mechanism for Single Sign On
    14. It’s like e-mail - no one company controls it, but users with different e-mail providers can still talk to each other
    15. An OpenID is a URL (an identifier)
    16. http://swillison.livejournal.com/
    17. http://simonw.myopenid.com/
    18. http://simonwillison.net/
    19. http://openid.aol.com/simonwillison/
    20. URLs are globally unique
    21. The OpenID protocol lets you prove that you own a specific URL
    22. Which means an OpenID can be used as an authentication credential
    23. “Who are you?”
    24. “I’m simonwillison.net”
    25. “prove it!”
    26. (magic happens)
    27. “OK, you’re in!”
    28. Picking an OpenID is like picking an e-mail provider - you find a company that you trust
    29. Or if you have the ability to run your own server software, you can do it for yourself
    30. (mobile phones can run web servers now)
    31. How to use OpenID
    32. ? What happens to my organisation’s user account database?
    33. OpenID augments existing account mechanisms; it does not replace them
    34. The first time you see a specific OpenID, you create an account for that user
    35. OpenID can even help users create their initial profile
    36. OpenID 1.1: Simple Registration; OpenID 2.0: Attribute Exchange
    37. ? So how does OpenID actually work?
    38. <link rel="openid.server" href="http://www.myopenid.com/server" />
    39. “I’m simonwillison.myopenid.com”
    40. Site fetches HTML, discovers identity provider
    41. Establishes shared secret with identity provider (Using Diffie-Hellman key exchange)
    42. Redirects you to the identity provider
    43. If you’re logged in there, you get redirected back
    44. (Discovery in OpenID 2.0 is more complicated, but the concept is much the same)
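    The four steps on slides 38 to 44, as an added example that is not from the talk: a minimal OpenID 1.1 relying party in Python that discovers the provider from the `<link rel="openid.server">` tag, builds the checkid_setup redirect, and verifies the provider's signed id_res response when the browser comes back. The Diffie-Hellman association is assumed to have already produced a MAC key and association handle (both constructed here), the identity page and the provider's reply are constructed inline, and the relying-party hostname (lolcats.example) is hypothetical. It also applies the "whitelist of trusted providers" that slide 81 suggests, to the discovered endpoint, before any redirect happens.

```python
import base64
import hashlib
import hmac
import secrets
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


class _LinkFinder(HTMLParser):
    """Collect <link rel=... href=...> pairs from an identity page (OpenID 1.1 discovery)."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        if a.get("rel") and a.get("href"):
            for rel in a["rel"].lower().split():
                self.links.setdefault(rel, a["href"])


def discover(claimed_id, html, trusted_providers=None):
    """Return (server_url, identity) from the HTML at the claimed URL.

    openid.delegate is optional: a URL you control may point at an identity hosted
    elsewhere (simonwillison.net delegating to myopenid.com). trusted_providers is the
    whitelist of endpoints this relying party is willing to outsource authentication to.
    """
    finder = _LinkFinder()
    finder.feed(html)
    server = finder.links.get("openid.server")
    if server is None:
        raise ValueError('no <link rel="openid.server"> on ' + claimed_id)
    if trusted_providers is not None and server not in trusted_providers:
        raise ValueError("provider not on the whitelist: " + server)
    return server, finder.links.get("openid.delegate", claimed_id)


def checkid_setup_url(server, identity, assoc_handle, return_to, trust_root):
    """The redirect to the provider. return_to carries our own nonce (see verify_response)."""
    params = {
        "openid.mode": "checkid_setup",
        "openid.identity": identity,
        "openid.assoc_handle": assoc_handle,
        "openid.return_to": return_to,
        "openid.trust_root": trust_root,
    }
    parts = urlsplit(server)
    query = (parts.query + "&" if parts.query else "") + urlencode(params)
    return urlunsplit(parts._replace(query=query))


def sign(mac_key, fields, signed):
    """OpenID 1.1 signature: base64(HMAC-SHA1(mac_key, "name:value\\n" for each signed field))."""
    token = "".join("%s:%s\n" % (n, fields.get("openid." + n, "")) for n in signed)
    return base64.b64encode(hmac.new(mac_key, token.encode(), hashlib.sha1).digest()).decode()


def verify_response(params, mac_key, assoc_handle, identity, return_to, used_nonces):
    """Validate the provider's reply (slide 43). Returns the verified identity URL, or None."""
    if params.get("openid.mode") != "id_res":
        return None  # cancel or error: the user is not logged in
    signed = params.get("openid.signed", "").split(",")
    if not {"mode", "identity", "return_to"} <= set(signed):
        return None  # anything outside the signature could have been edited in transit
    if params.get("openid.assoc_handle") != assoc_handle:
        return None  # not our association; a full RP would fall back to check_authentication
    if not hmac.compare_digest(sign(mac_key, params, signed), params.get("openid.sig", "")):
        return None  # forged or tampered
    if params.get("openid.identity") != identity or params.get("openid.return_to") != return_to:
        return None  # provider must assert exactly the identity discovery gave us, to our URL
    nonce = dict(parse_qsl(urlsplit(return_to).query)).get("nonce")
    if nonce is None or nonce in used_nonces:
        return None  # 1.1 has no response nonce, so our nonce in return_to is the replay guard
    used_nonces.add(nonce)
    return identity


def demo():
    """End-to-end run on constructed data; the association step is stubbed with a random key."""
    claimed = "http://simonwillison.net/"
    page = ('<html><head>'
            '<link rel="openid.server" href="http://www.myopenid.com/server" />'
            '<link rel="openid.delegate" href="http://simonw.myopenid.com/" />'
            '</head></html>')
    server, identity = discover(claimed, page, trusted_providers={"http://www.myopenid.com/server"})
    mac_key = secrets.token_bytes(20)        # would come from the Diffie-Hellman association
    handle = "{HMAC-SHA1}{example-assoc}"    # constructed association handle
    return_to = "http://lolcats.example/openid/return?nonce=" + secrets.token_urlsafe(16)
    url = checkid_setup_url(server, identity, handle, return_to, "http://lolcats.example/")

    # Simulated provider: the user is logged in there, so it signs an assertion and redirects back.
    reply = {"openid.mode": "id_res", "openid.identity": identity, "openid.return_to": return_to,
             "openid.assoc_handle": handle, "openid.signed": "mode,identity,return_to"}
    reply["openid.sig"] = sign(mac_key, reply, reply["openid.signed"].split(","))

    used = set()
    first = verify_response(reply, mac_key, handle, identity, return_to, used)   # the real login
    replay = verify_response(reply, mac_key, handle, identity, return_to, used)  # same reply again
    forged = dict(reply, **{"openid.identity": "http://someone-else.myopenid.com/"})
    tampered = verify_response(forged, mac_key, handle, identity, return_to, set())
    return url, first, replay, tampered


if __name__ == "__main__":
    print(demo())
```

    The checks a relying party cannot skip are the ones that make "(magic happens)" safe: the signature has to cover identity and return_to, the asserted identity has to be exactly the one discovery produced (otherwise a provider could assert any URL it liked), and because OpenID 1.1 has no response nonce the relying party must put its own nonce in return_to and refuse a second presentation of the same reply.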
    45. ? How does my identity provider know who I am?
    46. OpenID deliberately doesn’t specify
    47. username/password is the most common
    48. But providers can use other methods if they want to
    49. Client SSL certificates
    50. Out of band authentication via SMS, e-mail or Jabber
    51. Hardware tokens
    52. Vidoop.com
    53. ? Will everyone end up with one OpenID that they use for everything?
    54. Almost certainly not
    55. (I have half a dozen OpenIDs already)
    56. People like maintaining multiple online personas
    57. professional, social, secret, ...
    58. OpenID makes it easier to manage multiple online personas
    59. Three accounts is much better than three dozen
    60. An OpenID provider can provide more than just an OpenID
    61. My AOL OpenID incorporates my AIM screen name
    62. An OpenID from sun.com proves that someone is a current Sun employee
    63. An OpenID from a university can assert my staff/student status
    64. Some providers might even provide guarantees that OpenIDs belong to specific people
    65. Problems with OpenID
    66. Phishing
    67. (mock-up of a phishing site) lolcats ‘r’ us: “Sign in with your OpenID for even more lolcats!” OpenID: [____] [Sign in] (photos: http://www.flickr.com/photos/earthandeden/395466458/ http://www.flickr.com/photos/endbradley/306280569/ http://www.flickr.com/photos/duygu/115528187/)
    68. (fake edition of) Your identity provider: “Username and password, please!” Username: [____] Password: [____] [Log in]
    69. Your account gets stolen
    70. An untrusted site redirects you to your trusted provider
    71. PayPal, Google Checkout, Yahoo!, Flickr, Facebook
    72. One solution: don’t let the user log in on the identity provider “landing page”
    73. Better solutions
    74. Yahoo! sign-in seal
    75. VeriSign SeatBelt (a browser extension)
    76. Windows CardSpace
    77. Competition between providers on security
    78. ? Outsourcing the security of your users to a third party
    79. OpenID is functionally equivalent to a lost password e-mail mechanism
    80. If e-mail is secure enough for your users’ authentication, then so is OpenID
    81. In other cases, a whitelist of trusted providers may make sense
    82. Usability challenges
    83. Many people have no idea what a URL is
    84. (but they do know where their MySpace page is)
    85. OpenID 2.0 introduces directed identity
    86. Linking identities together
    87. Identity projection
    88. Upcoming last.fm
    89. XFN rel="me" lets me publicly point to my accounts on other services
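    An added example, not from the talk, of what a consumer of XFN rel="me" links has to do before believing them: a page saying "I am also X" is only a claim, since anyone can put rel="me" on a link to someone else's URL, so a link is worth trusting only when X links back. The code builds the claimed graph from a set of fetched pages and keeps only the reciprocal edges. The pages are constructed; every URL except simonwillison.net is hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _RelMeFinder(HTMLParser):
    """Collect href values of <a> and <link> elements carrying rel="me"."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        a = dict(attrs)
        rels = (a.get("rel") or "").lower().split()  # rel is space-separated, e.g. "me friend"
        if "me" in rels and a.get("href"):
            self.hrefs.append(a["href"])


def normalise(url):
    """Canonical key: lower-case scheme and host, no trailing slash, no query or fragment.
    Without this, http://simonwillison.net and http://simonwillison.net/ never match."""
    p = urlsplit(url.strip())
    return "%s://%s%s" % (p.scheme.lower(), p.netloc.lower(), p.path.rstrip("/"))


def rel_me_targets(page_url, html):
    """Set of normalised URLs that page_url claims as 'me' (links to itself dropped)."""
    finder = _RelMeFinder()
    finder.feed(html)
    return {normalise(h) for h in finder.hrefs} - {normalise(page_url)}


def identity_graph(pages):
    """pages maps URL -> fetched HTML. Returns (claimed, confirmed) edge sets.
    An edge is confirmed only when the target page links back with rel="me"."""
    claimed = set()
    for url, html in pages.items():
        src = normalise(url)
        claimed.update((src, dst) for dst in rel_me_targets(url, html))
    confirmed = {(a, b) for (a, b) in claimed if (b, a) in claimed}
    return claimed, confirmed


def confirmed_identities(pages, start):
    """Everything reachable from `start` over confirmed (reciprocal) edges only."""
    _, confirmed = identity_graph(pages)
    seen = {normalise(start)}
    stack = [normalise(start)]
    while stack:
        cur = stack.pop()
        for a, b in confirmed:
            if a == cur and b not in seen:
                seen.add(b)
                stack.append(b)
    return seen


# Constructed pages (all URLs except simonwillison.net are hypothetical).
PAGES = {
    "http://simonwillison.net/": (
        '<html><head>'
        '<link rel="me" href="http://www.flickr.com/photos/simonw/" />'
        '<link rel="me" href="http://twitter.com/simonw" />'
        '</head></html>'),
    "http://www.flickr.com/photos/simonw/": (
        '<html><body><a rel="me" href="http://simonwillison.net/">my site</a></body></html>'),
    "http://twitter.com/simonw": (
        '<html><body>profile page with no link back to the site yet</body></html>'),
    # Impersonation attempt: a stranger claims to be simonwillison.net; nothing links back.
    "http://evil.example/": (
        '<html><body><a rel="me" href="http://simonwillison.net/">that is me</a></body></html>'),
}

if __name__ == "__main__":
    print(identity_graph(PAGES))
    print(confirmed_identities(PAGES, "http://simonwillison.net/"))
```

    Run over the constructed pages, the Flickr link is confirmed because Flickr points back, the Twitter link stays a claim, and the impersonator's claim never becomes part of simonwillison.net's identity because the closure only walks confirmed edges.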
    90. Portable contact lists
    91. I don’t want to have to re-add my friends on every social application I use
    92. But... I don’t want to automatically add my high school friends to a business network
    93. The correct model is pick-from-import: show me a list of options and let me decide
    94. The contact import anti-pattern: the state of the art in contact import is asking for the user’s webmail password
    95. The good way: XFN and FOAF Public data, already published
    96. The Google Social Graph API
    97. A safe way to import private contacts?
    98. oauth.net
    99. Completing our decentralised social network
    100. The Facebook news feed
    101. Flickr photos from your contacts
    102. Your Twitter friends
    103. Decentralised news feed?
    104. XMPP (Jabber)
    105. We have the ingredients • OpenID • OAuth • XFN and FOAF • XMPP Now we just need to make the pie
    106. People of Webstock! • Go forth and implement OpenID • Support these emerging standards • Set your users free
    107. http://openid.net/ http://www.openidenabled.com/ http://simonwillison.net/tags/openid/

    simonsimon
    Presented at Webstock '08 on February 15th in Welli
    © All Rights Reserved