OpenID and decentralised social networks

and decentralised social networks Simon Willison Webstock 15th February 2008

One year ago...

A OL Supports OpenID Symantec Unveils Cons umer Identity Strategy O penID Gets a Boost Fr om Mic rosoft

The last few weeks...

OpenID announces powerhouse boa rd: MSFT, GOOG, IBM, others Yahoo! backs! OpenID! oundatio n Co-opts OpenID F icrosoft A nd Yahoo Google, M

Decentralised social networks or who will save us from ? http://www.ﬂickr.com/photos/87846746@N00/2235550137/

The username and password problem

What’s my password again? What’s my username again?

The Web needs Single Sign On

? Windows Live ID

SSO with a single controlling authority betrays the principles of the Web

OpenID is a decentralised mechanism for Single Sign On

It’s like e-mail - no one company controls it, but users with different e- mail providers can still talk to each other

An OpenID is a URL (an identiﬁer)

http://swillison.livejournal.com/

http://simonw.myopenid.com/

http://simonwillison.net/

http://openid.aol.com/simonwillison/

URLs are globally unique

The OpenID protocol lets you prove that you own a speciﬁc URL

Which means an OpenID can be used as an authentication credential

“Who are you?”

“I’m simonwillison.net”

“prove it!”

(magic happens)

“OK, you’re in!”

Picking an OpenID is like picking an e-mail provider - you ﬁnd a company that you trust

Or if you have the ability to run your own server software, you can do it for yourself

(mobile phones can run web servers now)

How to use OpenID

? What happens to my organisation’s user account database?

OpenID augments existing account mechanisms; it does not replace them

The ﬁrst time you see a speciﬁc OpenID, you create an account for that user

OpenID can even help users create their initial proﬁle

OpenID 1.1: Simple Registration OpenID 2.0: Attribute Exchange

? So how does OpenID actually work?

“I’m simonwillison.myopenid.com”

Site fetches HTML, discovers identity provider

Establishes shared secret with identity provider (Using Difﬁe-Hellman key exchange)

Redirects you to the identity provider

If you’re logged in there, you get redirected back

(Discovery in OpenID 2.0 is more complicated, but the concept is much the same)

? How does my identity provider know who I am?

OpenID deliberately doesn’t specify

username/password is the most common

But providers can use other methods if they want to

Client SSL certiﬁcates

Out of band authentication via SMS, e-mail or Jabber

Hardware tokens

Vidoop.com

?Will everyone end up with one OpenID that they use for everything?

Almost certainly not

(I have half a dozen OpenIDs already)

People like maintaining multiple online personas

professional social secret ...

OpenID makes it easier to manage multiple online personas

Three accounts is much better than three dozen

An OpenID provider can provide more than just an OpenID

My AOL OpenID incorporates my AIM screen name

An OpenID from sun.com proves that someone is a current Sun employee

An OpenID from a university can assert my staff/student status

Some providers might even provide guarantees that OpenIDs belong to speciﬁc people

Problems with OpenID

Phishing

lolcats ‘r’ us Sign in with your OpenID for even more lolcats! OpenID: Sign in http://www.flickr.com/photos/earthandeden/395466458/ http://www.flickr.com/photos/endbradley/306280569/ http://www.flickr.com/photos/duygu/115528187/

Fake edition Your identity provider Username and password, please! Username: Password: Log in

Your account gets stolen

An untrusted site redirects you to your trusted provider

PayPal Google Checkout Yahoo!, Flickr, Facebook

One solution: don’t let the user log in on the identity provider “landing page”

Better solutions

Yahoo! sign-in seal

VeriSign SeatBelt (a browser extension)

Windows CardSpace

Competition between providers on security

? Outsourcing the security of your users to a third party

OpenID is functionally equivalent to a lost password e-mail mechanism

If e-mail is secure enough for your user’s authentication, then so is OpenID

In other cases, a whitelist of trusted providers may make sense

Usability challenges

Many people have no idea what a URL is

(but they do know where their MySpace page is)

OpenID 2.0 introduces directed identity

Linking identities together

Identity projection

Upcoming last.fm

XFN rel=quot;mequot; lets me publicly point to my accounts on other services

Portable contact lists

I don’t want to have to re- add my friends on every social application I use

But... I don’t want to automatically add my high school friends to a business network

The correct model is pick-from-import: show me a list of options and let me decide

The state of the art in contact import is asking for the user’s webmail password The contact import anti-pattern

The good way: XFN and FOAF Public data, already published

The Google Social Graph API

A safe way to import private contacts?

oauth.net

Completing our decentralised social network

The Facebook news feed

Flickr photos from your contacts

Your Twitter friends

Decentralised news feed?

XMPP (Jabber)

We have the ingredients • OpenID • OAuth • XFN and FOAF • XMPP Now we just need to make the pie

People of Webstock! • Go forth and implement OpenID • Support these emerging standards • Set your users free

http://openid.net/ http://www.openidenabled.com/ http://simonwillison.net/tags/openid/

OpenID and decentralised social networks

by Simon Willison on Mar 11, 2008

Accessibility

Categories

Upload Details

Usage Rights

3 Embeds 5

Statistics

OpenID and decentralised social networks Presentation Transcript

http://www.slideshare.net	2
http://lanyrd.com	2
http://lanyrd.dev	1