OpenID and decentralised social networks
Simon Willison
Webstock
15th February 2008

One year ago...
AOL Supports OpenID
Symantec Unveils Consumer Identity Strategy
OpenID Gets a Boost From Microsoft

The last few weeks...
OpenID announces powerhouse board: MSFT, GOOG, IBM, others
Yahoo! backs! OpenID!
OpenID Foundation Co-opts Google, Microsoft And Yahoo

Decentralised social networks, or who will save us from ...?
(photo: http://www.flickr.com/photos/87846746@N00/2235550137/)

The username and password problem
What’s my password again? What’s my username again?
The Web needs Single Sign On
Windows Live ID
SSO with a single controlling authority betrays the principles of the Web
OpenID is a decentralised mechanism for Single Sign On
It’s like e-mail - no one company controls it, but users with different e-mail providers can still talk to each other
An OpenID is a URL (an identifier)
http://swillison.livejournal.com/
http://simonw.myopenid.com/
http://simonwillison.net/
http://openid.aol.com/simonwillison/
URLs are globally unique
The OpenID protocol lets you prove that you own a specific URL
Which means an OpenID can be used as an authentication credential
“Who are you?”
“I’m simonwillison.net”
“prove it!”
(magic happens)
“OK, you’re in!”
Picking an OpenID is like picking an e-mail provider - you find a company that you trust
Or if you have the ability to run your own server software, you can do it for yourself
(mobile phones can run web servers now)

How to use OpenID
? What happens to my organisation’s user account database?
OpenID augments existing account mechanisms; it does not replace them
The first time you see a specific OpenID, you create an account for that user
OpenID can even help users create their initial profile
OpenID 1.1: Simple Registration
OpenID 2.0: Attribute Exchange
? So how does OpenID actually work?
<link rel="openid.server" href="http://www.myopenid.com/server" />
“I’m simonwillison.myopenid.com”
Site fetches HTML, discovers identity provider
Establishes shared secret with identity provider (using Diffie-Hellman key exchange)
Redirects you to the identity provider
If you’re logged in there, you get redirected back
(Discovery in OpenID 2.0 is more complicated, but the concept is much the same)
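The discovery and redirect steps above, as an added example that is not part of the original deck: a minimal OpenID 1.1 relying-party side in Python that parses the openid.server and openid.delegate link tags out of fetched HTML, normalises the claimed URL, and builds the checkid_setup redirect, refusing any provider not on a whitelist of trusted providers (the kind of whitelist the deck suggests later). The TRUSTED_SERVERS set, the sample HTML and the example.com URLs are constructed for this example; the Diffie-Hellman association step is left out.

```python
# Relying-party side of OpenID 1.1 discovery (added example, not from the deck).
import re
from urllib.parse import urlencode, urlparse, urlsplit

# Constructed sample: the HTML a relying party would fetch from the claimed URL.
SAMPLE_HTML = """<html><head>
<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid.delegate" href="http://simonw.myopenid.com/" />
</head><body>hello</body></html>"""
# Hypothetical whitelist of identity providers this relying party trusts.
TRUSTED_SERVERS = {"www.myopenid.com", "openid.aol.com"}
LINK_RE = re.compile(r"<link\b[^>]*>", re.I)
ATTR_RE = re.compile(r'([\w.:-]+)\s*=\s*"([^"]*)"')

def normalize_identifier(user_input: str) -> str:
    """Turn what the user typed into a claimed URL: add http:// and a path."""
    url = user_input.strip()
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    parts = urlsplit(url)
    return parts._replace(path=parts.path or "/").geturl()

def discover(html: str) -> dict:
    """Pull the openid.server (required) and openid.delegate (optional) link rels."""
    found = {}
    for tag in LINK_RE.findall(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        rel = attrs.get("rel", "").lower()
        if rel in ("openid.server", "openid.delegate") and "href" in attrs:
            found[rel] = attrs["href"]
    if "openid.server" not in found:
        raise ValueError("no openid.server link found in HTML")
    return found

def build_checkid_setup(claimed: str, html: str, return_to: str, trust_root: str) -> str:
    """Build the redirect to the provider's checkid_setup endpoint; refuse untrusted hosts."""
    info = discover(html)
    server = info["openid.server"]
    host = urlparse(server).hostname or ""
    if host not in TRUSTED_SERVERS:
        raise ValueError(f"identity provider {host!r} is not on the trusted list")
    params = {
        "openid.mode": "checkid_setup",
        # With a delegate, the provider is asked about the delegate URL, not the claimed one.
        "openid.identity": info.get("openid.delegate", claimed),
        "openid.return_to": return_to,
        "openid.trust_root": trust_root,
    }
    return server + ("&" if "?" in server else "?") + urlencode(params)
```

After the user authenticates, the provider redirects to return_to with a signed assertion that the relying party must verify before creating or logging in the account.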
? How does my identity provider know who I am?
OpenID deliberately doesn’t specify
username/password is the most common
But providers can use other methods if they want to
Client SSL certificates
Out of band authentication via SMS, e-mail or Jabber
Hardware tokens
Vidoop.com
? Will everyone end up with one OpenID that they use for everything?
Almost certainly not
(I have half a dozen OpenIDs already)
People like maintaining multiple online personas
professional, social, secret ...
OpenID makes it easier to manage multiple online personas
Three accounts is much better than three dozen
An OpenID provider can provide more than just an OpenID
My AOL OpenID incorporates my AIM screen name
An OpenID from sun.com proves that someone is a current Sun employee
An OpenID from a university can assert my staff/student status
Some providers might even provide guarantees that OpenIDs belong to specific people

Problems with OpenID
Phishing
lolcats ‘r’ us - Sign in with your OpenID for even more lolcats! OpenID: [ ... ] Sign in
(photos: http://www.flickr.com/photos/earthandeden/395466458/ http://www.flickr.com/photos/endbradley/306280569/ http://www.flickr.com/photos/duygu/115528187/)
Fake edition: Your identity provider - Username and password, please! Username: [ ] Password: [ ] Log in
Your account gets stolen
An untrusted site redirects you to your trusted provider
PayPal
Google Checkout
Yahoo!, Flickr, Facebook
One solution: don’t let the user log in on the identity provider “landing page”
Better solutions
Yahoo! sign-in seal
VeriSign SeatBelt (a browser extension)
Windows CardSpace
Competition between providers on security
? Outsourcing the security of your users to a third party
OpenID is functionally equivalent to a lost password e-mail mechanism
If e-mail is secure enough for your user’s authentication, then so is OpenID
In other cases, a whitelist of trusted providers may make sense

Usability challenges
Many people have no idea what a URL is
(but they do know where their MySpace page is)
OpenID 2.0 introduces directed identity
Linking identities together
Identity projection
Upcoming, last.fm
XFN rel="me" lets me publicly point to my accounts on other services

Portable contact lists
I don’t want to have to re-add my friends on every social application I use
But... I don’t want to automatically add my high school friends to a business network
The correct model is pick-from-import: show me a list of options and let me decide
The state of the art in contact import is asking for the user’s webmail password
The contact import anti-pattern
The good way: XFN and FOAF - public data, already published
The Google Social Graph API
A safe way to import private contacts?
oauth.net

Completing our decentralised social network
The Facebook news feed
Flickr photos from your contacts
Your Twitter friends
Decentralised news feed?
XMPP (Jabber)
We have the ingredients
• OpenID
• OAuth
• XFN and FOAF
• XMPP
Now we just need to make the pie

People of Webstock!
• Go forth and implement OpenID
• Support these emerging standards
• Set your users free
http://openid.net/
http://www.openidenabled.com/
http://simonwillison.net/tags/openid/

Presented at Webstock '08 on February 15th in Wellington, New Zealand. Social networks are an unavoidable part of life on the Web today, but most exist as walled gardens with interactions and identities trapped in a silo. OpenID is one of a number of initiatives that are trying to break down these walls and enable new social applications to bootstrap off each other.
