OpenID and decentralised social networks

Presented at Webstock '08 on February 15th in Wellington, New Zealand. Social networks are an unavoidable part of life on the Web today, but most exist as walled gardens with interactions and identities trapped in a silo. OpenID is one of a number of initiatives that are trying to break down these walls and enable new social applications to bootstrap off each other.


OpenID and decentralised social networks

  1. OpenID and decentralised social networks. Simon Willison, Webstock, 15th February 2008
  2. One year ago...
  3. AOL Supports OpenID. Symantec Unveils Consumer Identity Strategy. OpenID Gets a Boost From Microsoft
  4. The last few weeks...
  5. OpenID announces powerhouse board: MSFT, GOOG, IBM, others. Yahoo! backs OpenID! Google, Microsoft and Yahoo Co-opt OpenID Foundation
  6. Decentralised social networks, or who will save us from ? (image: http://www.flickr.com/photos/87846746@N00/2235550137/)
  7. The username and password problem
  8. What’s my password again? What’s my username again?
  9. The Web needs Single Sign On
  10. ?
  11. ? Windows Live ID
  12. SSO with a single controlling authority betrays the principles of the Web
  13. OpenID is a decentralised mechanism for Single Sign On
  14. It’s like e-mail: no one company controls it, but users with different e-mail providers can still talk to each other
  15. An OpenID is a URL (an identifier)
  16. http://swillison.livejournal.com/
  17. http://simonw.myopenid.com/
  18. http://simonwillison.net/
  19. http://openid.aol.com/simonwillison/
  20. URLs are globally unique
  21. The OpenID protocol lets you prove that you own a specific URL
  22. Which means an OpenID can be used as an authentication credential
  23. “Who are you?”
  24. “I’m simonwillison.net”
  25. “Prove it!”
  26. (magic happens)
  27. “OK, you’re in!”
  28. Picking an OpenID provider is like picking an e-mail provider: you find a company that you trust
  29. Or if you have the ability to run your own server software, you can do it for yourself
  30. (mobile phones can run web servers now)
  31. How to use OpenID
  32. ? What happens to my organisation’s user account database?
  33. OpenID augments existing account mechanisms; it does not replace them
  34. The first time you see a specific OpenID, you create an account for that user
  35. OpenID can even help users create their initial profile
  36. OpenID 1.1: Simple Registration. OpenID 2.0: Attribute Exchange
  37. ? So how does OpenID actually work?
  38. <link rel="openid.server" href="http://www.myopenid.com/server" />
  39. “I’m simonwillison.myopenid.com”
  40. Site fetches HTML, discovers identity provider
  41. Establishes shared secret with identity provider (using Diffie-Hellman key exchange)
  42. Redirects you to the identity provider
  43. If you’re logged in there, you get redirected back
  44. (Discovery in OpenID 2.0 is more complicated, but the concept is much the same)
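Slides 38 to 44 sketch the OpenID 1.1 exchange in four steps. The code below is an added example, not code from the talk or from any OpenID library: it runs both sides of that exchange in Python. The identity page HTML is constructed (the URLs on it are the ones shown in the talk), the relying party at rp.example is hypothetical, and the Diffie-Hellman association of slide 41 is assumed to have already produced a MAC key and association handle. What the slides call "magic" is the HMAC-SHA1 signature over the signed fields, which the relying party checks together with the handle, the return_to (carrying its own nonce) and the identity it asked about.

```python
import base64
import hashlib
import hmac
import secrets
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed HTML for the user's identity page (URLs from the talk, markup not fetched from
# anywhere): it names the provider and delegates to a provider-hosted identifier.
SAMPLE_IDENTITY_PAGE = """<html><head><title>Simon Willison</title>
<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid.delegate" href="http://simonw.myopenid.com/" />
</head><body>...</body></html>"""


class _OpenIDLinks(HTMLParser):
    """Collects the openid.server / openid.delegate <link> elements (OpenID 1.1 HTML discovery)."""

    def __init__(self):
        super().__init__()
        self.found = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel = (a.get("rel") or "").lower()
        if rel in ("openid.server", "openid.delegate") and a.get("href"):
            self.found.setdefault(rel, a["href"])  # first occurrence wins


def discover(claimed_url, page_html):
    """Step 1 (slide 40): returns (server_endpoint, identity_to_send_to_server).
    With delegation the provider sees the delegate URL; the RP keeps the claimed URL as the account key."""
    p = _OpenIDLinks()
    p.feed(page_html)
    if "openid.server" not in p.found:
        raise ValueError(f"{claimed_url} carries no openid.server link")
    return p.found["openid.server"], p.found.get("openid.delegate", claimed_url)


def _kv_sign(mac_key, fields, signed):
    """HMAC-SHA1 over the signed fields in key:value\\n form, as OpenID 1.1 specifies."""
    kv = "".join(f"{k}:{fields[k]}\n" for k in signed).encode()
    return base64.b64encode(hmac.new(mac_key, kv, hashlib.sha1).digest()).decode()


def build_checkid_setup(server, identity, assoc_handle, return_to, trust_root):
    """Step 3 (slide 42): the URL the relying party redirects the browser to."""
    q = {"openid.mode": "checkid_setup", "openid.identity": identity,
         "openid.assoc_handle": assoc_handle, "openid.return_to": return_to,
         "openid.trust_root": trust_root}
    return server + ("&" if "?" in server else "?") + urlencode(q)


def provider_assertion(request_url, mac_key):
    """Provider side of step 4 (slide 43): the user is logged in, so sign a positive id_res
    response and send the browser back to return_to."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(request_url).query).items()}
    if q.get("openid.mode") != "checkid_setup":
        raise ValueError("not a checkid_setup request")
    fields = {"mode": "id_res", "identity": q["openid.identity"],
              "return_to": q["openid.return_to"], "assoc_handle": q["openid.assoc_handle"]}
    signed = ["mode", "identity", "return_to"]
    fields["signed"] = ",".join(signed)
    fields["sig"] = _kv_sign(mac_key, fields, signed)
    rt = fields["return_to"]
    return rt + ("&" if "?" in rt else "?") + urlencode({"openid." + k: v for k, v in fields.items()})


def verify_assertion(response_url, associations, expected_return_to, expected_identity):
    """Relying-party side of step 4: accept only if the assertion is bound to our request
    (known handle, our return_to with its nonce, the identity we asked about) and the HMAC checks out."""
    q = {k[7:]: v[0] for k, v in parse_qs(urlsplit(response_url).query).items()
         if k.startswith("openid.")}
    if q.get("mode") != "id_res":
        return False
    mac_key = associations.get(q.get("assoc_handle"))
    if mac_key is None:
        return False  # unknown handle: a real RP would fall back to check_authentication
    signed = q.get("signed", "").split(",")
    if not {"mode", "identity", "return_to"} <= set(signed) or any(k not in q for k in signed):
        return False
    if q["return_to"] != expected_return_to or q["identity"] != expected_identity:
        return False
    return hmac.compare_digest(_kv_sign(mac_key, q, signed).encode(), q.get("sig", "").encode())


def run_exchange(tamper=False):
    """Drives the whole flow between the hypothetical RP at rp.example and the provider.
    Returns True when the RP accepts the assertion."""
    claimed = "http://simonwillison.net/"
    server, identity = discover(claimed, SAMPLE_IDENTITY_PAGE)
    # Step 2 (slide 41) assumed done: the DH association yielded this handle and MAC key.
    assoc_handle, mac_key = "assoc-" + secrets.token_hex(4), secrets.token_bytes(20)
    associations = {assoc_handle: mac_key}
    return_to = "https://rp.example/openid/return?nonce=" + secrets.token_urlsafe(12)
    request_url = build_checkid_setup(server, identity, assoc_handle, return_to, "https://rp.example/")
    response_url = provider_assertion(request_url, mac_key)
    if tamper:  # someone rewrites the asserted identity in the return redirect
        response_url = response_url.replace("simonw.myopenid.com", "mallory.myopenid.com")
        identity = identity.replace("simonw", "mallory")
    return verify_assertion(response_url, associations, return_to, identity)
```

The nonce in return_to is what stops a captured id_res URL from being replayed against a later login; the association handle lookup is what stops a forged response from an unrelated provider.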
  45. ? How does my identity provider know who I am?
  46. OpenID deliberately doesn’t specify
  47. Username/password is the most common
  48. But providers can use other methods if they want to
  49. Client SSL certificates
  50. Out-of-band authentication via SMS, e-mail or Jabber
  51. Hardware tokens
  52. Vidoop.com
  53. ? Will everyone end up with one OpenID that they use for everything?
  54. Almost certainly not
  55. (I have half a dozen OpenIDs already)
  56. People like maintaining multiple online personas
  57. professional, social, secret, ...
  58. OpenID makes it easier to manage multiple online personas
  59. Three accounts is much better than three dozen
  60. An OpenID provider can provide more than just an OpenID
  61. My AOL OpenID incorporates my AIM screen name
  62. An OpenID from sun.com proves that someone is a current Sun employee
  63. An OpenID from a university can assert my staff/student status
  64. Some providers might even provide guarantees that OpenIDs belong to specific people
  65. Problems with OpenID
  66. Phishing
  67. (mock site) lolcats ‘r’ us: “Sign in with your OpenID for even more lolcats!” OpenID: [ ] Sign in (images: http://www.flickr.com/photos/earthandeden/395466458/ http://www.flickr.com/photos/endbradley/306280569/ http://www.flickr.com/photos/duygu/115528187/)
  68. (fake edition of) Your identity provider: “Username and password, please!” Username: [ ] Password: [ ] Log in
  69. Your account gets stolen
  70. An untrusted site redirects you to your trusted provider
  71. PayPal, Google Checkout, Yahoo!, Flickr, Facebook
  72. One solution: don’t let the user log in on the identity provider “landing page”
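Slides 66 to 72 describe the redirect phishing problem: the relying party controls where the browser goes, so a malicious site can send it to a look-alike of the provider's login page. The mitigation on slide 72 is the provider's to implement. The following is an added example in Python, not code from the talk or from any provider; idp.example, rp.example, the account table and the association key are all hypothetical. It shows the vulnerable landing page beside the safe one: the safe page never carries a password form after a redirect, parks the request instead, and asks the user to sign in at the provider's own bookmarked address, so that a password prompt after a redirect becomes the warning sign.

```python
import base64
import hashlib
import hmac
import html
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical provider state, in memory for the example (a real provider keeps this in a database).
PROVIDER_LOGIN_URL = "https://idp.example/login"        # the address users are told to type or bookmark
IDENTITIES = {"alice": {"http://alice.idp.example/"}}    # which OpenID URLs each account may assert
MAC_KEYS = {"assoc-1": secrets.token_bytes(20)}          # assoc_handle -> key shared with the RP (assumed established)
PENDING = {}                                             # opaque token -> parked checkid_setup parameters

# Constructed checkid_setup request, as a relying party at rp.example would send the browser to us.
SAMPLE_REQUEST = "https://idp.example/server?" + urlencode({
    "openid.mode": "checkid_setup", "openid.identity": "http://alice.idp.example/",
    "openid.assoc_handle": "assoc-1", "openid.return_to": "https://rp.example/return?n=1",
    "openid.trust_root": "https://rp.example/"})


def _params(url):
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items() if k.startswith("openid.")}


def _owns(user, identity):
    return identity in IDENTITIES.get(user, set())


def _signed_redirect(p):
    """Positive assertion: HMAC-SHA1 over the signed fields in key:value\\n form (OpenID 1.1)."""
    key = MAC_KEYS.get(p.get("openid.assoc_handle"))
    if key is None:
        return ("400 Bad Request", "unknown association handle")
    fields = {"mode": "id_res", "identity": p["openid.identity"],
              "return_to": p["openid.return_to"], "assoc_handle": p["openid.assoc_handle"]}
    signed = ["mode", "identity", "return_to"]
    kv = "".join(f"{k}:{fields[k]}\n" for k in signed).encode()
    fields["signed"] = ",".join(signed)
    fields["sig"] = base64.b64encode(hmac.new(key, kv, hashlib.sha1).digest()).decode()
    rt = fields["return_to"]
    return ("302 Found", rt + ("&" if "?" in rt else "?") + urlencode({"openid." + k: v for k, v in fields.items()}))


def landing_page_vulnerable(request_url, session):
    """The pattern slide 72 warns about: a password form on the page rendered straight after the
    RP's redirect. A phishing site redirects to a look-alike of this and the user has no cue."""
    p = _params(request_url)
    if session.get("user") and _owns(session["user"], p["openid.identity"]):
        return _signed_redirect(p)
    return ("200 OK", "<form method='post'>Username: <input name='username'> "
                      "Password: <input type='password' name='password'> <button>Log in</button></form>")


def landing_page_safe(request_url, session):
    """Slide 72's fix: credentials are never collected here. An unauthenticated user gets the
    request parked and is told to sign in at PROVIDER_LOGIN_URL on their own initiative."""
    p = _params(request_url)
    user = session.get("user")
    if user:
        if not _owns(user, p["openid.identity"]):
            return ("403 Forbidden", "signed in, but not as the OpenID this site is asking about")
        return _signed_redirect(p)
    token = secrets.token_urlsafe(16)
    PENDING[token] = p
    session["pending"] = token
    rp = html.escape(urlsplit(p.get("openid.return_to", "")).netloc)
    return ("200 OK",
            f"<p>{rp} wants to know who you are, but you are not signed in here.</p>"
            f"<p>This page never asks for your password. Go to {PROVIDER_LOGIN_URL} by typing it or "
            f"using your bookmark, sign in, and the request from {rp} will be waiting for you.</p>")


def resume_pending(session):
    """Post-login page at the provider: finish the parked request, but only for the identity's owner."""
    p = PENDING.pop(session.pop("pending", None), None)
    user = session.get("user")
    if p is None or not user:
        return ("404 Not Found", "no pending sign-in request")
    if not _owns(user, p["openid.identity"]):
        return ("403 Forbidden", "the pending request is for an OpenID you do not own")
    return _signed_redirect(p)
```

The ownership check matters on both paths: a provider that signs whatever openid.identity the request names, as long as someone is logged in, lets one user assert another user's URL.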
  73. Better solutions
  74. Yahoo! sign-in seal
  75. VeriSign SeatBelt (a browser extension)
  76. Windows CardSpace
  77. Competition between providers on security
  78. ? Outsourcing the security of your users to a third party
  79. OpenID is functionally equivalent to a lost-password e-mail mechanism
  80. If e-mail is secure enough for your users’ authentication, then so is OpenID
  81. In other cases, a whitelist of trusted providers may make sense
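Slides 78 to 81 leave the relying party with a policy decision: accept any provider, on the reasoning that OpenID is no weaker than the password-reset e-mail already trusted, or accept only a whitelist. The following is an added example in Python, not code from the talk: a policy check run on the provider endpoint that discovery returned, with the decision depending on how sensitive the action is. The allowlist is constructed (www.myopenid.com is the endpoint host shown on slide 38; idp.example is a placeholder). It also covers two URL tricks a naive host comparison falls for.

```python
from urllib.parse import urlsplit

# Constructed policy for the example. "low" accepts any provider (slides 79-80); "high" accepts
# only providers the site has vetted (slide 81).
PROVIDER_POLICY = {
    "low": None,
    "high": {"www.myopenid.com", "idp.example"},
}


def endpoint_allowed(endpoint, sensitivity, policy=PROVIDER_POLICY):
    """Decide whether the provider endpoint discovered for a claimed identifier may authenticate
    an action of the given sensitivity. Returns (allowed, reason)."""
    if sensitivity not in policy:
        return False, f"no policy defined for sensitivity {sensitivity!r}"  # fail closed
    parts = urlsplit(endpoint)
    # Discovery and the redirects pass through the browser; without TLS an on-path attacker can
    # rewrite the openid.server link or the endpoint itself, so insist on https regardless of policy.
    if parts.scheme.lower() != "https":
        return False, "provider endpoint must be https"
    host = (parts.hostname or "").lower()
    # https://www.myopenid.com@evil.example/ has username "www.myopenid.com" and host "evil.example";
    # refuse userinfo outright rather than rely on the parser getting it right everywhere.
    if parts.username is not None or not host:
        return False, "endpoint URL carries userinfo or has no host"
    allowed_hosts = policy[sensitivity]
    if allowed_hosts is None:
        return True, "any provider accepted for a low-sensitivity action"
    # Exact match only: an endswith() check would accept www.myopenid.com.evil.example.
    if host not in allowed_hosts:
        return False, f"{host} is not a trusted provider for a {sensitivity}-sensitivity action"
    return True, f"{host} is a trusted provider"


def allowed(endpoint, sensitivity):
    return endpoint_allowed(endpoint, sensitivity)[0]
```

A site can run this once per login and store the result with the account, so that an account created through a whitelisted provider is not later reachable through an arbitrary one by editing the identity page's openid.server link.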
  82. Usability challenges
  83. Many people have no idea what a URL is
  84. (but they do know where their MySpace page is)
  85. OpenID 2.0 introduces directed identity
  86. Linking identities together
  87. Identity projection
  88. Upcoming: last.fm
  89. XFN rel="me" lets me publicly point to my accounts on other services
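Slide 89 introduces XFN rel="me" as the public way to link one person's accounts together. The following is an added example in Python, not code from the talk: it extracts rel="me" links from pages and accepts a link only when it is reciprocal, since anyone can publish a page claiming to be someone else. The pages are constructed; http://simonwillison.net/ is from the talk, the other hosts are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Constructed pages keyed by URL, standing in for the HTML a crawler would fetch from each.
SAMPLE_PAGES = {
    "http://simonwillison.net/": ('<a rel="me" href="https://photos.example/simonw">photos</a> '
                                  '<a rel="me nofollow" href="https://chat.example/simonw">chat</a>'),
    "https://photos.example/simonw": '<link rel="me" href="http://simonwillison.net/">',
    "https://chat.example/simonw": '<a href="http://simonwillison.net/">homepage</a>',  # plain link, no rel="me"
    "https://impostor.example/": '<a rel="me" href="http://simonwillison.net/">that is me</a>',
}


class _RelMeLinks(HTMLParser):
    """Collects the href of every <a> or <link> whose rel attribute contains the XFN token "me"."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "link"):
            a = dict(attrs)
            if "me" in (a.get("rel") or "").lower().split() and a.get("href"):
                self.hrefs.append(a["href"])


def normalise(url):
    """Compare URLs loosely enough that http://example.com and http://example.com/ agree,
    but keep scheme and host exact (http and https are different identifiers here)."""
    p = urlsplit(url.strip())
    return urlunsplit((p.scheme.lower(), (p.hostname or "").lower(), p.path.rstrip("/") or "/", "", ""))


def rel_me_targets(page_html):
    parser = _RelMeLinks()
    parser.feed(page_html)
    return {normalise(h) for h in parser.hrefs}


def _index(pages):
    return {normalise(u): h for u, h in pages.items()}


def is_reciprocal(pages, a, b):
    """A rel="me" claim is evidence only when both sides make it: a must point at b AND b at a."""
    idx = _index(pages)
    a, b = normalise(a), normalise(b)
    return b in rel_me_targets(idx.get(a, "")) and a in rel_me_targets(idx.get(b, ""))


def linked_identities(pages, start):
    """Walk reciprocal rel="me" links from start and return the URLs that belong to one person."""
    idx = _index(pages)
    seen, todo = {normalise(start)}, [normalise(start)]
    while todo:
        url = todo.pop()
        for target in rel_me_targets(idx.get(url, "")):
            if target not in seen and target in idx and is_reciprocal(pages, url, target):
                seen.add(target)
                todo.append(target)
    return seen
```

The impostor page in the sample shows why the reciprocity rule is the whole point: it links to simonwillison.net with rel="me", but nothing on simonwillison.net links back, so it never joins the set.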
  90. Portable contact lists
  91. I don’t want to have to re-add my friends on every social application I use
  92. But... I don’t want to automatically add my high school friends to a business network
  93. The correct model is pick-from-import: show me a list of options and let me decide
  94. The contact import anti-pattern: the state of the art in contact import is asking for the user’s webmail password
  95. The good way: XFN and FOAF. Public data, already published
  96. The Google Social Graph API
  97. A safe way to import private contacts?
  98. oauth.net
  99. Completing our decentralised social network
  100. The Facebook news feed
  101. Flickr photos from your contacts
  102. Your Twitter friends
  103. Decentralised news feed?
  104. XMPP (Jabber)
  105. We have the ingredients: OpenID, OAuth, XFN and FOAF, XMPP. Now we just need to make the pie
  106. People of Webstock! Go forth and implement OpenID. Support these emerging standards. Set your users free
  107. http://openid.net/ http://www.openidenabled.com/ http://simonwillison.net/tags/openid/
