
OpenID and decentralised social networks

From simon, 5 months ago

Presented at Webstock '08 on February 15th in Wellington, New Zealand


Slideshow transcript

Slide 1: OpenID and decentralised social networks. Simon Willison, Webstock, 15th February 2008

Slide 2: One year ago...

Slide 3: "AOL Supports OpenID"; "Symantec Unveils Consumer Identity Strategy"; "OpenID Gets a Boost From Microsoft"

Slide 4: The last few weeks...

Slide 5: "OpenID announces powerhouse board: MSFT, GOOG, IBM, others"; "Yahoo! backs OpenID!"; "OpenID Foundation Co-opts Google, Microsoft And Yahoo"

Slide 6: Decentralised social networks or who will save us from ? http://www.flickr.com/photos/87846746@N00/2235550137/

Slide 7: The username and password problem

Slide 9: What’s my password again? What’s my username again?

Slide 10: The Web needs Single Sign On

Slide 11: ?

Slide 12: ? Windows Live ID

Slide 13: SSO with a single controlling authority betrays the principles of the Web

Slide 14: OpenID is a decentralised mechanism for Single Sign On

Slide 15: It’s like e-mail - no one company controls it, but users with different e-mail providers can still talk to each other

Slide 16: An OpenID is a URL (an identifier)

Slide 17: http://swillison.livejournal.com/

Slide 18: http://simonw.myopenid.com/

Slide 19: http://simonwillison.net/

Slide 20: http://openid.aol.com/simonwillison/

Slide 21: URLs are globally unique

Slide 22: The OpenID protocol lets you prove that you own a specific URL

Slide 23: Which means an OpenID can be used as an authentication credential

Slide 24: “Who are you?”

Slide 25: “I’m simonwillison.net”

Slide 26: “prove it!”

Slide 27: (magic happens)

Slide 28: “OK, you’re in!”

Slide 29: Picking an OpenID is like picking an e-mail provider - you find a company that you trust

Slide 30: Or if you have the ability to run your own server software, you can do it for yourself

Slide 31: (mobile phones can run web servers now)

Slide 32: How to use OpenID

Slide 37: ? What happens to my organisation’s user account database?

Slide 38: OpenID augments existing account mechanisms; it does not replace them

Slide 39: The first time you see a specific OpenID, you create an account for that user

Slide 40: OpenID can even help users create their initial profile

Slide 43: OpenID 1.1: Simple Registration OpenID 2.0: Attribute Exchange

Slide 44: ? So how does OpenID actually work?

Slide 47: <link rel="openid.server" href="http://www.myopenid.com/server" />

Slide 48: “I’m simonwillison.myopenid.com”

Slide 49: Site fetches HTML, discovers identity provider

Slide 50: Establishes shared secret with identity provider (Using Diffie-Hellman key exchange)

Slide 51: Redirects you to the identity provider

Slide 52: If you’re logged in there, you get redirected back

Slide 53: (Discovery in OpenID 2.0 is more complicated, but the concept is much the same)
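The relying-party side of the OpenID 1.1 flow on slides 47 to 53, as an added example in Python (not code from the talk): HTML discovery of the provider from the link tag, then the checks a site must make on the signed response that comes back after the redirect. It assumes the MAC key from the Diffie-Hellman association step is already in hand; the identity page, key, handle and URLs are constructed demo values.

```python
import base64, hashlib, hmac
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode

class _LinkFinder(HTMLParser):
    """Collect <link rel="..." href="..."> tags from the user's identity page."""
    def __init__(self):
        super().__init__()
        self.links = {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("rel") and a.get("href"):
            self.links[a["rel"].lower()] = a["href"]

def discover(html):
    """OpenID 1.1 HTML discovery: (provider endpoint, delegate URL or None)."""
    p = _LinkFinder()
    p.feed(html)
    return p.links.get("openid.server"), p.links.get("openid.delegate")

def sign_fields(f, mac_key):
    """base64(HMAC-SHA1(mac_key, "key:value\\n"...)) over the fields named in openid.signed."""
    token = "".join("%s:%s\n" % (k, f.get("openid." + k, "")) for k in f["openid.signed"].split(","))
    return base64.b64encode(hmac.new(mac_key, token.encode(), hashlib.sha1).digest()).decode()

def verify_assertion(query, mac_key, known_handles, expected_return_to, expected_identity):
    """Relying-party checks on the id_res redirect back from the provider; True only if all pass."""
    f = {k: v[0] for k, v in parse_qs(query).items()}
    if f.get("openid.mode") != "id_res":
        return False
    # Only trust a handle this site itself established, about the identity we discovered, for our own return_to.
    if (f.get("openid.assoc_handle") not in known_handles or f.get("openid.identity") != expected_identity
            or f.get("openid.return_to") != expected_return_to):
        return False
    # Those fields only mean something if the signature actually covers them.
    if not {"mode", "identity", "return_to"} <= set(f.get("openid.signed", "").split(",")):
        return False
    return hmac.compare_digest(sign_fields(f, mac_key).encode(), f.get("openid.sig", "").encode())

# Constructed demo data (not from the talk): an identity page, a MAC key and a return URL.
SAMPLE_HTML = ('<html><head><link rel="openid.server" href="http://www.myopenid.com/server" />'
               '<link rel="openid.delegate" href="http://simonw.myopenid.com/" /></head></html>')
MAC_KEY = b"demo-shared-secret"  # in real use: the secret agreed via Diffie-Hellman (slide 50)
RETURN_TO = "http://example.com/openid/return"

def demo_response(identity, return_to=RETURN_TO, handle="demo-handle"):
    """Query string a demo provider would redirect the browser back with."""
    f = {"openid.mode": "id_res", "openid.identity": identity, "openid.return_to": return_to,
         "openid.assoc_handle": handle, "openid.signed": "mode,identity,return_to"}
    f["openid.sig"] = sign_fields(f, MAC_KEY)
    return urlencode(f)
```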

Slide 54: ? How does my identity provider know who I am?

Slide 55: OpenID deliberately doesn’t specify

Slide 56: username/password is the most common

Slide 57: But providers can use other methods if they want to

Slide 58: Client SSL certificates

Slide 59: Out of band authentication via SMS, e-mail or Jabber

Slide 60: Hardware tokens

Slide 61: Vidoop.com

Slide 62: ?Will everyone end up with one OpenID that they use for everything?

Slide 63: Almost certainly not

Slide 64: (I have half a dozen OpenIDs already)

Slide 65: People like maintaining multiple online personas

Slide 66: professional social secret ...

Slide 67: OpenID makes it easier to manage multiple online personas

Slide 68: Three accounts is much better than three dozen

Slide 69: An OpenID provider can provide more than just an OpenID

Slide 70: My AOL OpenID incorporates my AIM screen name

Slide 71: An OpenID from sun.com proves that someone is a current Sun employee

Slide 72: An OpenID from a university can assert my staff/student status

Slide 73: Some providers might even provide guarantees that OpenIDs belong to specific people

Slide 74: Problems with OpenID

Slide 75: Phishing

Slide 76: (mock-up) lolcats ‘r’ us: "Sign in with your OpenID for even more lolcats!" OpenID: [ ] [Sign in]. Photo credits: http://www.flickr.com/photos/earthandeden/395466458/ http://www.flickr.com/photos/endbradley/306280569/ http://www.flickr.com/photos/duygu/115528187/

Slide 77: (mock-up) Your identity provider, fake edition: "Username and password, please!" Username: [ ] Password: [ ] [Log in]

Slide 78: Your account gets stolen

Slide 79: An untrusted site redirects you to your trusted provider

Slide 80: PayPal Google Checkout Yahoo!, Flickr, Facebook

Slide 81: One solution: don’t let the user log in on the identity provider “landing page”

Slide 83: Better solutions

Slide 84: Yahoo! sign-in seal

Slide 85: VeriSign SeatBelt (a browser extension)

Slide 86: Windows CardSpace

Slide 87: Competition between providers on security

Slide 88: ? Outsourcing the security of your users to a third party

Slide 89: OpenID is functionally equivalent to a lost password e-mail mechanism

Slide 90: If e-mail is secure enough for your user’s authentication, then so is OpenID

Slide 91: In other cases, a whitelist of trusted providers may make sense

Slide 92: Usability challenges

Slide 93: Many people have no idea what a URL is

Slide 94: (but they do know where their MySpace page is)

Slide 95: OpenID 2.0 introduces directed identity

Slide 99: Linking identities together

Slide 101: Identity projection

Slide 102: Upcoming last.fm

Slide 103: XFN rel="me" lets me publicly point to my accounts on other services

Slide 104: Portable contact lists

Slide 105: I don’t want to have to re-add my friends on every social application I use

Slide 106: But... I don’t want to automatically add my high school friends to a business network

Slide 107: The correct model is pick-from-import: show me a list of options and let me decide

Slide 108: The contact import anti-pattern: the state of the art in contact import is asking for the user’s webmail password

Slide 109: The good way: XFN and FOAF (public data, already published)

Slide 110: The Google Social Graph API

Slide 111: A safe way to import private contacts?

Slide 113: oauth.net

Slide 114: Completing our decentralised social network

Slide 115: The Facebook news feed

Slide 116: Flickr photos from your contacts

Slide 117: Your Twitter friends

Slide 118: Decentralised news feed?

Slide 119: XMPP (Jabber)

Slide 120: We have the ingredients • OpenID • OAuth • XFN and FOAF • XMPP Now we just need to make the pie

Slide 121: People of Webstock! • Go forth and implement OpenID • Support these emerging standards • Set your users free

Slide 122: http://openid.net/ http://www.openidenabled.com/ http://simonwillison.net/tags/openid/