The Implications of OpenID

  • 29,102 views
Uploaded on

 

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
  • Many of us used OpenID for easier logging. I’m Ana Mui Stanley, working on my latest site on lyrics, www.lyrics-search.org/ . I enjoy reading the slide.
    Are you sure you want to
    Your message goes here
  • I have learned a couple of things from your presentation. Nicely done!

    http://www.riding-mower.org/

    http://www.riding-mower.org/la105-john-deere-lawn-tractor/
    Are you sure you want to
    Your message goes here
  • Very clear presentation on OpenID. Bookmarked.

    John.
    www.freeringtones.ws/
    Are you sure you want to
    Your message goes here
  • outstanding display..convinced me to have a hardlook at my business model..great
    Teisha
    http://dashinghealth.com http://healthimplants.com
    Are you sure you want to
    Your message goes here
  • Hello.. sound good.. great sharing

    Regards
    Anisa
    http://phonehut.info
    http://www.jpolls.net
    Are you sure you want to
    Your message goes here
No Downloads

Views

Total Views
29,102
On Slideshare
0
From Embeds
0
Number of Embeds
7

Actions

Shares
Downloads
748
Comments
7
Likes
44

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. The implications of Simon Willison XTech, 18th May 2007
  • 2. This talk is not about identity
  • 3. “identity” implies lots of unanswered questions
  • 4. I’m bored of unanswered questions
  • 5. I’m going to answer as many questions as possible
  • 6. (To keep things easy, I get to ask them)
  • 7. Who here has used OpenID?
  • 8. Who uses it regularly?
  • 9. What is OpenID?
  • 10. OpenID is a decentralised mechanism for Single Sign On
  • 11. What problems does it solve?
  • 12. “Too many passwords!”
  • 13. “Someone else nabbed my username”
  • 14. “My online profile is scattered across dozens of sites” (potentially, at least)
  • 15. What is an OpenID?
  • 16. An OpenID is a URL
  • 17. http://swillison.livejournal.com/
  • 18. http://simonw.myopenid.com/
  • 19. http://simonwillison.net/
  • 20. http://openid.aol.com/simonwillison/
  • 21. What can you do with an OpenID?
  • 22. You can claim that you own it
  • 23. You can prove that claim
  • 24. Why is that useful?
  • 25. You can use it for authentication
  • 26. “Who the heck are you?!”
  • 27. “I’m simonwillison.net”
  • 28. “prove it!”
  • 29. (magic happens)
  • 30. “OK, you’re in!”
  • 31. So it’s a bit like Microsoft Passport, then?
  • 32. Yes, but Microsoft don’t get to own your credentials
  • 33. Who does get to own them, then?
  • 34. You, the user, decide.
  • 35. You pick a provider
  • 36. (just like e-mail)
  • 37. So I’m still giving someone the keys to my kingdom?
  • 38. Yes, but it can be someone you trust
  • 39. If you have the ability to run your own server software, you can do it for yourself.
  • 40. OK, how do I use it?
  • 41. So my users don’t have to sign up for an account?
  • 42. Not necessarily
  • 43. An OpenID tells you very little about a user
  • 44. You don’t know their name
  • 45. You don’t know their e-mail address
  • 46. You don’t know if they’re a person or an evil robot
  • 47. (or a dog)
  • 48. Where do I get that information from?
  • 49. You ask them!
  • 50. OpenID can even help them answer
  • 51. How can I tell if they’re an evil spambot?
  • 52. Same as usual: challenge them with a CAPTCHA
  • 53. botbouncer.com can tell you if their OpenID has passed a CAPTCHA before
  • 54. (assuming you trust botbouncer.com)
  • 55. So how does OpenID actually work?
  • 56. <link rel=quot;openid.serverquot; href=quot;http://www.myopenid.com/serverquot; />
  • 57. “I’m simonwillison.myopenid.com”
  • 58. Site fetches HTML, discovers identity provider
  • 59. Establishes shared secret with identity provider (Using Diffie-Hellman key exchange)
  • 60. Redirects you to the identity provider
  • 61. If you’re logged in there, you get redirected back
  • 62. How does my identity provider know who I am?
  • 63. OpenID deliberately doesn’t specify
  • 64. username/password is common
  • 65. But providers can use other methods if they want to
  • 66. Client SSL certificates
  • 67. Out of band authentication via SMS, e-mail or Jabber
  • 68. IP based login restrictions
  • 69. (one guy set that up using DynDNS)
  • 70. SecurID keyfobs
  • 71. No authentication at all (just say “Yes”)
  • 72. Just say “yes”?
  • 73. Yup. That’s the OpenID version of bugmenot.com
  • 74. http://www.jkg.in/openid/
  • 75. Users can give away their passwords today - this is just the OpenID equivalent
  • 76. What if I decide I hate my provider?
  • 77. Use your own domain name
  • 78. Delegate to a provider you trust
  • 79. <link rel=quot;openid.serverquot; href=quot;http://www.livejournal.com/openid/server.bmlquot;> <link rel=quot;openid.delegatequot; href=quot;http://swillison.livejournal.com/quot;>
  • 80. Support for delegation is compulsory
  • 81. Minimise lock in
  • 82. So everyone will end up with one OpenID that they use for everything?
  • 83. Probably not
  • 84. (I have half a dozen OpenIDs already)
  • 85. People like maintaining multiple online personas
  • 86. professional social secret ...
  • 87. OpenID makes it easier to manage multiple online personas
  • 88. Different OpenIDs can express different things
  • 89. My AOL OpenID proves my AIM screen name
  • 90. A last.fm OpenID could incorporate my taste in music
  • 91. My LiveJournal OpenID tells you where to find my blog
  • 92. ... and a FOAF file listing my friends
  • 93. doxory.com uses this for contact imports
  • 94. An OpenID from sun.com proves that someone is a current Sun employee
  • 95. Why is OpenID worth implementing over all the other identity standards?
  • 96. It’s simple
  • 97. Unix philosophy: It solves one, tiny problem
  • 98. It’s a dumb network
  • 99. Many of the competing standards are now on board
  • 100. Isn’t putting all my eggs in one basket a really bad idea?
  • 101. Bad news: chances are you already do
  • 102. “I forgot my password” means your e-mail account is already an SSO mechanism
  • 103. OpenID just makes this a bit more obvious
  • 104. What about phishing?
  • 105. Phishing is a problem
  • 106. I can has lolcats!? BETA Make your own lolcats! lol Sign in with your OpenID: OpenID: Sign in
  • 107. Fake edition Your identity provider Username and password, please! Username: Password: Log in
  • 108. Identity theft :(
  • 109. An untrusted site redirects you to your trusted provider
  • 110. Sound familiar?
  • 111. That’s how Paypal works!
  • 112. It still sucks though
  • 113. One solution: don’t let the user log in on the identity provider “landing page”
  • 114. Better solutions
  • 115. CardSpace
  • 116. Seat belt
  • 117. Native browser support for OpenID
  • 118. Competition between providers
  • 119. How do I implement OpenID on my site?
  • 120. As a consumer...
  • 121. Grab an OpenID library for your chosen language or platform
  • 122. www.openidenabled.com
  • 123. Allow your existing users to associate their accounts with one or more OpenIDs
  • 124. (make sure you authenticate the OpenIDs first)
  • 125. Allow people to kick- start the registration process with their OpenID
  • 126. Make passwords optional during signup if an OpenID has already been confirmed
  • 127. As a provider...
  • 128. Figure out your anti- phishing mechanism
  • 129. Read the spec!
  • 130. Why allow multiple OpenIDs per account?
  • 131. People can still sign in if one of their providers is down
  • 132. People can un-associate an OpenID without locking themselves out
  • 133. You can take advantage of site-specific services around OpenID
  • 134. Any other neat tricks?
  • 135. Yes, lots!
  • 136. Lightweight accounts
  • 137. Pre-approved accounts
  • 138. Social whitelists
  • 139. OpenID and hCard
  • 140. Decentralised social networks?
  • 141. “People keep asking me to join the LinkedIn network, but I’m already part of a network, it’s called the Internet.” Gary McGraw, via Jon Udell, via Gavin Bell
  • 142. What are the privacy implications?
  • 143. Cross correlation of accounts
  • 144. Don’t publish a user’s OpenID without explicit permission
  • 145. The online equivalent of a credit reporting agency?
  • 146. This could be built today by sites conspiring to share e-mail addresses
  • 147. IANAL, but legal protections against this already exist
  • 148. OpenID 2.0 makes it trivial to use a different OpenID for every site
  • 149. Patents?
  • 150. Sun have pre-announced a “patent covenant”
  • 151. They won’t clobber OpenID with their patents
  • 152. They’ll clobber anyone else who tries to
  • 153. Who else is involved?
  • 154. AOL - provider, full consumer by end of June
  • 155. Microsoft: Bill Gates expressed their interest
  • 156. (Mainly as good PR for CardSpace)
  • 157. Sun: Patent Covenant, 33,000 employees
  • 158. Six Apart
  • 159. VeriSign
  • 160. JanRain
  • 161. You?
  • 162. http://openid.net/ http://www.openidenabled.com/ http://simonwillison.net/tags/openid/
  • 163. Thank you