Your SlideShare is downloading. ×
0
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
The Implications of OpenID
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

The Implications of OpenID

29,497

Published on

Published in: Technology
7 Comments
45 Likes
Statistics
Notes
  • Many of us used OpenID for easier logging. I’m Ana Mui Stanley, working on my latest site on lyrics, www.lyrics-search.org/ . I enjoy reading the slide.
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • I have learned a couple of things from your presentation. Nicely done!

    http://www.riding-mower.org/

    http://www.riding-mower.org/la105-john-deere-lawn-tractor/
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Very clear presentation on OpenID. Bookmarked.

    John.
    www.freeringtones.ws/
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • outstanding display..convinced me to have a hardlook at my business model..great
    Teisha
    http://dashinghealth.com http://healthimplants.com
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Hello.. sound good.. great sharing

    Regards
    Anisa
    http://phonehut.info
    http://www.jpolls.net
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Views
Total Views
29,497
On Slideshare
0
From Embeds
0
Number of Embeds
7
Actions
Shares
0
Downloads
753
Comments
7
Likes
45
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. The implications of Simon Willison XTech, 18th May 2007
  • 2. This talk is not about identity
  • 3. “identity” implies lots of unanswered questions
  • 4. I’m bored of unanswered questions
  • 5. I’m going to answer as many questions as possible
  • 6. (To keep things easy, I get to ask them)
  • 7. Who here has used OpenID?
  • 8. Who uses it regularly?
  • 9. What is OpenID?
  • 10. OpenID is a decentralised mechanism for Single Sign On
  • 11. What problems does it solve?
  • 12. “Too many passwords!”
  • 13. “Someone else nabbed my username”
  • 14. “My online profile is scattered across dozens of sites” (potentially, at least)
  • 15. What is an OpenID?
  • 16. An OpenID is a URL
  • 17. http://swillison.livejournal.com/
  • 18. http://simonw.myopenid.com/
  • 19. http://simonwillison.net/
  • 20. http://openid.aol.com/simonwillison/
  • 21. What can you do with an OpenID?
  • 22. You can claim that you own it
  • 23. You can prove that claim
  • 24. Why is that useful?
  • 25. You can use it for authentication
  • 26. “Who the heck are you?!”
  • 27. “I’m simonwillison.net”
  • 28. “prove it!”
  • 29. (magic happens)
  • 30. “OK, you’re in!”
  • 31. So it’s a bit like Microsoft Passport, then?
  • 32. Yes, but Microsoft don’t get to own your credentials
  • 33. Who does get to own them, then?
  • 34. You, the user, decide.
  • 35. You pick a provider
  • 36. (just like e-mail)
  • 37. So I’m still giving someone the keys to my kingdom?
  • 38. Yes, but it can be someone you trust
  • 39. If you have the ability to run your own server software, you can do it for yourself.
  • 40. OK, how do I use it?
  • 41. So my users don’t have to sign up for an account?
  • 42. Not necessarily
  • 43. An OpenID tells you very little about a user
  • 44. You don’t know their name
  • 45. You don’t know their e-mail address
  • 46. You don’t know if they’re a person or an evil robot
  • 47. (or a dog)
  • 48. Where do I get that information from?
  • 49. You ask them!
  • 50. OpenID can even help them answer
  • 51. How can I tell if they’re an evil spambot?
  • 52. Same as usual: challenge them with a CAPTCHA
  • 53. botbouncer.com can tell you if their OpenID has passed a CAPTCHA before
  • 54. (assuming you trust botbouncer.com)
  • 55. So how does OpenID actually work?
  • 56. <link rel=quot;openid.serverquot; href=quot;http://www.myopenid.com/serverquot; />
  • 57. “I’m simonwillison.myopenid.com”
  • 58. Site fetches HTML, discovers identity provider
  • 59. Establishes shared secret with identity provider (Using Diffie-Hellman key exchange)
  • 60. Redirects you to the identity provider
  • 61. If you’re logged in there, you get redirected back
  • 62. How does my identity provider know who I am?
  • 63. OpenID deliberately doesn’t specify
  • 64. username/password is common
  • 65. But providers can use other methods if they want to
  • 66. Client SSL certificates
  • 67. Out of band authentication via SMS, e-mail or Jabber
  • 68. IP based login restrictions
  • 69. (one guy set that up using DynDNS)
  • 70. SecurID keyfobs
  • 71. No authentication at all (just say “Yes”)
  • 72. Just say “yes”?
  • 73. Yup. That’s the OpenID version of bugmenot.com
  • 74. http://www.jkg.in/openid/
  • 75. Users can give away their passwords today - this is just the OpenID equivalent
  • 76. What if I decide I hate my provider?
  • 77. Use your own domain name
  • 78. Delegate to a provider you trust
  • 79. <link rel=quot;openid.serverquot; href=quot;http://www.livejournal.com/openid/server.bmlquot;> <link rel=quot;openid.delegatequot; href=quot;http://swillison.livejournal.com/quot;>
  • 80. Support for delegation is compulsory
  • 81. Minimise lock in
  • 82. So everyone will end up with one OpenID that they use for everything?
  • 83. Probably not
  • 84. (I have half a dozen OpenIDs already)
  • 85. People like maintaining multiple online personas
  • 86. professional social secret ...
  • 87. OpenID makes it easier to manage multiple online personas
  • 88. Different OpenIDs can express different things
  • 89. My AOL OpenID proves my AIM screen name
  • 90. A last.fm OpenID could incorporate my taste in music
  • 91. My LiveJournal OpenID tells you where to find my blog
  • 92. ... and a FOAF file listing my friends
  • 93. doxory.com uses this for contact imports
  • 94. An OpenID from sun.com proves that someone is a current Sun employee
  • 95. Why is OpenID worth implementing over all the other identity standards?
  • 96. It’s simple
  • 97. Unix philosophy: It solves one, tiny problem
  • 98. It’s a dumb network
  • 99. Many of the competing standards are now on board
  • 100. Isn’t putting all my eggs in one basket a really bad idea?
  • 101. Bad news: chances are you already do
  • 102. “I forgot my password” means your e-mail account is already an SSO mechanism
  • 103. OpenID just makes this a bit more obvious
  • 104. What about phishing?
  • 105. Phishing is a problem
  • 106. I can has lolcats!? BETA Make your own lolcats! lol Sign in with your OpenID: OpenID: Sign in
  • 107. Fake edition Your identity provider Username and password, please! Username: Password: Log in
  • 108. Identity theft :(
  • 109. An untrusted site redirects you to your trusted provider
  • 110. Sound familiar?
  • 111. That’s how Paypal works!
  • 112. It still sucks though
  • 113. One solution: don’t let the user log in on the identity provider “landing page”
  • 114. Better solutions
  • 115. CardSpace
  • 116. Seat belt
  • 117. Native browser support for OpenID
  • 118. Competition between providers
  • 119. How do I implement OpenID on my site?
  • 120. As a consumer...
  • 121. Grab an OpenID library for your chosen language or platform
  • 122. www.openidenabled.com
  • 123. Allow your existing users to associate their accounts with one or more OpenIDs
  • 124. (make sure you authenticate the OpenIDs first)
  • 125. Allow people to kick- start the registration process with their OpenID
  • 126. Make passwords optional during signup if an OpenID has already been confirmed
  • 127. As a provider...
  • 128. Figure out your anti- phishing mechanism
  • 129. Read the spec!
  • 130. Why allow multiple OpenIDs per account?
  • 131. People can still sign in if one of their providers is down
  • 132. People can un-associate an OpenID without locking themselves out
  • 133. You can take advantage of site-specific services around OpenID
  • 134. Any other neat tricks?
  • 135. Yes, lots!
  • 136. Lightweight accounts
  • 137. Pre-approved accounts
  • 138. Social whitelists
  • 139. OpenID and hCard
  • 140. Decentralised social networks?
  • 141. “People keep asking me to join the LinkedIn network, but I’m already part of a network, it’s called the Internet.” Gary McGraw, via Jon Udell, via Gavin Bell
  • 142. What are the privacy implications?
  • 143. Cross correlation of accounts
  • 144. Don’t publish a user’s OpenID without explicit permission
  • 145. The online equivalent of a credit reporting agency?
  • 146. This could be built today by sites conspiring to share e-mail addresses
  • 147. IANAL, but legal protections against this already exist
  • 148. OpenID 2.0 makes it trivial to use a different OpenID for every site
  • 149. Patents?
  • 150. Sun have pre-announced a “patent covenant”
  • 151. They won’t clobber OpenID with their patents
  • 152. They’ll clobber anyone else who tries to
  • 153. Who else is involved?
  • 154. AOL - provider, full consumer by end of June
  • 155. Microsoft: Bill Gates expressed their interest
  • 156. (Mainly as good PR for CardSpace)
  • 157. Sun: Patent Covenant, 33,000 employees
  • 158. Six Apart
  • 159. VeriSign
  • 160. JanRain
  • 161. You?
  • 162. http://openid.net/ http://www.openidenabled.com/ http://simonwillison.net/tags/openid/
  • 163. Thank you

×