The Implications of OpenID
Upcoming SlideShare
Loading in...5
×
 

The Implications of OpenID

on

  • 39,749 views

 

Statistics

Views

Total Views
39,749
Views on SlideShare
34,276
Embed Views
5,473

Actions

Likes
44
Downloads
744
Comments
7

39 Embeds 5,473

http://www.openid.it 4891
http://feeds.feedburner.com 194
http://blog.openid.it 113
http://retrorock.info 112
http://simonwillison.net 40
http://localhost 19
http://lifein360.blogspot.com 16
http://gnuband.org 14
http://www.xslf.com 10
http://www.slideshare.net 9
http://www.gnuband.org 7
http://wilburhimself.local 5
https://www.linkedin.com 4
http://webcache.googleusercontent.com 4
http://doc.javastaff.com 3
http://www.filescon.com 2
http://www.linkedin.com 2
http://feeds.simonwillison.net 2
http://www.cs.man.ac.uk 2
http://www.techbangalore.net 2
http://techmag.biz 2
http://www.onofftips.com 2
http://raffaeledoti.blogspot.com 2
http://www.oplahol.com 1
http://wildfire.gigya.com 1
http://comkids.blogspot.com 1
http://it.bing.com 1
https://truffles.ogilvy.com 1
http://www.stalkked.com 1
http://66.196.80.202 1
http://www.comkids.co.il 1
http://newshutch.com 1
http://64.233.169.104 1
file:// 1
http://androidrental.com 1
http://bookmarkingwebsites.com 1
http://headbandcomputer.com 1
http://celebrityrobot.com 1
http://psiriwardena.blogspot.com 1
More...

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel

15 of 7 Post a comment

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
  • Many of us used OpenID for easier logging. I’m Ana Mui Stanley, working on my latest site on lyrics, www.lyrics-search.org/ . I enjoy reading the slide.
    Are you sure you want to
    Your message goes here
    Processing…
  • I have learned a couple of things from your presentation. Nicely done!

    http://www.riding-mower.org/

    http://www.riding-mower.org/la105-john-deere-lawn-tractor/
    Are you sure you want to
    Your message goes here
    Processing…
  • Very clear presentation on OpenID. Bookmarked.

    John.
    www.freeringtones.ws/
    Are you sure you want to
    Your message goes here
    Processing…
  • outstanding display..convinced me to have a hardlook at my business model..great
    Teisha
    http://dashinghealth.com http://healthimplants.com
    Are you sure you want to
    Your message goes here
    Processing…
  • Hello.. sound good.. great sharing

    Regards
    Anisa
    http://phonehut.info
    http://www.jpolls.net
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

The Implications of OpenID The Implications of OpenID Presentation Transcript

  • The implications of Simon Willison XTech, 18th May 2007
  • This talk is not about identity
  • “identity” implies lots of unanswered questions
  • I’m bored of unanswered questions
  • I’m going to answer as many questions as possible
  • (To keep things easy, I get to ask them)
  • Who here has used OpenID?
  • Who uses it regularly?
  • What is OpenID?
  • OpenID is a decentralised mechanism for Single Sign On
  • What problems does it solve?
  • “Too many passwords!”
  • “Someone else nabbed my username”
  • “My online profile is scattered across dozens of sites” (potentially, at least)
  • What is an OpenID?
  • An OpenID is a URL
  • http://swillison.livejournal.com/
  • http://simonw.myopenid.com/
  • http://simonwillison.net/
  • http://openid.aol.com/simonwillison/
  • What can you do with an OpenID?
  • You can claim that you own it
  • You can prove that claim
  • Why is that useful?
  • You can use it for authentication
  • “Who the heck are you?!”
  • “I’m simonwillison.net”
  • “prove it!”
  • (magic happens)
  • “OK, you’re in!”
  • So it’s a bit like Microsoft Passport, then?
  • Yes, but Microsoft don’t get to own your credentials
  • Who does get to own them, then?
  • You, the user, decide.
  • You pick a provider
  • (just like e-mail)
  • So I’m still giving someone the keys to my kingdom?
  • Yes, but it can be someone you trust
  • If you have the ability to run your own server software, you can do it for yourself.
  • OK, how do I use it?
  • So my users don’t have to sign up for an account?
  • Not necessarily
  • An OpenID tells you very little about a user
  • You don’t know their name
  • You don’t know their e-mail address
  • You don’t know if they’re a person or an evil robot
  • (or a dog)
  • Where do I get that information from?
  • You ask them!
  • OpenID can even help them answer
  • How can I tell if they’re an evil spambot?
  • Same as usual: challenge them with a CAPTCHA
  • botbouncer.com can tell you if their OpenID has passed a CAPTCHA before
  • (assuming you trust botbouncer.com)
  • So how does OpenID actually work?
  • <link rel=quot;openid.serverquot; href=quot;http://www.myopenid.com/serverquot; />
  • “I’m simonwillison.myopenid.com”
  • Site fetches HTML, discovers identity provider
  • Establishes shared secret with identity provider (Using Diffie-Hellman key exchange)
  • Redirects you to the identity provider
  • If you’re logged in there, you get redirected back
  • How does my identity provider know who I am?
  • OpenID deliberately doesn’t specify
  • username/password is common
  • But providers can use other methods if they want to
  • Client SSL certificates
  • Out of band authentication via SMS, e-mail or Jabber
  • IP based login restrictions
  • (one guy set that up using DynDNS)
  • SecurID keyfobs
  • No authentication at all (just say “Yes”)
  • Just say “yes”?
  • Yup. That’s the OpenID version of bugmenot.com
  • http://www.jkg.in/openid/
  • Users can give away their passwords today - this is just the OpenID equivalent
  • What if I decide I hate my provider?
  • Use your own domain name
  • Delegate to a provider you trust
  • <link rel=quot;openid.serverquot; href=quot;http://www.livejournal.com/openid/server.bmlquot;> <link rel=quot;openid.delegatequot; href=quot;http://swillison.livejournal.com/quot;>
  • Support for delegation is compulsory
  • Minimise lock in
  • So everyone will end up with one OpenID that they use for everything?
  • Probably not
  • (I have half a dozen OpenIDs already)
  • People like maintaining multiple online personas
  • professional social secret ...
  • OpenID makes it easier to manage multiple online personas
  • Different OpenIDs can express different things
  • My AOL OpenID proves my AIM screen name
  • A last.fm OpenID could incorporate my taste in music
  • My LiveJournal OpenID tells you where to find my blog
  • ... and a FOAF file listing my friends
  • doxory.com uses this for contact imports
  • An OpenID from sun.com proves that someone is a current Sun employee
  • Why is OpenID worth implementing over all the other identity standards?
  • It’s simple
  • Unix philosophy: It solves one, tiny problem
  • It’s a dumb network
  • Many of the competing standards are now on board
  • Isn’t putting all my eggs in one basket a really bad idea?
  • Bad news: chances are you already do
  • “I forgot my password” means your e-mail account is already an SSO mechanism
  • OpenID just makes this a bit more obvious
  • What about phishing?
  • Phishing is a problem
  • I can has lolcats!? BETA Make your own lolcats! lol Sign in with your OpenID: OpenID: Sign in
  • Fake edition Your identity provider Username and password, please! Username: Password: Log in
  • Identity theft :(
  • An untrusted site redirects you to your trusted provider
  • Sound familiar?
  • That’s how Paypal works!
  • It still sucks though
  • One solution: don’t let the user log in on the identity provider “landing page”
  • Better solutions
  • CardSpace
  • Seat belt
  • Native browser support for OpenID
  • Competition between providers
  • How do I implement OpenID on my site?
  • As a consumer...
  • Grab an OpenID library for your chosen language or platform
  • www.openidenabled.com
  • Allow your existing users to associate their accounts with one or more OpenIDs
  • (make sure you authenticate the OpenIDs first)
  • Allow people to kick- start the registration process with their OpenID
  • Make passwords optional during signup if an OpenID has already been confirmed
  • As a provider...
  • Figure out your anti- phishing mechanism
  • Read the spec!
  • Why allow multiple OpenIDs per account?
  • People can still sign in if one of their providers is down
  • People can un-associate an OpenID without locking themselves out
  • You can take advantage of site-specific services around OpenID
  • Any other neat tricks?
  • Yes, lots!
  • Lightweight accounts
  • Pre-approved accounts
  • Social whitelists
  • OpenID and hCard
  • Decentralised social networks?
  • “People keep asking me to join the LinkedIn network, but I’m already part of a network, it’s called the Internet.” Gary McGraw, via Jon Udell, via Gavin Bell
  • What are the privacy implications?
  • Cross correlation of accounts
  • Don’t publish a user’s OpenID without explicit permission
  • The online equivalent of a credit reporting agency?
  • This could be built today by sites conspiring to share e-mail addresses
  • IANAL, but legal protections against this already exist
  • OpenID 2.0 makes it trivial to use a different OpenID for every site
  • Patents?
  • Sun have pre-announced a “patent covenant”
  • They won’t clobber OpenID with their patents
  • They’ll clobber anyone else who tries to
  • Who else is involved?
  • AOL - provider, full consumer by end of June
  • Microsoft: Bill Gates expressed their interest
  • (Mainly as good PR for CardSpace)
  • Sun: Patent Covenant, 33,000 employees
  • Six Apart
  • VeriSign
  • JanRain
  • You?
  • http://openid.net/ http://www.openidenabled.com/ http://simonwillison.net/tags/openid/
  • Thank you