The Implications of OpenID

From simon, 2 years ago

Slideshow transcript

Slide 1: The implications of OpenID. Simon Willison, XTech, 18th May 2007

Slide 2: This talk is not about identity

Slide 3: “identity” implies lots of unanswered questions

Slide 4: I’m bored of unanswered questions

Slide 5: I’m going to answer as many questions as possible

Slide 6: (To keep things easy, I get to ask them)

Slide 7: Who here has used OpenID?

Slide 8: Who uses it regularly?

Slide 10: What is OpenID?

Slide 11: OpenID is a decentralised mechanism for Single Sign On

Slide 12: What problems does it solve?

Slide 13: “Too many passwords!”

Slide 14: “Someone else nabbed my username”

Slide 15: “My online profile is scattered across dozens of sites” (potentially, at least)

Slide 16: What is an OpenID?

Slide 17: An OpenID is a URL

Slide 18: http://swillison.livejournal.com/

Slide 19: http://simonw.myopenid.com/

Slide 20: http://simonwillison.net/

Slide 21: http://openid.aol.com/simonwillison/

Slide 22: What can you do with an OpenID?

Slide 23: You can claim that you own it

Slide 24: You can prove that claim

Slide 25: Why is that useful?

Slide 26: You can use it for authentication

Slide 27: “Who the heck are you?!”

Slide 28: “I’m simonwillison.net”

Slide 29: “prove it!”

Slide 30: (magic happens)

Slide 31: “OK, you’re in!”

Slide 32: So it’s a bit like Microsoft Passport, then?

Slide 33: Yes, but Microsoft don’t get to own your credentials

Slide 34: Who does get to own them, then?

Slide 35: You, the user, decide.

Slide 36: You pick a provider

Slide 37: (just like e-mail)

Slide 38: So I’m still giving someone the keys to my kingdom?

Slide 39: Yes, but it can be someone you trust

Slide 40: If you have the ability to run your own server software, you can do it for yourself.

Slide 41: OK, how do I use it?

Slide 47: So my users don’t have to sign up for an account?

Slide 48: Not necessarily

Slide 49: An OpenID tells you very little about a user

Slide 50: You don’t know their name

Slide 51: You don’t know their e-mail address

Slide 52: You don’t know if they’re a person or an evil robot

Slide 53: (or a dog)

Slide 54: Where do I get that information from?

Slide 55: You ask them!

Slide 56: OpenID can even help them answer

Slide 61: How can I tell if they’re an evil spambot?

Slide 62: Same as usual: challenge them with a CAPTCHA

Slide 63: botbouncer.com can tell you if their OpenID has passed a CAPTCHA before

Slide 64: (assuming you trust botbouncer.com)

Slide 65: So how does OpenID actually work?

Slide 68: <link rel="openid.server" href="http://www.myopenid.com/server" />

Slide 69: “I’m simonwillison.myopenid.com”

Slide 70: Site fetches HTML, discovers identity provider

Slide 71: Establishes shared secret with identity provider (Using Diffie-Hellman key exchange)

Slide 72: Redirects you to the identity provider

Slide 73: If you’re logged in there, you get redirected back

Slide 74: How does my identity provider know who I am?

Slide 75: OpenID deliberately doesn’t specify

Slide 76: username/password is common

Slide 77: But providers can use other methods if they want to

Slide 78: Client SSL certificates

Slide 79: Out of band authentication via SMS, e-mail or Jabber

Slide 80: IP based login restrictions

Slide 81: (one guy set that up using DynDNS)

Slide 82: SecurID keyfobs

Slide 83: No authentication at all (just say “Yes”)

Slide 84: Just say “yes”?

Slide 85: Yup. That’s the OpenID version of bugmenot.com

Slide 86: http://www.jkg.in/openid/

Slide 87: Users can give away their passwords today - this is just the OpenID equivalent

Slide 88: What if I decide I hate my provider?

Slide 89: Use your own domain name

Slide 90: Delegate to a provider you trust

Slide 93: <link rel="openid.server" href="http://www.livejournal.com/openid/server.bml"> <link rel="openid.delegate" href="http://swillison.livejournal.com/">

Slide 94: Support for delegation is compulsory

Slide 95: Minimise lock in
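Slides 68 to 70 (discovery) and 93 to 95 (delegation) describe the first thing a consumer site does with a claimed OpenID URL. The following is an added example, not code from the talk or from any OpenID library: it parses the two link tags from constructed identity pages and decides which URL the provider will be asked to verify. The page contents and the function names are assumptions for illustration.

```python
from html.parser import HTMLParser
from typing import Optional, Tuple

# Constructed sample identity pages (not fetched from the real URLs).
PLAIN_PAGE = """<html><head>
<link rel="openid.server" href="http://www.myopenid.com/server" />
</head><body>simon</body></html>"""

DELEGATED_PAGE = """<html><head>
<link rel="openid.server" href="http://www.livejournal.com/openid/server.bml">
<link rel="openid.delegate" href="http://swillison.livejournal.com/">
</head><body>simonwillison.net</body></html>"""


class _OpenIDLinkParser(HTMLParser):
    """Collects the openid.server / openid.delegate <link> tags in <head>."""

    def __init__(self) -> None:
        super().__init__()
        self.server: Optional[str] = None
        self.delegate: Optional[str] = None
        self._in_head = True  # stop honouring <link> once <body> starts

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self._in_head = False
        if tag != "link" or not self._in_head:
            return
        attr = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        rels = (attr.get("rel") or "").lower().split()
        href = attr.get("href")
        if not href:
            return
        # Keep the first matching tag of each kind; later duplicates are ignored.
        if "openid.server" in rels and self.server is None:
            self.server = href
        if "openid.delegate" in rels and self.delegate is None:
            self.delegate = href


def discover(claimed_id: str, html: str) -> Tuple[str, str]:
    """Return (server_url, identity_to_verify) for a claimed OpenID URL.
    With delegation the site still records claimed_id as the user's OpenID
    but asks the discovered server to verify the delegate URL instead."""
    parser = _OpenIDLinkParser()
    parser.feed(html)
    if parser.server is None:
        raise ValueError("no openid.server link found at %s" % claimed_id)
    return parser.server, (parser.delegate or claimed_id)
```

The shared-secret association and the redirect to the provider (slides 71 to 73) happen after this step, using the server URL returned here.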

Slide 96: So everyone will end up with one OpenID that they use for everything?

Slide 97: Probably not

Slide 98: (I have half a dozen OpenIDs already)

Slide 99: People like maintaining multiple online personas

Slide 100: professional, social, secret ...

Slide 101: OpenID makes it easier to manage multiple online personas

Slide 102: Different OpenIDs can express different things

Slide 103: My AOL OpenID proves my AIM screen name

Slide 104: A last.fm OpenID could incorporate my taste in music

Slide 105: My LiveJournal OpenID tells you where to find my blog

Slide 106: ... and a FOAF file listing my friends

Slide 107: doxory.com uses this for contact imports

Slide 108: An OpenID from sun.com proves that someone is a current Sun employee

Slide 109: Why is OpenID worth implementing over all the other identity standards?

Slide 110: It’s simple

Slide 111: Unix philosophy: It solves one, tiny problem

Slide 112: It’s a dumb network

Slide 113: Many of the competing standards are now on board

Slide 114: Isn’t putting all my eggs in one basket a really bad idea?

Slide 115: Bad news: chances are you already do

Slide 116: “I forgot my password” means your e-mail account is already an SSO mechanism

Slide 117: OpenID just makes this a bit more obvious

Slide 118: What about phishing?

Slide 119: Phishing is a problem

Slide 120: I can has lolcats!? BETA Make your own lolcats! lol Sign in with your OpenID: OpenID: Sign in

Slide 121: Fake edition Your identity provider Username and password, please! Username: Password: Log in

Slide 122: Identity theft :(

Slide 123: An untrusted site redirects you to your trusted provider

Slide 124: Sound familiar?

Slide 125: That’s how Paypal works!

Slide 126: It still sucks though

Slide 127: One solution: don’t let the user log in on the identity provider “landing page”

Slide 129: Better solutions

Slide 130: CardSpace

Slide 131: Seat belt

Slide 132: Native browser support for OpenID

Slide 133: Competition between providers

Slide 134: How do I implement OpenID on my site?

Slide 135: As a consumer...

Slide 136: Grab an OpenID library for your chosen language or platform

Slide 137: www.openidenabled.com

Slide 138: Allow your existing users to associate their accounts with one or more OpenIDs

Slide 139: (make sure you authenticate the OpenIDs first)

Slide 140: Allow people to kick-start the registration process with their OpenID

Slide 141: Make passwords optional during signup if an OpenID has already been confirmed

Slide 142: As a provider...

Slide 143: Figure out your anti-phishing mechanism

Slide 144: Read the spec!

Slide 145: Why allow multiple OpenIDs per account?

Slide 146: People can still sign in if one of their providers is down

Slide 147: People can un-associate an OpenID without locking themselves out

Slide 148: You can take advantage of site-specific services around OpenID

Slide 149: Any other neat tricks?

Slide 150: Yes, lots!

Slide 151: Lightweight accounts

Slide 152: Pre-approved accounts

Slide 153: Social whitelists

Slide 154: OpenID and hCard

Slide 155: Decentralised social networks?

Slide 156: “People keep asking me to join the LinkedIn network, but I’m already part of a network, it’s called the Internet.” Gary McGraw, via Jon Udell, via Gavin Bell

Slide 157: What are the privacy implications?

Slide 158: Cross correlation of accounts

Slide 159: Don’t publish a user’s OpenID without explicit permission

Slide 160: The online equivalent of a credit reporting agency?

Slide 161: This could be built today by sites conspiring to share e-mail addresses

Slide 162: IANAL, but legal protections against this already exist

Slide 163: OpenID 2.0 makes it trivial to use a different OpenID for every site

Slide 164: Patents?

Slide 165: Sun have pre-announced a “patent covenant”

Slide 166: They won’t clobber OpenID with their patents

Slide 167: They’ll clobber anyone else who tries to

Slide 168: Who else is involved?

Slide 169: AOL - provider, full consumer by end of June

Slide 170: Microsoft: Bill Gates expressed their interest

Slide 171: (Mainly as good PR for CardSpace)

Slide 172: Sun: Patent Covenant, 33,000 employees

Slide 173: Six Apart

Slide 174: VeriSign

Slide 175: JanRain

Slide 176: You?

Slide 177: http://openid.net/ http://www.openidenabled.com/ http://simonwillison.net/tags/openid/

Slide 178: Thank you