
Who am I? Who are you? Who is anybody?

One of the most difficult decisions in developing a Web site is how to manage user identity. As a user you have to assess the implications of connecting your Twitter or Facebook user to other random services. Meanwhile, enterprises are challenged to evaluate ever more magical products for connecting their silos with other silos, often in direct conflict with any desire for a RESTful architecture. Did innovation in authentication on the Web stop at usernames, passwords, and the HTTP Cookie? Does Firesheep mean you should serve everything over HTTPS? What happened to OpenID? Can outsourcing your userbase to Twitter, Facebook, Google or some other commercial entity really be a good idea?

This talk has some answers, but mostly offers a wide-ranging and opinionated tour of the current state of identity on the Web. There will be URIs and angle-brackets, but mostly anecdotes involving Venn diagrams, famous bridges, self-destructing kiosks and quantum computers.


  1. Who are You? Who am I? Who is Anybody?
  2. Who am I? Who are You? Who is Anybody?
  3. Who am I?
  4. I’m not ...
  5. <a href="http://lanyrd.com/people/psd" rel="me">Lanyrd</a>
  6. http://tools.microformatic.com/help/xhtml/rel-lint/
  7. http://socialgraph-resources.googlecode.com/svn/trunk/samples/findyours.html
  8. Social Graph API
  9. https://twitter.com/hotdogsladies/status/121634890612617216
  10. FAIL!
  11. http://inmaps.linkedinlabs.com/share/Paul_Downey/254787113202758123919768153472111744090
  12. Who are you?
  13. https://twitter.com/Jermolene/status/121537205608001536
  14. https://twitter.com/paulmadsen/status/122271400336699392
  15. Basic Authentication http://en.wikipedia.org/wiki/Basic_access_authentication
  16. Digest Authentication http://en.wikipedia.org/wiki/Digest_access_authentication
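Slides 15 and 16 only name the two HTTP authentication schemes. The block below is an added example (the editor's, not the speaker's) showing what each one actually puts in the Authorization header and what a network observer learns from it: Basic carries the credentials themselves (base64 is an encoding, not encryption), Digest carries an MD5 proof bound to a server nonce. The function names are the editor's; the test vectors are the worked examples from RFC 2617 (Aladdin / "open sesame" for Basic, Mufasa / "Circle Of Life" for Digest).

```python
"""Added example (editor's, not from the talk): Basic vs Digest on the wire.

Basic: Authorization: Basic base64(user:password)  -> password visible to
every hop that sees the header.
Digest (qop=auth): Authorization: Digest ... response=MD5(HA1:nonce:nc:
cnonce:qop:HA2) -> a proof, not the password (still MD5 and offline
guessable, which is why Digest is also considered weak today).
"""
import base64
import hashlib
import hmac


def basic_authorization(username, password):
    """Header value for HTTP Basic (RFC 2617 section 2)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def basic_decode(header):
    """What any observer of a Basic header learns: the plaintext pair."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def _md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(username, realm, password):
    """HA1 = MD5(username:realm:password). A server may store this instead
    of the password; it is realm-bound but otherwise unsalted."""
    return _md5_hex(f"{username}:{realm}:{password}")


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side, qop=auth (RFC 2617 section 3.2.2.1):
    HA2 = MD5(method:uri); response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = digest_ha1(username, realm, password)
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_verify(fields, method, stored_ha1):
    """Server side: recompute the expected proof from the stored HA1 and the
    parsed header fields, compare in constant time. Nonce freshness and the
    nonce-count (nc) replay check are assumed to be enforced elsewhere."""
    ha2 = _md5_hex(f"{method}:{fields['uri']}")
    expected = _md5_hex(
        f"{stored_ha1}:{fields['nonce']}:{fields['nc']}:"
        f"{fields['cnonce']}:{fields['qop']}:{ha2}"
    )
    return hmac.compare_digest(expected, fields["response"])


if __name__ == "__main__":
    print(basic_authorization("Aladdin", "open sesame"))
    print(basic_decode("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="))
    print(digest_response("Mufasa", "testrealm@host.com", "Circle Of Life",
                          "GET", "/dir/index.html",
                          "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                          "00000001", "0a4f113b"))
```

Note that `digest_verify` binds the proof to the HTTP method and URI through HA2, so a captured header cannot be replayed against a different resource; it does not by itself stop replay of the same request, which needs the server to track nonces and nonce counts.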
  17. PASSWORD REHABILITATION
  18. sha1
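The "sha1" slide is a single word, so here is an added example (the editor's, not the speaker's) of what the rehabilitation it alludes to looks like in code: the unsalted fast hash that many 2011 sites stored, beside a salted, iterated, self-describing record with a constant-time check, and a migrate-on-login path so existing users need no reset. PBKDF2-HMAC-SHA256 is used only because it ships with Python; bcrypt, scrypt or argon2 are the usual choices. Function names, the record format and the iteration count are the editor's assumptions.

```python
"""Added example (editor's, not from the talk): password storage before and
after 'rehabilitation'."""
import hashlib
import hmac
import os

ITERATIONS = 200_000  # tune so one verification costs ~100 ms on the server


def legacy_sha1_store(password):
    """Before: unsalted SHA-1. Identical passwords give identical digests
    across users and across sites, so one precomputed table cracks them all."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_store(password, salt=None, iterations=ITERATIONS):
    """After: per-user random salt and a deliberately slow iterated hash.
    Record format (editor's choice): pbkdf2_sha256$<iter>$<salt hex>$<dk hex>,
    so the parameters travel with the row and can be raised later."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password, record):
    try:
        alg, iterations, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if alg != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    # compare_digest does not leak how many leading bytes matched
    return hmac.compare_digest(dk.hex(), dk_hex)


def upgrade_on_login(password, legacy_digest, iterations=ITERATIONS):
    """Rehabilitation path: a login against a legacy sha1 row is checked the
    old way one last time, then the row is rewritten in the new format.
    Returns the new record, or None if the password was wrong."""
    if not hmac.compare_digest(legacy_sha1_store(password), legacy_digest):
        return None
    return pbkdf2_store(password, iterations=iterations)


if __name__ == "__main__":
    old = legacy_sha1_store("password")
    print("legacy :", old)
    new = upgrade_on_login("password", old)
    print("upgraded:", new)
    print(pbkdf2_verify("password", new), pbkdf2_verify("Password", new))
```

The legacy rows should be deleted as they are upgraded; keeping the old SHA-1 column alongside the new one leaves the whole weakness in place for anyone who dumps the table.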
  19. Secret URIs
      • http://farm3.static.flickr.com/2291/1806225034_50df5b8ba4_o.png
      • http://inmaps.linkedinlabs.com/share/Paul_Downey/254787113202758123919768153472111744090
  20. http://en.wikipedia.org/wiki/HTTP_cookie
  21. http://softwareas.com/signing-up-to-websites-1999-2009-a-montage
  22. https://github.com/hanssonlarsson/express-csrf
  23. EU Privacy Directive on Cookies
  24. http://www.davidnaylor.co.uk/eu-cookies-directive-interactive-guide-to-25th-may-and-what-it-means-for-you.html
  25. UX
  26. More Secure / Less pleasant to use
  27. DNS Is B0rken http://blog.icann.org/2008/11/why-the-dns-is-broken-in-plain-language/
  28. HTTPS
  29. $ openssl s_client -connect www.google.com:443 </dev/null | openssl x509 -outform DER | openssl sha1
      depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
      verify error:num=20:unable to get local issuer certificate
      verify return:0
      DONE
      405062e5befde4af97e9382af16cc87c8fb7c4e2
      $ dig +short 405062e5befde4af97e9382af16cc87c8fb7c4e2.certs.googlednstest.com TXT
      "14867 15062 74"
      http://googleonlinesecurity.blogspot.com/2011/04/improving-ssl-certificate-security.html
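The pipeline on slide 29 fingerprints the served certificate and looks the fingerprint up in Google's certificate catalog. The block below is an added example (the editor's, not the speaker's) of what those two steps compute: SHA-1 over the DER bytes (PEM is just that DER base64-encoded between BEGIN/END lines, so either form gives the same digest), the DNS name to query, and the meaning of the TXT answer, which the blog post linked on the slide describes as first-seen day, last-seen day (days since 1970-01-01) and the number of days the certificate was observed. The certificate bytes used are a constructed stand-in, not a real certificate; the TXT reply is the one on the slide; no DNS query is made, and the function names are the editor's.

```python
"""Added example (editor's, not from the talk): certificate fingerprint and
catalog answer from slide 29, computed offline."""
import base64
import datetime
import hashlib

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"
CATALOG_ZONE = "certs.googlednstest.com"
EPOCH = datetime.date(1970, 1, 1)


def der_from_pem(pem):
    """Strip the armour and base64-decode; the same bytes that
    `openssl x509 -outform DER` emits for PEM input."""
    body = pem.strip()
    if not (body.startswith(PEM_HEADER) and body.endswith(PEM_FOOTER)):
        raise ValueError("not a PEM certificate")
    inner = body[len(PEM_HEADER):-len(PEM_FOOTER)]
    return base64.b64decode("".join(inner.split()))


def pem_from_der(der):
    """Inverse of der_from_pem; used here only to build the constructed sample."""
    b64 = base64.encodebytes(der).decode("ascii")
    return f"{PEM_HEADER}\n{b64}{PEM_FOOTER}\n"


def sha1_fingerprint(der):
    """Same value as `openssl sha1` over the DER bytes, lowercase hex."""
    return hashlib.sha1(der).hexdigest()


def catalog_query_name(fingerprint_hex):
    """The name the slide feeds to dig: <sha1 hex>.certs.googlednstest.com."""
    fp = fingerprint_hex.lower()
    if len(fp) != 40 or set(fp) - set("0123456789abcdef"):
        raise ValueError("expected 40 hex characters of SHA-1")
    return f"{fp}.{CATALOG_ZONE}"


def parse_catalog_txt(txt):
    """Turn '"14867 15062 74"' into (first_seen, last_seen, days_seen,
    span_days) with ISO dates, checking that the three numbers cohere."""
    first, last, seen = (int(x) for x in txt.strip().strip('"').split())
    if last < first:
        raise ValueError("last-seen precedes first-seen")
    span = last - first + 1
    if seen < 1 or seen > span:
        raise ValueError("days-seen does not fit the first/last window")
    first_date = EPOCH + datetime.timedelta(days=first)
    last_date = EPOCH + datetime.timedelta(days=last)
    return first_date.isoformat(), last_date.isoformat(), seen, span


if __name__ == "__main__":
    # Constructed stand-in bytes, not a certificate.
    pem = pem_from_der(b"constructed stand-in, not a real certificate")
    fp = sha1_fingerprint(der_from_pem(pem))
    print(fp, catalog_query_name(fp))
    print(parse_catalog_txt('"14867 15062 74"'))
```

Two things worth knowing when reading the slide's output: the `verify error:num=20` line is `s_client` saying it had no CA bundle with which to chain the Thawte intermediate to a root, which does not affect the fingerprint; and the answer "14867 15062 74" decodes to a certificate first seen on 2010-09-15, last seen on 2011-03-29, and observed on 74 of those 196 days, which is the kind of history that lets you notice a certificate nobody else has ever seen.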
  30. Client Certs?
  31. http://codebutler.github.com/firesheep/
  32. https://www.eff.org/https-everywhere
  33. you have to opt-out .. .. in every browser .. .. this is evil .. .. and doomed to failure http://xauth.org/
  34. http://en.wikipedia.org/wiki/OpenID
  35. <XRD>
        <Subject>http://blog.example.com/article/id/314</Subject>
        <Alias>http://blog.example.com/cool_new_thing</Alias>
        <Expires>2010-01-30T09:30:00Z</Expires>
        <Type>http://blgx.example.net/ns/version/1.2</Type>
        <Type>http://blgx.example.net/ns/ext/language</Type>
        <Link>
          <Rel>author</Rel>
          <URI>http://blog.example.com/author/steve</URI>
          <MediaType>text/html</MediaType>
        </Link>
      </XRD>
      http://hueniverse.com/2009/03/xrd-sneak-peek/
  36. https://dev.twitter.com/docs/auth/oauth
  37. Delegation UX
  38. The “F” Word
  39. Federated
  40. https://twitter.com/hipsterhacker/status/77716476873801728
  41. https://twitter.com/jtauber/status/60586912196460544
  42. Transport Independence
  43. (scrambled WS-Addressing EndpointReference / WSDL 2.0 XML shown as a visual; not recoverable as text)
  44. HEADERS?
      <?xml version="1.0" encoding="UTF-8"?>
      <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
          xmlns:ns1="http://sdk.bt.com/2007/01/WhiteLabelAuthentication"
          xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
          xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
          xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
          xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <SOAP-ENV:Header>
          <wsse:Security>
            <ds:Signature>
              <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                <ds:Reference URI="#ac016ffe-a6e9-23d4-ebd1-ccef7ea31db7">
                  <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <ds:DigestValue>bwlAKau7KQAubgGNJzysZoEEF8o=</ds:DigestValue>
                </ds:Reference>
                <ds:Reference URI="#78223460-ef68-5501-83d6-a5edb6d452b6">
                  <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <ds:DigestValue>kyBw9fnMjhi2I39+wfBIklyk8g4=</ds:DigestValue>
                </ds:Reference>
              </ds:SignedInfo>
              <ds:SignatureValue>XW2FqP9o/A1J+NOg6Kv3ncn3PvSg5lzr2V4H/AQpRycXUSk7bzWK8kzhtMrlXUwkykrJ2AyEzw+xrRtSBIeaId1Iveme2KO02p21MTglr73cPCft/GHvEvAHZ4B6N6gSaX7NcGFrYnsYKP0nX5vT7jBh7WZ7Euqn0PyjCHyYxbU=</ds:SignatureValue>
              <ds:KeyInfo>
                <wsse:SecurityTokenReference>
                  <wsse:Reference URI="#CERTID"/>
                </wsse:SecurityTokenReference>
              </ds:KeyInfo>
            </ds:Signature>
            <wsu:Timestamp wsu:Id="ac016ffe-a6e9-23d4-ebd1-ccef7ea31db7">
              <wsu:Created>2007-02-23T07:47:01Z</wsu:Created>
              <wsu:Expires>2007-02-23T08:47:01Z</wsu:Expires>
            </wsu:Timestamp>
            <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CERTID">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</wsse:BinarySecurityToken>
          </wsse:Security>
          <wsa:Action>http://sdk.bt.com/2007/01/WhiteLabelAuthentication#login</wsa:Action>
          <wsa:MessageID>urn:uuid:e12edac3-f87d-3e0a-b621-04fa4d0b8cda</wsa:MessageID>
        </SOAP-ENV:Header>
        <SOAP-ENV:Body wsu:Id="78223460-ef68-5501-83d6-a5edb6d452b6">
          <ns1:login>
            <ns1:userName>paul.downey@bt.com</ns1:userName>
            <ns1:password>2344324t</ns1:password>
          </ns1:login>
        </SOAP-ENV:Body>
      </SOAP-ENV:Envelope>
  45. http://www.xmlgrrl.com/blog/2007/03/28/the-venn-of-identity/
  46. http://www.xmlgrrl.com/blog/2007/03/28/the-venn-of-identity/
  47. http://connectid.blogspot.com
  48. http://www.xmlgrrl.com/blog/2008/09/04/venn-and-the-art-of-data-sharing/
  49. http://kantarainitiative.org
  50. http://en.wikipedia.org/wiki/OpenID
  51. http://www.bbc.co.uk/news/technology-13749010
  52. https://twitter.com/IdentityWoman/status/110622242127364096
  53. https://twitter.com/robinberjon/status/109611765435875329
  54. very cool!
  55. http://www.w3.org/wiki/WebID
  56. http://webfinger.org/
  57. correct horse battery staple
  58. http://nigelparry.com/news/guardian-david-leigh-cablegate.shtml
  59. .. but .. wait!
  60. https://twitter.com/rem/status/123392299320344579
  61. Verified by Visa not only protects your card against unauthorised use, it also means you can have confidence that the online retailer you’re buying from has made your security a priority. http://www.visaeurope.com/en/cardholders/verified_by_visa.aspx
  62. http://cyberelk.net/tim/2008/11/20/chip-and-pin/
  63. http://krebsonsecurity.com/2011/09/gang-used-3d-printers-for-atm-skimmers/
  64. http://berglondon.com/blog/2009/10/12/the-ghost-in-the-field/
  65. http://gizmodo.com/5366022/sniff-the-rfid-dog-likes-to-smell-your-credit-cards
  66. http://www.chromaroma.com/
  67. http://www.bijlmereuro.net/
  68. http://www.cerealbits.com/
  69. http://en.wikipedia.org/wiki/Blue_box_(phreaking)
  70. https://bitcointalk.org/index.php?topic=9047.0
  71. http://en.aureatechnology.net/
  72. http://cs-exhibitions.uni-klu.ac.at/index.php?id=258
  73. Bio-meh-trics
  74. http://www.flickr.com/photos/jeff-barnes/76948611
  75. Something you have / Something you are / Something you know
  76. The Mobile is The Dongle™ ... not really
  77. http://www.duosecurity.com/
  78. Who is anybody?
  79. http://isaach.com/2011/07/mention-constellations.html
  80. BUTTON SLUTS
  81. https://twitter.com/beng/status/118026274148073472
  82. https://twitter.com/monkchips/status/117246164839043072
  83. http://www.ghostery.com/
  84. Yikes!
  85. http://collusion.toolness.org/
  86. evercookies
      • Standard HTTP Cookies
      • Flash Local Shared Objects
      • Silverlight Isolated Storage
      • auto-generated force-cached RGB values
      • PNG/HTML5 Canvas tag to read pixels
      • Web History
      • HTTP ETags
      • Web cache
      • window.name caching
      • Internet Explorer userData storage
      • HTML5 Session Storage
      • HTML5 Local Storage
      • HTML5 Global Storage
      • HTML5 Database Storage (SQLite)
      • HTTP Authentication
      • Java NIC based unique key
  87. https://panopticlick.eff.org/
  88. https://twitter.com/9600/status/117309784130199553
  89. “The thing that makes newspapers so fundamentally fascinating — that serendipity — can be calculated now. We can actually produce it electronically. The power of individual targeting — the technology will be so good it will be very hard for people to watch or consume something that has not in some sense been tailored for them” — Eric Schmidt http://googlesystem.blogspot.com/2010/08/eric-schmidt-on-future-of-search.html
  90. Privacy Window
  91. four legs good, two legs better ...
  92. https://twitter.com/danbri/status/114241481346252801
  93. Test Driven Development / Behaviour Driven Development / Jenga Driven Development / Domain Driven Design / Development Driven Development / Design Driven Driving
  94. Investor Driven Development
  95. Confusion Conclusion
  96. Who am I? — someone who treasures linking
      Who are you? — someone who deserves grokable security
      Who is Anybody? — mind your own bloomin’ business!
