
Building the Social Web with OpenID


Slides from my keynote at PyCon UK 2007.



  1. Building the Social Web with OpenID. Simon Willison, PyCon UK, 8th September 2007
  2. Who here has used OpenID?
  3. Who uses it regularly?
  4. Four problems • Usernames and passwords suck • Signing up for new accounts is a pain • My online identity exists in dozens of different places • Social software suffers from too much overhead
  5. Four problems (and their OpenID related solutions) • Usernames and passwords suck • Signing up for new accounts is a pain • My online identity exists in dozens of different places • Social software suffers from too much overhead
  6. Usernames and passwords suck
  7. “We want to make you aware that media of ours that contained a backup of a portion of the reddit database was stolen recently [...] we wanted to alert you to the possibility that your username, password, and -- in some cases -- e-mail address may have been compromised. ” Steve Huffman,
  8. Two lessons • Don’t store plaintext passwords in your application’s database • Don’t use the same password on more than one site!
  9. The Web needs Single Sign On
  10. ?
  11. SSO with a single controlling authority betrays the principles of the Web
  12. OpenID is a decentralised mechanism for Single Sign On
  13. An OpenID is a URL
  18. The OpenID protocol lets you prove that you own a specific URL
  19. An OpenID can be used as an authentication credential
  20. “Who the heck are you?!”
  21. “I’m”
  22. “prove it!”
  23. (magic happens)
  24. “OK, you’re in!”
  25. Picking an OpenID is like picking an e-mail provider - you find one that you trust
  26. If you have the ability to run your own server software, you can do it for yourself
  28. So how do I use it?
  29. So my users don’t have to sign up for an account?
  30. Not necessarily
  31. An OpenID tells you very little about a user
  32. You don’t know their name
  33. You don’t know their e-mail address
  34. You don’t know if they’re a person or an evil robot
  35. Where do I get that information from?
  36. You ask them!
  37. OpenID can help them answer
  38. So how does OpenID actually work?
  39. <link rel="openid.server" href="" />
  40. “I’m”
  41. Site fetches HTML, discovers identity provider
  42. Establishes shared secret with identity provider (Using Diffie-Hellman key exchange)
  43. Redirects you to the identity provider
  44. If you’re logged in there, you get redirected back
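Slides 42 to 44 compress the whole protocol exchange into three lines. The following is an added example, not code from the talk or from the JanRain libraries, that models both sides of that exchange in memory: the relying party and the identity provider agree on a MAC key with Diffie-Hellman (the association), the provider signs the response the user carries back with HMAC-SHA1 over the OpenID key-value form of the signed fields, and the relying party checks that signature. The Diffie-Hellman group is a small constructed one for illustration, not the fixed 1024-bit modulus the specification uses, and the hostnames are placeholders; what the example shows is why a tampered identity or a redirect to the wrong return_to is rejected.

```python
"""Association and signed-response flow, slides 42-44 (added example)."""
import base64
import hashlib
import hmac
import secrets

# Constructed toy Diffie-Hellman group (a Mersenne prime, generator 2).
# The real protocol fixes a 1024-bit modulus; this one is for illustration only.
P = 2**127 - 1
G = 2


def btwoc(n):
    """OpenID's big-endian two's-complement encoding of a non-negative integer."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def kv_form(pairs):
    """Key-value form the signature is computed over: one 'key:value' line per pair."""
    return "".join(f"{k}:{v}\n" for k, v in pairs).encode()


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Provider:
    """Identity provider side: stores associations, signs id_res responses."""

    def __init__(self):
        self.associations = {}  # assoc_handle -> 20-byte HMAC-SHA1 key

    def associate(self, rp_public):
        y = secrets.randbelow(P - 2) + 1
        shared = pow(rp_public, y, P)
        mac_key = secrets.token_bytes(20)
        handle = secrets.token_hex(8)
        self.associations[handle] = mac_key
        # The MAC key is sent XORed with SHA1(btwoc(shared secret)).
        enc = xor_bytes(mac_key, hashlib.sha1(btwoc(shared)).digest())
        return {"assoc_handle": handle, "dh_server_public": pow(G, y, P),
                "enc_mac_key": enc}

    def sign_response(self, handle, identity, return_to):
        """The redirect back (slide 44): the signed fields plus openid.sig."""
        fields = [("mode", "id_res"), ("identity", identity),
                  ("return_to", return_to), ("assoc_handle", handle)]
        sig = hmac.new(self.associations[handle], kv_form(fields), hashlib.sha1)
        response = {"openid." + k: v for k, v in fields}
        response["openid.signed"] = ",".join(k for k, _ in fields)
        response["openid.sig"] = base64.b64encode(sig.digest()).decode()
        return response


class RelyingParty:
    """Consumer side: derives the same MAC key and verifies responses."""

    def __init__(self):
        self.mac_keys = {}  # assoc_handle -> MAC key

    def associate(self, provider):
        x = secrets.randbelow(P - 2) + 1
        reply = provider.associate(pow(G, x, P))
        shared = pow(reply["dh_server_public"], x, P)
        key = xor_bytes(reply["enc_mac_key"], hashlib.sha1(btwoc(shared)).digest())
        self.mac_keys[reply["assoc_handle"]] = key
        return reply["assoc_handle"]

    def verify(self, response, expected_return_to):
        """True only for an untampered response signed under a known association."""
        key = self.mac_keys.get(response.get("openid.assoc_handle"))
        if key is None:
            return False  # unknown handle: real RPs fall back to check_authentication
        signed = response.get("openid.signed", "").split(",")
        if not {"mode", "identity", "return_to"} <= set(signed):
            return False  # a signature that omits these proves nothing useful
        if response.get("openid.return_to") != expected_return_to:
            return False
        try:
            fields = [(k, response["openid." + k]) for k in signed]
            given = base64.b64decode(response.get("openid.sig", ""))
        except (KeyError, ValueError):
            return False
        expected = hmac.new(key, kv_form(fields), hashlib.sha1).digest()
        return hmac.compare_digest(expected, given)


def demo():
    """One full exchange; returns (genuine_verifies, forged_verifies)."""
    op, rp = Provider(), RelyingParty()
    handle = rp.associate(op)  # slide 42: shared secret via Diffie-Hellman
    return_to = "https://rp.example/openid/return"  # placeholder RP URL
    resp = op.sign_response(handle, "https://provider.example/alice", return_to)
    forged = dict(resp)
    forged["openid.identity"] = "https://provider.example/mallory"
    return rp.verify(resp, return_to), rp.verify(forged, return_to)
```

Two design points carry over to real code: the relying party must insist that identity and return_to are among the signed fields, not merely present, and the signature comparison must be constant-time (hmac.compare_digest) because the MAC key is long-lived.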
  45. How does my identity provider know who I am?
  46. OpenID deliberately doesn’t specify
  47. username/password is common
  48. But providers can use other methods if they want to
  49. Client SSL certificates
  50. Out of band authentication via SMS, e-mail or Jabber
  51. SecurID keyfobs
  52. No authentication at all (just say “Yes”)
  53. Just say “yes”?
  54. Yup. That’s the OpenID version of
  56. Users can give away their passwords today - this is just the OpenID equivalent
  57. What if I decide I hate my provider?
  58. Use your own domain name
  59. Delegate to a provider you trust
  60. <link rel="openid.server" href=""> <link rel="openid.delegate" href="">
  61. Support for delegation is compulsory
  62. This minimises lock in
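Slides 39 to 41 (the site fetches your HTML and discovers your provider) and slides 59 to 62 (delegation from your own domain) describe one parsing step. The following is an added example, not code from the talk or from the JanRain libraries, of that discovery step in Python: it reads the `openid.server` and `openid.delegate` link elements from the page at the claimed URL, honours only links in the document head, and returns both the provider endpoint and the identifier the provider should be asked about. The sample documents and hostnames are constructed.

```python
"""HTML-based OpenID discovery with delegation (slides 39-44 and 60-62).

Added example. Given the HTML fetched from the user's claimed URL, find the
provider endpoint (<link rel="openid.server">) and the identifier the provider
knows the user by (<link rel="openid.delegate">, else the claimed URL).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _OpenIDLinkParser(HTMLParser):
    """Collect rel -> href for <link> elements that appear in <head>."""

    def __init__(self):
        super().__init__()
        self.links = {}
        self._in_head = True

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self._in_head = False  # OpenID 1.x only honours <link> in <head>
        if tag != "link" or not self._in_head:
            return
        attrs = dict(attrs)
        href = attrs.get("href")
        if not href:
            return
        # rel may carry several space-separated tokens; the first link wins.
        for token in (attrs.get("rel") or "").lower().split():
            self.links.setdefault(token, href.strip())

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False


def discover(claimed_url, html):
    """Return (provider_endpoint, identity_to_send) or raise ValueError."""
    parser = _OpenIDLinkParser()
    parser.feed(html)
    server = parser.links.get("openid.server")
    if server is None:
        raise ValueError("no openid.server link in <head>: not an OpenID page")
    if urlparse(server).scheme not in ("http", "https"):
        raise ValueError("openid.server must be an absolute http(s) URL")
    # Delegation (slides 59-61): the provider is asked about the delegate URL,
    # but the relying party still knows the user by the claimed URL.
    return server, parser.links.get("openid.delegate", claimed_url)


def is_openid(claimed_url, html):
    """Convenience wrapper for callers that only want a yes/no answer."""
    try:
        discover(claimed_url, html)
        return True
    except ValueError:
        return False


# Constructed sample documents (hostnames are placeholders).
SAMPLE_PLAIN = """<html><head>
<link rel="openid.server" href="https://provider.example/server" />
</head><body>Alice's homepage</body></html>"""

SAMPLE_DELEGATED = """<html><head>
<link rel="openid.server" href="https://provider.example/server">
<link rel="openid.delegate" href="https://provider.example/alice">
</head><body>Alice's own domain, delegating to a provider</body></html>"""

SAMPLE_BODY_ONLY = """<html><head><title>comment thread</title></head><body>
<p>user-supplied content:</p>
<link rel="openid.server" href="https://example.invalid/server">
</body></html>"""
```

The body-only sample is the case worth remembering: on a page where other people can post content, a link element outside the head must not be able to redirect the relying party to a provider of the poster's choosing, which is why the parser stops listening once the head is closed.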
  63. So everyone will end up with one OpenID that they use for everything?
  64. Probably not
  65. (I have half a dozen OpenIDs already)
  66. People like maintaining multiple online personas
  67. professional, social, secret, ...
  68. OpenID makes it easier to manage multiple online personas
  69. Three accounts is still better than three dozen
  70. If an OpenID is a URL, is there anything else interesting you can do with it?
  71. Yes. Different OpenIDs can express different things
  72. My AOL OpenID proves my AIM screen name
  73. An OpenID from proves that someone is a current Sun employee
  74. A OpenID could incorporate my taste in music
  75. My LiveJournal OpenID tells you where to find my blog
  76. OpenID and web service APIs naturally complement each other
  77. What about phishing?
  78. Phishing is a problem
  79. (Mock-up of an untrusted site) I can has lolcats!? BETA. Make your own lolcats! Sign in with your OpenID: [OpenID: ____] [Sign in]
  80. (Fake edition of your identity provider) Username and password, please! [Username: ____] [Password: ____] [Log in]
  81. Identity theft :(
  82. An untrusted site redirects you to your trusted provider
  83. Sound familiar?
  84. PayPal, Yahoo! BBAuth, Google Auth, Google Checkout
  85. One solution: don’t let the user log in on the identity provider “landing page”
  86. Better solutions
  87. CardSpace
  88. Native browser support for OpenID (Firefox 3, Seatbelt)
  89. Competition between providers
  90. Doesn’t this outsource the security of my users to untrusted third parties?
  91. Yes it does. But...
  92. ... so do “forgotten password” e-mails!
  93. If e-mail is secure enough for your user’s authentication, so is OpenID
  94. Password e-mails are just SSO with an unavoidably bad user experience
  95. Best practices for OpenID consumers?
  96. “I forgot my password” becomes “I can’t sign in with my OpenID”
  97. Allow multiple OpenIDs to be associated with a single account
  98. People can still sign in if one of their providers is down
  99. People can un-associate an OpenID without locking themselves out
  100. You can take advantage of site-specific services around each of their OpenIDs
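Slides 97 to 100 are the consumer-side account model in four bullet points. The following is an added example, not code from the talk or from any OpenID library, of that model in Python: one account holds any number of OpenIDs, each OpenID belongs to at most one account, a user can sign in with whichever provider happens to be up, and the last remaining OpenID cannot be removed. The identifier normalisation is a simplified assumption (default scheme, lowercased host, fragment dropped, empty path becomes "/"), not the full specification rules, and all URLs are placeholders.

```python
"""Multi-OpenID accounts for a consumer site (slides 97-100). Added example."""
from urllib.parse import urlsplit, urlunsplit


class LinkError(ValueError):
    """Raised when a link or unlink would break one of the account rules."""


def normalise(openid_url):
    """Simplified OpenID 1.x identifier normalisation (an assumption, not spec-exact)."""
    openid_url = openid_url.strip()
    if "://" not in openid_url:
        openid_url = "http://" + openid_url
    parts = urlsplit(openid_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise LinkError(f"not a usable OpenID URL: {openid_url!r}")
    # Lowercase scheme and host, keep the path, drop any fragment.
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


class AccountStore:
    """In-memory stand-in for the accounts table of an OpenID consumer."""

    def __init__(self):
        self._openids = {}  # account_id -> set of normalised OpenIDs
        self._owner = {}    # normalised OpenID -> account_id
        self._next_id = 1

    def create(self, openid_url):
        """Sign-up: a new account whose first credential is this OpenID."""
        account_id, self._next_id = self._next_id, self._next_id + 1
        self._openids[account_id] = set()
        self.link(account_id, openid_url)
        return account_id

    def link(self, account_id, openid_url):
        """Slide 97: add another OpenID; an OpenID may belong to only one account."""
        url = normalise(openid_url)
        owner = self._owner.get(url)
        if owner is not None and owner != account_id:
            raise LinkError("that OpenID is already linked to a different account")
        self._openids[account_id].add(url)
        self._owner[url] = account_id

    def unlink(self, account_id, openid_url):
        """Slide 99: drop an OpenID, but never the last one (no self-lockout)."""
        url = normalise(openid_url)
        if self._owner.get(url) != account_id:
            raise LinkError("that OpenID is not linked to this account")
        if len(self._openids[account_id]) == 1:
            raise LinkError("refusing to remove the only OpenID; link another first")
        self._openids[account_id].discard(url)
        del self._owner[url]

    def sign_in(self, verified_openid):
        """Slide 98: any linked OpenID signs in, so one provider being down is survivable."""
        return self._owner.get(normalise(verified_openid))

    def openids(self, account_id):
        return sorted(self._openids[account_id])


def demo():
    """Scenario: Alice links two OpenIDs, then the rules above are exercised."""
    store = AccountStore()
    alice = store.create("https://alice.example/")
    store.link(alice, "http://alice.provider.example")
    outcomes = {
        "signs_in_via_second_provider":
            store.sign_in("http://alice.provider.example/") == alice,
        "case_and_fragment_normalised":
            store.sign_in("https://ALICE.example/#profile") == alice,
    }
    store.unlink(alice, "https://alice.example/")  # allowed: one OpenID remains
    try:
        store.unlink(alice, "http://alice.provider.example")
        outcomes["last_openid_protected"] = False
    except LinkError:
        outcomes["last_openid_protected"] = True
    bob = store.create("https://bob.example/")
    try:
        store.link(bob, "http://alice.provider.example/")
        outcomes["one_openid_one_account"] = False
    except LinkError:
        outcomes["one_openid_one_account"] = True
    return outcomes
```

The one-OpenID-one-account rule is what turns slide 96 around: when a user says "I can't sign in with my OpenID", the site can look the identifier up and offer the account's other providers instead of a password-reset e-mail.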
  101. What are the privacy implications?
  102. Cross correlation of accounts
  103. Don’t publish a user’s OpenID without making it clear that you’re going to do that
  104. Allow users to opt-out of sharing their OpenID
  105. Any other neat tricks?
  106. My online identity exists in dozens of different places
  107. I can use OpenID to tie these profiles together
  108. Portable contact lists
  109. Facebook (and others) currently ask for the user’s webmail username and password
  110. Lightweight accounts
  111. Pre-approved accounts
  112. Social whitelists
  113. OpenID and microformats
  114. Identity projection
  115. Decentralised social networks
  116. “People keep asking me to join the LinkedIn network, but I’m already part of a network, it’s called the Internet.” Gary McGraw, via Jon Udell, via Gavin Bell
  117. An open alternative?
  118. Who else is involved?
  119. [Chart: Total Relying Parties, Sep '05 to June '07; y-axis 0 to 3,500]
  120. How do I build it in to my Python application?
  121. Open Source libraries from JanRain
  122. OpenID Smart hackers needed
  124. Thank you
  125. Questions?