
Implications Of OpenID (Google Tech Talk)




  1. The implications of OpenID. Simon Willison, Google Tech Talk, 25th June 2007
  2. Who here has used OpenID?
  3. Who uses it regularly?
  4. What is OpenID?
  5. OpenID is a decentralised mechanism for Single Sign On
  6. What problems does it solve?
  7. “Too many passwords!”
  8. “Someone else already grabbed my username”
  9. “My online profile is scattered across dozens of sites”
  10. What is an OpenID?
  11. An OpenID is a URL
  16. What can you do with an OpenID?
  17. You can claim that you own it
  18. You can prove that claim
  19. Why is that useful?
  20. You can use it for authentication
  21. “Who the heck are you?!”
  22. “I’m”
  23. “prove it!”
  24. (magic happens)
  25. “OK, you’re in!”
  26. So it’s a bit like Microsoft Passport, then?
  27. Yes, but you don’t need to ask their permission to implement it
  28. And Microsoft don’t get to own your credentials
  29. Who does get to own them?
  30. You, the user, decide.
  31. You pick your own provider
  32. (just like e-mail)
  33. So I’m still giving someone the keys to my kingdom?
  34. Yes, but it can be someone you trust
  35. If you have the ability to run your own server software, you can do it for yourself.
  36. OK, how do I use it?
  37. So my users don’t have to sign up for an account?
  38. Not necessarily
  39. An OpenID tells you very little about a user
  40. You don’t know their name
  41. You don’t know their e-mail address
  42. You don’t know if they’re a person or an evil robot
  43. (or a dog)
  44. Where do I get that information from?
  45. You ask them!
  46. OpenID can even help them answer
  47. How can I tell if they’re an evil spambot?
  48. Same as usual: challenge them with a CAPTCHA
  49. So how does OpenID actually work?
  50. <link rel="openid.server" href="..." />
  51. “I’m”
  52. Site fetches HTML, discovers identity provider
  53. Establishes shared secret with identity provider (Using Diffie-Hellman key exchange)
  54. Redirects you to the identity provider
  55. If you’re logged in there, you get redirected back
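The four steps above, carried through as an added example (not code from the talk): a consumer establishes a shared secret with the identity provider over DH-SHA1, redirects the browser with a checkid_setup request, and verifies the HMAC-SHA1 signed response the provider sends back. Both sides are simulated in one process; the consumer, provider and user URLs are constructed, and the DH group is the 1024-bit MODP prime from RFC 2409 rather than the default modulus the OpenID 1.1 specification defines.

```python
"""OpenID 1.1 association and checkid_setup flow, both sides simulated in one
process. Added example, not code from the talk; all URLs are constructed."""
import base64
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Demonstration DH group: the 1024-bit MODP prime of RFC 2409 ("Second Oakley Group"),
# generator 2. OpenID 1.1 ships its own default modulus, which is not reproduced here.
DH_MODULUS = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
DH_GEN = 2

def btwoc(n: int) -> bytes:
    """OpenID's big-endian two's-complement encoding (leading 0x00 when the top bit is set)."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")

def b64(b: bytes) -> str:
    return base64.b64encode(b).decode()

def b64int(s: str) -> int:
    return int.from_bytes(base64.b64decode(s), "big")

def sign(mac_key: bytes, params: dict, signed: str) -> str:
    """HMAC-SHA1 over 'field:value\\n' lines in openid.signed order (OpenID 1.1)."""
    token = "".join(f"{f}:{params.get('openid.' + f, '')}\n" for f in signed.split(","))
    return b64(hmac.new(mac_key, token.encode(), hashlib.sha1).digest())

class Provider:
    """Identity provider: keeps MAC keys by association handle."""
    def __init__(self):
        self.assocs = {}

    def associate(self, req: dict) -> dict:
        p, g = b64int(req["openid.dh_modulus"]), b64int(req["openid.dh_gen"])
        cpub = b64int(req["openid.dh_consumer_public"])
        if not 1 < cpub < p - 1:                       # reject degenerate public values
            raise ValueError("bad dh_consumer_public")
        y = secrets.randbelow(p - 2) + 1
        mac_key, handle = secrets.token_bytes(20), secrets.token_hex(8)
        self.assocs[handle] = mac_key
        mask = hashlib.sha1(btwoc(pow(cpub, y, p))).digest()   # SHA1 of the shared secret
        return {"assoc_handle": handle, "assoc_type": "HMAC-SHA1", "session_type": "DH-SHA1",
                "expires_in": "3600", "dh_server_public": b64(btwoc(pow(g, y, p))),
                "enc_mac_key": b64(bytes(a ^ b for a, b in zip(mac_key, mask)))}

    def checkid_setup(self, params: dict, session_user: Optional[str]) -> str:
        """Redirect back to the consumer. No password form is offered on this landing
        page: without an existing provider session for the identity, answer 'cancel'."""
        rt = params["openid.return_to"]
        if session_user != params["openid.identity"]:
            return rt + "?" + urlencode({"openid.mode": "cancel"})
        resp = {"openid.mode": "id_res", "openid.identity": params["openid.identity"],
                "openid.return_to": rt, "openid.assoc_handle": params["openid.assoc_handle"],
                "openid.signed": "mode,identity,return_to"}
        resp["openid.sig"] = sign(self.assocs[resp["openid.assoc_handle"]], resp, resp["openid.signed"])
        return rt + "?" + urlencode(resp)

def consumer_associate(provider: Provider):
    """Consumer side of the DH-SHA1 association; returns (handle, mac_key)."""
    x = secrets.randbelow(DH_MODULUS - 2) + 1
    req = {"openid.mode": "associate", "openid.assoc_type": "HMAC-SHA1",
           "openid.session_type": "DH-SHA1", "openid.dh_modulus": b64(btwoc(DH_MODULUS)),
           "openid.dh_gen": b64(btwoc(DH_GEN)),
           "openid.dh_consumer_public": b64(btwoc(pow(DH_GEN, x, DH_MODULUS)))}
    resp = provider.associate(req)                     # would be an HTTP POST to the provider
    mask = hashlib.sha1(btwoc(pow(b64int(resp["dh_server_public"]), x, DH_MODULUS))).digest()
    mac_key = bytes(a ^ b for a, b in zip(base64.b64decode(resp["enc_mac_key"]), mask))
    return resp["assoc_handle"], mac_key

def consumer_verify(url: str, handle: str, mac_key: bytes, return_to: str, identity: str) -> bool:
    """Check the provider's redirect: mode and handle, signature, then the bound values."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if q.get("openid.mode") != "id_res" or q.get("openid.assoc_handle") != handle:
        return False
    signed = q.get("openid.signed", "")
    if not {"mode", "identity", "return_to"} <= set(signed.split(",")):
        return False
    if not hmac.compare_digest(sign(mac_key, q, signed), q.get("openid.sig", "")):
        return False
    return q["openid.identity"] == identity and q["openid.return_to"] == return_to

def run_flow(session_user: Optional[str], tamper: bool = False) -> bool:
    """Whole flow on constructed values; session_user is who the provider's cookie says is logged in."""
    identity = "https://alice.example/"                     # constructed OpenID
    return_to = "https://consumer.example/openid/return"    # constructed consumer URL
    provider = Provider()
    handle, mac_key = consumer_associate(provider)
    params = {"openid.mode": "checkid_setup", "openid.identity": identity,
              "openid.return_to": return_to, "openid.trust_root": "https://consumer.example/",
              "openid.assoc_handle": handle}
    back = provider.checkid_setup(params, session_user)
    if tamper:   # anyone rewriting the asserted identity in transit must fail verification
        back = back.replace("alice.example", "mallory.example")
    return consumer_verify(back, handle, mac_key, return_to, identity)
```

The MAC key never travels in the clear: the provider XORs it with SHA1 of the DH shared secret, and only a consumer holding the matching private exponent can unmask it. The consumer's verification order matters too: handle and signature first, then the identity and return_to values it bound into the request, so a response signed for a different site or user is rejected even when its signature is valid.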
  56. How does my identity provider know who I am?
  57. OpenID deliberately doesn’t specify
  58. username/password is common
  59. But providers can use other methods if they want to
  60. Client SSL certificates
  61. Out of band authentication via SMS, e-mail or Jabber
  62. IP based login restrictions
  63. (one guy set that up using DynDNS)
  64. SecurID keyfobs
  65. No authentication at all (just say “Yes”)
  66. Just say “yes”?
  67. Yup. That’s the OpenID version of
  69. Users can give away their passwords today - this is just the OpenID equivalent
  70. What if I decide I hate my provider?
  71. Use your own domain name
  72. Delegate to a provider you trust
  73. <link rel="openid.server" href="..."> <link rel="openid.delegate" href="...">
  74. Support for delegation is compulsory
  75. This minimises lock in
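The discovery step from slide 52 and the delegation from slides 71 to 74, as an added example that is not code from the talk: the consumer normalises what the user typed, reads the openid.server and openid.delegate link tags from the head of the fetched page, and later checks that the identity the provider signed is the one discovery found. The pages and URLs are constructed.

```python
"""OpenID 1.1 HTML discovery with delegation. Added example, not code from the talk;
the pages and URLs below are constructed."""
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse, urlunparse


def normalize(user_input: str) -> str:
    """Turn what the user typed into the URL to fetch (OpenID 1.1 rules):
    prepend http:// when there is no scheme, append '/' when there is no path."""
    s = user_input.strip()
    if not s.startswith(("http://", "https://")):
        s = "http://" + s
    u = urlparse(s)
    return urlunparse(u._replace(path=u.path or "/"))


class _HeadLinks(HTMLParser):
    """Collects <link rel=... href=...> from <head> only: link tags in the body
    (user-supplied content such as comments) must not steer discovery."""

    def __init__(self):
        super().__init__()
        self.links = {}          # rel token -> first href seen
        self.in_head = True

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.in_head = False
        if tag != "link" or not self.in_head:
            return
        a = dict(attrs)
        for rel in (a.get("rel") or "").lower().split():   # rel may carry several tokens
            self.links.setdefault(rel, a.get("href"))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def discover(claimed_url: str, page_html: str) -> Optional[dict]:
    """Discovery result for the page fetched from claimed_url, or None if it is not an OpenID."""
    p = _HeadLinks()
    p.feed(page_html)
    server = p.links.get("openid.server")
    if not server:
        return None
    delegate = p.links.get("openid.delegate")
    return {"claimed_id": claimed_url,             # what the user typed, shown on the site
            "server": server,                      # endpoint to associate with and redirect to
            "identity": delegate or claimed_url}   # openid.identity the provider must assert


def assertion_matches(discovered: dict, asserted_identity: str) -> bool:
    """After the provider answers, the signed openid.identity must equal the identity found
    during discovery; otherwise a provider could assert a URL that delegates elsewhere."""
    return asserted_identity == discovered["identity"]


# Constructed page for a user on their own domain delegating to a provider (the talk's
# "use your own domain name" advice); the <link> in the body is deliberately ignored.
DELEGATED_PAGE = """<html><head><title>Alice</title>
<link rel="openid.server" href="https://provider.example/openid/server">
<link rel="openid.delegate" href="https://provider.example/user/alice">
</head><body><p>Visitor comment: <link rel="openid.delegate" href="https://evil.example/"></p>
</body></html>"""

# Same claimed URL after the user switched providers: only the two link tags changed.
SWITCHED_PAGE = DELEGATED_PAGE.replace("provider.example", "other-provider.example")

# A page whose only openid.server link sits in the body: not a valid OpenID page.
BODY_ONLY_PAGE = """<html><head></head><body>
<link rel="openid.server" href="https://evil.example/"></body></html>"""
```

Running discover over DELEGATED_PAGE and then SWITCHED_PAGE shows what "minimises lock in" means in code: the claimed_id the user hands to sites never changes, while the server and identity the consumer talks to follow whatever the user's own page currently says.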
  76. So everyone will end up with one OpenID that they use for everything?
  77. Probably not
  78. (I have half a dozen OpenIDs already)
  79. People like maintaining multiple online personas
  80. professional, social, secret ...
  81. OpenID makes it easier to manage multiple online personas
  82. Three accounts is still better than three dozen
  83. If an OpenID is just a URL, is there anything else interesting you can do with it?
  84. Yes. Different OpenIDs can express different things
  85. My AOL OpenID proves my AIM screen name
  86. An OpenID from proves that someone is a current Sun employee
  87. A OpenID could incorporate my taste in music
  88. My LiveJournal OpenID tells you where to find my blog
  89. ... and a FOAF file listing my friends
  90. uses this for contact imports
  91. Why is OpenID worth implementing over all the other identity standards?
  92. It’s simple
  93. Unix philosophy: It solves one, tiny problem
  94. It’s a dumb network
  95. Many of the competing standards are now on board
  96. Isn’t putting all my eggs in one basket a really bad idea?
  97. Bad news: chances are you already do
  98. “I forgot my password” means your e-mail account is already an SSO mechanism
  99. OpenID just makes this a bit more obvious
  100. What about phishing?
  101. Phishing is a problem
  102. (Mock-up: a site "I can has lolcats!? BETA / Make your own lolcats!" with a "Sign in with your OpenID" form)
  103. (Mock-up: a fake edition of your identity provider's login page: "Username and password, please!")
  104. Identity theft :(
  105. An untrusted site redirects you to your trusted provider
  106. Sound familiar?
  107. PayPal Yahoo! BBAuth Google Auth Google Checkout
  108. You guys already need to solve that problem!
  109. One solution: don’t let the user log in on the identity provider “landing page”
  110. Better solutions
  111. CardSpace
  112. Native browser support for OpenID (e.g. SeatBelt)
  113. Competition between providers
  114. Permanent cookie set using out-of-band token
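How a provider can implement slides 109 and 114 together, as an added example that is not code from the talk: the page a consumer redirects to never asks for a password, and the long-lived cookie it relies on is only ever established by redeeming a single-use token sent out of band (e-mail, SMS or Jabber). The key, time-to-live values and user URLs are constructed.

```python
"""Provider-side login policy for the phishing problem above. Added example, not code
from the talk: the provider never offers a password form on the page a consumer
redirects to, and a long-lived cookie comes only from redeeming an out-of-band token."""
import hashlib
import hmac
import secrets
from typing import Optional

TOKEN_TTL = 600               # seconds an out-of-band token stays redeemable (constructed)
COOKIE_TTL = 365 * 86400      # lifetime of the "permanent" cookie (constructed)


class ProviderSessions:
    def __init__(self, cookie_key: bytes):
        self.key = cookie_key     # server secret used to MAC cookies
        self.pending = {}         # token -> (user, expiry)

    def issue_token(self, user: str, now: int) -> str:
        """Single-use token delivered by e-mail, SMS or Jabber, never shown on a redirect page."""
        tok = secrets.token_urlsafe(16)
        self.pending[tok] = (user, now + TOKEN_TTL)
        return tok

    def redeem_token(self, tok: str, now: int) -> Optional[str]:
        """Exchange a fresh token for a cookie value; tokens are one-shot and expire."""
        entry = self.pending.pop(tok, None)
        if entry is None or entry[1] < now:
            return None
        user, _ = entry
        return self._cookie(user, now + COOKIE_TTL)

    def _cookie(self, user: str, expires: int) -> str:
        payload = f"{user}|{expires}"
        mac = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}|{mac}"

    def user_from_cookie(self, cookie: Optional[str], now: int) -> Optional[str]:
        """Who the cookie vouches for, or None if it is missing, forged or expired."""
        if not cookie:
            return None
        try:
            user, expires, mac = cookie.rsplit("|", 2)
        except ValueError:
            return None
        good = hmac.new(self.key, f"{user}|{expires}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, good) or int(expires) < now:
            return None
        return user


def landing_page_action(sessions: ProviderSessions, cookie: Optional[str],
                        requested_identity: str, now: int) -> str:
    """Decision when a consumer redirects the browser here with openid.identity set.
    'assert': a valid cookie vouches for exactly that identity, so sign the assertion.
    'cancel_and_instruct': send the user back with openid.mode=cancel and tell them to
    sign in at the provider through a typed URL or bookmark; this page asks for nothing."""
    if sessions.user_from_cookie(cookie, now) == requested_identity:
        return "assert"
    return "cancel_and_instruct"
```

The point of the design is that there is no credential a look-alike landing page could harvest: the only secrets in play are a token that arrives through a channel the phishing site does not control and a cookie the browser will only send to the real provider's origin.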
  115. Best practices for OpenID consumers?
  116. “I forgot my password” becomes “I can’t sign in with my OpenID”
  117. Allow multiple OpenIDs to be associated with a single account
  118. People can still sign in if one of their providers is down
  119. People can un-associate an OpenID without locking themselves out
  120. You can take advantage of site-specific services around each of their OpenIDs
  121. Any other neat tricks?
  122. Portable contact lists
  123. Facebook (and others) currently ask for the user’s Google username and password
  124. I don’t need to tell you why that’s a horrible idea
  125. Lightweight accounts
  126. Pre-approved accounts
  127. Social whitelists
  128. OpenID and microformats
  129. Decentralised social networks?
  130. “People keep asking me to join the LinkedIn network, but I’m already part of a network, it’s called the Internet.” Gary McGraw, via Jon Udell, via Gavin Bell
  131. Doesn’t this outsource the security of my users to untrusted third parties?
  132. Yes it does. But...
  133. ... so do “forgotten password” e-mails!
  134. If e-mail is secure enough for your users’ authentication, so is OpenID
  135. Password e-mails are essentially SSO with a deliberately bad user experience
  136. What are the privacy implications?
  137. Cross correlation of accounts
  138. Don’t publish a user’s OpenID without making it clear that you’re going to do that
  139. Allow users to opt-out of sharing their OpenID
  140. The online equivalent of a credit reporting agency?
  141. This could be built today by sites conspiring to share e-mail addresses
  142. IANAL, but legal protections against this already exist
  143. “Directed identity” in OpenID 2.0 makes it easy to use a different OpenID for every site
  144. Patents?
  145. Sun and VeriSign have both announced “patent covenants”
  146. They won’t smack you down with their patents for using OpenID 1.1
  147. They will smack down anyone else who asserts their own patents against OpenID
  148. Who else is involved?
  149. (Slide borrowed from David Recordon)
  150. AOL - provider, full consumer by end of July
  151. Microsoft: Bill Gates expressed their interest at the RSA conference
  152. (mainly as good PR for CardSpace?)
  153. Sun: Patent Covenant, 33,000 employees
  154. Six Apart
  155. VeriSign
  156. JanRain
  157. Yahoo! - indirectly
  158. Google?
  160. Thank you