an OpenID


Who here has used OpenID?

Who uses it regularly?

What is OpenID?

OpenID is a decentralised mechanism for Single Sign On

What problems does it solve?

“Too many passwords!”

“Someone else already grabbed my username”

“My online profile is scattered across dozens of sites”

What is an OpenID?

An OpenID is a URL

What can you do with an OpenID?

You can claim that you own it

You can prove that claim

Why is that useful?

You can use it for authentication

“Who the heck are you?!”


“prove it!”

(magic happens)

“OK, you’re in!”

So it’s a bit like Microsoft Passport, then?

Yes, but you don’t need to ask their permission to implement it

And Microsoft don’t get to own your credentials

Who does get to own them?

You, the user, decide.

You pick your own provider

(just like e-mail)

So I’m still giving someone the keys to my kingdom?

Yes, but it can be someone you trust

If you have the ability to run your own server software, you can do it for yourself.

OK, how do I use it?

So my users don’t have to sign up for an account?

Not necessarily

An OpenID tells you very little about a user

You don’t know their name

You don’t know their e-mail address

You don’t know if they’re a person or an evil robot

(or a dog)

Where do I get that information from?

You ask them!

OpenID can even help them answer

How can I tell if they’re an evil spambot?

Same as usual: challenge them with a CAPTCHA

So how does OpenID actually work?

Site fetches HTML, discovers identity provider

Establishes shared secret with identity provider (using Diffie-Hellman key exchange)

Redirects you to the identity provider

If you’re logged in there, you get redirected back
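The flow above, modelled end to end as an added example (this is not code from the talk): an OpenID 1.1 consumer associates with a provider over Diffie-Hellman, the provider hands back its HMAC key XORed with a hash of the DH secret, and the consumer later verifies the signed assertion it receives when the user is redirected back. It assumes a constructed toy DH group (the real default modulus is a 1024-bit prime) and constructed identity and return_to URLs; HTTP, discovery and the user's actual login at the provider are left out.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed toy DH group so the example runs instantly; the OpenID 1.1 default
# modulus is a 1024-bit prime and a real consumer must use a group that size.
DH_P = (1 << 127) - 1
DH_G = 5


def btwoc(n: int) -> bytes:
    """Big-endian two's-complement encoding OpenID uses for DH integers (a leading
    0x00 is added when the top bit of the magnitude is set)."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def unbtwoc(b: bytes) -> int:
    return int.from_bytes(b, "big", signed=True)


def b64(b: bytes) -> str:
    return base64.b64encode(b).decode("ascii")


def ub64(s: str) -> bytes:
    return base64.b64decode(s)


def kv_form(params: dict, signed: list) -> bytes:
    """The byte string that is MACed: 'key:value\\n' for each signed field, in order."""
    return "".join(f"{k}:{params[k]}\n" for k in signed).encode("utf-8")


class Provider:
    """Identity provider: answers associate requests and signs assertions."""

    def __init__(self):
        self.assocs = {}  # assoc_handle -> mac_key

    def associate(self, req: dict) -> dict:
        p = unbtwoc(ub64(req["openid.dh_modulus"]))
        g = unbtwoc(ub64(req["openid.dh_gen"]))
        consumer_pub = unbtwoc(ub64(req["openid.dh_consumer_public"]))
        priv = secrets.randbelow(p - 2) + 1
        shared = pow(consumer_pub, priv, p)
        mac_key = secrets.token_bytes(20)  # HMAC-SHA1 key
        handle = secrets.token_hex(8)
        self.assocs[handle] = mac_key
        # The MAC key is sent XORed with SHA1(btwoc(shared secret)).
        digest = hashlib.sha1(btwoc(shared)).digest()
        return {
            "assoc_type": "HMAC-SHA1",
            "session_type": "DH-SHA1",
            "assoc_handle": handle,
            "expires_in": "1209600",
            "dh_server_public": b64(btwoc(pow(g, priv, p))),
            "enc_mac_key": b64(bytes(a ^ b for a, b in zip(mac_key, digest))),
        }

    def checkid(self, handle: str, identity: str, return_to: str) -> dict:
        """Positive assertion sent to return_to once the user has logged in."""
        fields = {"mode": "id_res", "identity": identity, "return_to": return_to}
        signed = ["mode", "identity", "return_to"]
        sig = hmac.new(self.assocs[handle], kv_form(fields, signed), hashlib.sha1).digest()
        resp = {"openid." + k: v for k, v in fields.items()}
        resp.update({"openid.assoc_handle": handle, "openid.signed": ",".join(signed),
                     "openid.sig": b64(sig)})
        return resp


class Consumer:
    """Relying party: sets up the association and verifies assertions."""

    def __init__(self, return_to: str):
        self.return_to = return_to
        self.priv = secrets.randbelow(DH_P - 2) + 1
        self.mac_key = self.assoc_handle = None

    def associate_request(self) -> dict:
        return {"openid.mode": "associate", "openid.assoc_type": "HMAC-SHA1",
                "openid.session_type": "DH-SHA1",
                "openid.dh_modulus": b64(btwoc(DH_P)), "openid.dh_gen": b64(btwoc(DH_G)),
                "openid.dh_consumer_public": b64(btwoc(pow(DH_G, self.priv, DH_P)))}

    def finish_association(self, resp: dict) -> None:
        shared = pow(unbtwoc(ub64(resp["dh_server_public"])), self.priv, DH_P)
        digest = hashlib.sha1(btwoc(shared)).digest()
        self.mac_key = bytes(a ^ b for a, b in zip(ub64(resp["enc_mac_key"]), digest))
        self.assoc_handle = resp["assoc_handle"]

    def verify(self, resp: dict) -> bool:
        """Accept the redirect back only if it is signed under our association, the
        signature covers identity and return_to, and return_to is really ours."""
        if resp.get("openid.assoc_handle") != self.assoc_handle:
            return False
        signed = resp.get("openid.signed", "").split(",")
        if "identity" not in signed or "return_to" not in signed:
            return False
        if any("openid." + k not in resp for k in signed):
            return False
        if resp["openid.return_to"] != self.return_to:
            return False
        fields = {k: resp["openid." + k] for k in signed}
        expected = hmac.new(self.mac_key, kv_form(fields, signed), hashlib.sha1).digest()
        return hmac.compare_digest(expected, ub64(resp.get("openid.sig", "")))


def run_login(identity="http://alice.example.org/", return_to="https://rp.example.com/finish"):
    """Whole round trip with constructed URLs; returns (genuine accepted, tampered rejected)."""
    idp, rp = Provider(), Consumer(return_to)
    rp.finish_association(idp.associate(rp.associate_request()))
    good = idp.checkid(rp.assoc_handle, identity, return_to)
    tampered = dict(good, **{"openid.identity": "http://mallory.example.org/"})
    return rp.verify(good), rp.verify(tampered)
```

The point for a consumer is the `verify` method: the shared MAC key never leaves the two parties, so a site that only checks the signature but forgets to check that `return_to` and `identity` are inside `openid.signed`, or that `return_to` is its own URL, can be handed a perfectly valid signature over the wrong data.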

How does my identity provider know who I am?

OpenID deliberately doesn’t specify

username/password is common

But providers can use other methods if they want to

Client SSL certificates

Out of band authentication via SMS, e-mail or Jabber

IP based login restrictions

(one guy set that up using DynDNS)

SecurID keyfobs

No authentication at all (just say “Yes”)

Just say “yes”?

Yup. That’s the OpenID version of

Users can give away their passwords today - this is just the OpenID equivalent

What if I decide I hate my provider?

Use your own domain name

Delegate to a provider you trust

Support for delegation is compulsory

This minimises lock-in

So everyone will end up with one OpenID that they use for everything?

Probably not

(I have half a dozen OpenIDs already)

People like maintaining multiple online personas

OpenID makes it easier to manage multiple online personas

Three accounts is still better than three dozen

If an OpenID is just a URL, is there anything else interesting you can do with it?

Yes. Different OpenIDs can express different things

My AOL OpenID proves my AIM screen name

An OpenID proves that someone is a current Sun employee

An OpenID could incorporate my taste in music

My LiveJournal OpenID tells you where to find my blog

... and a FOAF file listing my friends uses this for contact imports

Why is OpenID worth implementing over all the other identity standards?

It’s simple

Unix philosophy: it solves one, tiny problem

It’s a dumb network

Many of the competing standards are now on board

Isn’t putting all my eggs in one basket a really bad idea?

Bad news: chances are you already do

“I forgot my password” means your e-mail account is already an SSO mechanism

OpenID just makes this a bit more obvious

What about phishing?

Phishing is a problem

(Mock-up screenshot: “I can has lolcats!? BETA. Make your own lolcats! lol”, with a form: Sign in with your OpenID: [OpenID] [Sign in])

(Mock-up screenshot: “Your identity provider, fake edition. Username and password, please!”, with a form: [Username] [Password] [Log in])

Identity theft :(

An untrusted site redirects you to your trusted provider

Sound familiar?

PayPal, Yahoo! BBAuth, Google Auth, Google Checkout

You guys already need to solve that problem!

One solution: don’t let the user log in on the identity provider “landing page”

Better solutions

Native browser support for OpenID (e.g. SeatBelt)

Competition between providers

Permanent cookie set using out-of-band token

Best practices for OpenID consumers?

“I forgot my password” becomes “I can’t sign in with my OpenID”

Allow multiple OpenIDs to be associated with a single account

People can still sign in if one of their providers is down

People can un-associate an OpenID without locking themselves out

You can take advantage of site-specific services around each of their OpenIDs
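As an added example of the consumer practices above (this is not the talk's code): a small account store in which a verified OpenID maps to an account, one account may hold several OpenIDs, and the last one cannot be detached, so nobody locks themselves out. Identifiers are normalised before matching following the OpenID 1.1 rules (default http scheme, trailing slash on an empty path), with the fragment dropped and the host lowercased as well, so the same URL typed two ways finds one record. The account names and URLs are constructed.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


def normalize_openid(raw: str) -> str:
    """Canonical form of a user-typed OpenID URL, so matching is not fooled by
    a missing scheme, a missing trailing slash, a fragment or host case."""
    s = raw.strip()
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme in OpenID: {raw!r}")
    host = parts.netloc.lower()
    path = parts.path or "/"
    return urlunsplit((parts.scheme, host, path, parts.query, ""))


class AccountStore:
    """In-memory store: one account, many OpenIDs; each OpenID owned by one account."""

    def __init__(self):
        self.accounts = {}   # account_id -> set of normalised OpenIDs
        self.by_openid = {}  # normalised OpenID -> account_id

    def create(self, account_id: str, openid: str) -> None:
        if account_id in self.accounts:
            raise ValueError(f"account {account_id!r} already exists")
        self.accounts[account_id] = set()
        self.attach(account_id, openid)

    def attach(self, account_id: str, openid: str) -> None:
        """Add another OpenID; refuse one that already belongs to someone else."""
        oid = normalize_openid(openid)
        owner = self.by_openid.get(oid)
        if owner is not None and owner != account_id:
            raise ValueError(f"{oid} is already attached to another account")
        self.accounts[account_id].add(oid)
        self.by_openid[oid] = account_id

    def detach(self, account_id: str, openid: str) -> None:
        """Remove an OpenID, but never the last one: that would lock the user out."""
        oid = normalize_openid(openid)
        ids = self.accounts[account_id]
        if oid not in ids:
            raise KeyError(f"{oid} is not attached to {account_id!r}")
        if len(ids) == 1:
            raise ValueError("cannot remove the last OpenID on an account")
        ids.remove(oid)
        del self.by_openid[oid]

    def account_for(self, verified_openid: str) -> Optional[str]:
        """Login: the OpenID the provider just asserted, looked up after normalisation."""
        return self.by_openid.get(normalize_openid(verified_openid))


def demo():
    """Constructed walk-through; returns (login lookup, lock-out prevented, lookup after detach)."""
    store = AccountStore()
    store.create("alice", "alice.example.org")                     # typed without scheme
    store.attach("alice", "https://alice.livejournal.example/")    # second provider
    found = store.account_for("http://alice.example.org/")          # asserted by provider
    store.detach("alice", "http://ALICE.example.org/")              # same URL, odd case
    try:
        store.detach("alice", "https://alice.livejournal.example/")
        lockout_prevented = False
    except ValueError:
        lockout_prevented = True
    return found, lockout_prevented, store.account_for("alice.example.org")
```

Normalisation matters more than it looks: if `alice.example.org` and `http://alice.example.org/` are stored as two different keys, the user gets two accounts instead of one, and the "last OpenID" guard silently stops protecting them.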

Any other neat tricks?

Portable contact lists

Facebook (and others) currently ask for the user’s Google username and password

I don’t need to tell you why that’s a horrible idea

Lightweight accounts

Pre-approved accounts

Social whitelists

OpenID and microformats

Decentralised social networks?

“People keep asking me to join the LinkedIn network, but I’m already part of a network, it’s called the Internet.” (Gary McGraw, via Jon Udell, via Gavin Bell)

Doesn’t this outsource the security of my users to untrusted third parties?

Yes it does. But...

... so do “forgotten password” e-mails!

If e-mail is secure enough for your user’s authentication, so is OpenID

Password e-mails are essentially SSO with a deliberately bad user experience

What are the privacy implications?

Cross correlation of accounts

Don’t publish a user’s OpenID without making it clear that you’re going to do that

Allow users to opt out of sharing their OpenID

The online equivalent of a credit reporting agency?

This could be built today by sites conspiring to share e-mail addresses

IANAL, but legal protections against this already exist

“Directed identity” in OpenID 2.0 makes it easy to use a different OpenID for every site

Sun and VeriSign have both announced “patent covenants”

They won’t smack you down with their patents for using OpenID 1.1

They will smack down anyone else who asserts their own patents against OpenID

Who else is involved?

(Slide borrowed from David Recordon)

AOL - provider, full consumer by end of July

Microsoft: Bill Gates expressed their interest at the RSA conference

(mainly as good PR for CardSpace?)

Sun: Patent Covenant, 33,000 employees

Six Apart



Yahoo! - indirectly


Thank you
