Who here has used OpenID?
Who uses it regularly?
What is OpenID?
OpenID is a decentralised mechanism for Single Sign On
What problems does it solve?
“Too many passwords!”
“Someone else already grabbed my username”
“My online profile is scattered across dozens of sites”
What is an OpenID?
An OpenID is a URL
What can you do with an OpenID?
You can claim that you own it
You can prove that claim
Why is that useful?
You can use it for authentication
“Who the heck are you?!”
“OK, you’re in!”
So it’s a bit like Microsoft Passport, then?
Yes, but you don’t need to ask their permission to implement it
And Microsoft don’t get to own your credentials
Who does get to own them?
You, the user, decide.
You pick your own provider
(just like e-mail)
So I’m still giving someone the keys to my kingdom?
Yes, but it can be someone you trust
If you have the ability to run your own server software, you can do it for yourself.
OK, how do I use it?
So my users don’t have to sign up for an account?
An OpenID tells you very little about a user
You don’t know their name
You don’t know their e-mail address
You don’t know if they’re a person or an evil robot
(or a dog)
Where do I get that information from?
You ask them!
OpenID can even help them answer (the Simple Registration extension lets the provider pass along profile fields the user agrees to share)
How can I tell if they’re an evil spambot?
Same as usual: challenge them with a CAPTCHA
So how does OpenID actually work?
Site fetches the HTML at the OpenID URL, discovers the identity provider (and any delegate URL)
Establishes a shared secret with the identity provider (using Diffie-Hellman key exchange; the secret is the HMAC key the provider will use to sign its assertions)
Redirects you to the identity provider
If you’re logged in there, you get redirected back with a signed assertion, which the site verifies against the shared secret
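The association and signed-assertion steps above, as an added worked example (this is illustrative code written for this page, not the speaker's or any OpenID library's code). It plays both sides of the OpenID 1.1 DH-SHA1 association in one process: the consumer sends its DH public value, the provider returns its own public value plus the MAC key masked with SHA1 of the shared secret, and the consumer unmasks the MAC key and uses it to check the HMAC-SHA1 signature on a later id_res response. The modulus constant is the spec's default as recalled here; check it against the spec before relying on it. Hostnames under .example and the field set signed are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import secrets

# Default DH modulus and generator from the OpenID 1.1 spec (DH-SHA1 session type).
# Reproduced from memory of the spec; verify against the spec text before production use.
DEFAULT_MOD = 155172898181473697471232257763715539915724801966915404479707795314057629378541917580651227423698188993727816152646631438561595825688188889951272158842675419950341258706556549803580104870537681476726513255747040765857479291291572334510643245094715007229621094194349783925984760375594985848253359305585439638443
DEFAULT_GEN = 2


def btwoc(n: int) -> bytes:
    """OpenID's 'big-endian two's complement' encoding of a non-negative integer."""
    raw = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return b"\x00" + raw if raw[0] & 0x80 else raw


def unbtwoc(data: bytes) -> int:
    return int.from_bytes(data, "big", signed=True)


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def token_contents(fields: dict, signed_keys: list) -> bytes:
    # OpenID 1.1: "key:value\n" for each signed key, in the order given in openid.signed
    return "".join(f"{k}:{fields[k]}\n" for k in signed_keys).encode()


def sign(mac_key: bytes, fields: dict, signed_keys: list) -> str:
    return b64(hmac.new(mac_key, token_contents(fields, signed_keys), hashlib.sha1).digest())


class Provider:
    """Identity provider side: answers the association request and signs assertions."""

    def __init__(self):
        self.assocs = {}  # assoc_handle -> mac_key

    def associate(self, req: dict) -> dict:
        mod = unbtwoc(base64.b64decode(req["openid.dh_modulus"]))
        gen = unbtwoc(base64.b64decode(req["openid.dh_gen"]))
        consumer_pub = unbtwoc(base64.b64decode(req["openid.dh_consumer_public"]))
        y = secrets.randbelow(mod - 2) + 1           # provider's private exponent
        shared = pow(consumer_pub, y, mod)
        mac_key = secrets.token_bytes(20)            # HMAC-SHA1 key; never sent in clear
        handle = secrets.token_hex(8)
        self.assocs[handle] = mac_key
        return {
            "assoc_type": "HMAC-SHA1",
            "session_type": "DH-SHA1",
            "assoc_handle": handle,
            "expires_in": "1209600",
            "dh_server_public": b64(btwoc(pow(gen, y, mod))),
            # MAC key masked with SHA1(btwoc(shared)); only the holder of x can unmask it
            "enc_mac_key": b64(xor_bytes(mac_key, hashlib.sha1(btwoc(shared)).digest())),
        }

    def checkid_response(self, handle: str, identity: str, return_to: str) -> dict:
        fields = {"mode": "id_res", "identity": identity, "return_to": return_to}
        signed = ["mode", "identity", "return_to"]
        resp = {"openid." + k: v for k, v in fields.items()}
        resp["openid.assoc_handle"] = handle
        resp["openid.signed"] = ",".join(signed)
        resp["openid.sig"] = sign(self.assocs[handle], fields, signed)
        return resp


class Consumer:
    """Relying party side: starts the DH exchange, recovers the MAC key, verifies assertions."""

    def __init__(self, mod=DEFAULT_MOD, gen=DEFAULT_GEN):
        self.mod, self.gen = mod, gen
        self.x = secrets.randbelow(mod - 2) + 1      # consumer's private exponent
        self.mac_key = None
        self.assoc_handle = None

    def associate_request(self) -> dict:
        return {
            "openid.mode": "associate",
            "openid.assoc_type": "HMAC-SHA1",
            "openid.session_type": "DH-SHA1",
            "openid.dh_modulus": b64(btwoc(self.mod)),
            "openid.dh_gen": b64(btwoc(self.gen)),
            "openid.dh_consumer_public": b64(btwoc(pow(self.gen, self.x, self.mod))),
        }

    def finish_association(self, resp: dict) -> bytes:
        server_pub = unbtwoc(base64.b64decode(resp["dh_server_public"]))
        shared = pow(server_pub, self.x, self.mod)
        self.mac_key = xor_bytes(base64.b64decode(resp["enc_mac_key"]),
                                 hashlib.sha1(btwoc(shared)).digest())
        self.assoc_handle = resp["assoc_handle"]
        return self.mac_key

    def verify(self, resp: dict) -> bool:
        if resp.get("openid.assoc_handle") != self.assoc_handle:
            return False
        signed_keys = resp["openid.signed"].split(",")
        # Refuse assertions whose signature does not cover the fields we act on
        if not {"mode", "identity", "return_to"} <= set(signed_keys):
            return False
        fields = {k: resp["openid." + k] for k in signed_keys}
        return hmac.compare_digest(sign(self.mac_key, fields, signed_keys), resp["openid.sig"])


def demo():
    """Full exchange: associate, then check a genuine and a tampered assertion."""
    provider, consumer = Provider(), Consumer()
    consumer.finish_association(provider.associate(consumer.associate_request()))
    resp = provider.checkid_response(consumer.assoc_handle,
                                     "http://simon.example/", "http://rp.example/finish")
    tampered = dict(resp, **{"openid.identity": "http://attacker.example/"})
    return (consumer.mac_key == provider.assocs[consumer.assoc_handle],
            consumer.verify(resp), consumer.verify(tampered))


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The point to notice is that the association is between the consumer and the provider only; the user's browser carries the signed response but never sees the MAC key, so a tampered identity or return_to fails the HMAC check. A real consumer also needs what this sketch leaves out: a nonce on return_to to stop replay of a captured response, a check that return_to really belongs to the consumer, and the check_authentication fallback for when it has no association with the provider.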
How does my identity provider know who I am?
OpenID deliberately doesn’t specify
But providers can use other methods if they want to
Client SSL certificates
Out of band authentication via SMS, e-mail or Jabber
IP based login restrictions
(one guy set that up using DynDNS)
No authentication at all (just say “Yes”)
Just say “yes”?
Yup. That’s the OpenID version of bugmenot.com
Users can give away their passwords today - this is just the OpenID equivalent
What if I decide I hate my provider?
Use your own domain name
Delegate to a provider you trust
Support for delegation is compulsory (for consumers)
This minimises lock in
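The discovery step (“site fetches HTML, discovers identity provider”) and delegation from your own domain, as an added worked example written for this page (not the speaker's or any library's code). It parses the two OpenID 1.1 link tags a page can carry, `rel="openid.server"` and `rel="openid.delegate"`, normalises what the user typed into a claimed identifier, and shows the check a consumer must make when the provider's assertion comes back. The sample pages and the .example hostnames are constructed for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit


class OpenIDLinkParser(HTMLParser):
    """Collects the first <link rel="openid.server"> and <link rel="openid.delegate"> in <head>."""

    def __init__(self):
        super().__init__()
        self.links = {}
        self.in_head = True  # OpenID 1.1 only honours link tags inside <head>

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.in_head = False
        if tag != "link" or not self.in_head:
            return
        attr = dict(attrs)
        href = attr.get("href")
        for rel in (attr.get("rel") or "").lower().split():
            if rel in ("openid.server", "openid.delegate") and href and rel not in self.links:
                self.links[rel] = href

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def normalize(identifier: str) -> str:
    """Turn what the user typed into a canonical claimed identifier URL."""
    ident = identifier.strip()
    if "://" not in ident:
        ident = "http://" + ident
    parts = urlsplit(ident)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not an OpenID URL: {identifier!r}")
    # Lower-case scheme and host, default the path to "/", drop any fragment
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path or "/", parts.query, ""))


def discover(identifier: str, page_html: str) -> dict:
    """Discovery over HTML the consumer fetched itself from the claimed identifier."""
    claimed_id = normalize(identifier)
    parser = OpenIDLinkParser()
    parser.feed(page_html)
    server = parser.links.get("openid.server")
    if not server:
        raise ValueError(f"no openid.server link found at {claimed_id}")
    return {
        "claimed_id": claimed_id,
        "server": server,
        # With delegation the provider is asked about the delegate URL, not the claimed one
        "identity": parser.links.get("openid.delegate", claimed_id),
    }


def check_returned_identity(discovery: dict, returned_identity: str) -> bool:
    """Accept a signed assertion only if it is about the identity we discovered ourselves."""
    return returned_identity == discovery["identity"]


# Constructed sample pages; hostnames under .example are placeholders, not real sites
DELEGATING_PAGE = """<html><head><title>Simon's homepage</title>
<link rel="openid.server" href="http://provider.example/openid/server">
<link rel="openid.delegate" href="http://simon.provider.example/">
</head><body>
<link rel="openid.server" href="http://attacker.example/server">  <!-- ignored: not in head -->
</body></html>"""

SELF_HOSTED_PAGE = """<html><head>
<link rel="openid.server" href="http://nodelegate.example/openid">
</head><body>I run my own provider.</body></html>"""


if __name__ == "__main__":
    d = discover("Simon.Example", DELEGATING_PAGE)
    print(d)
    print(check_returned_identity(d, "http://simon.provider.example/"))  # True
    print(check_returned_identity(d, "http://attacker.example/"))        # False
```

Changing providers is then a matter of editing the two link tags on your own page; your OpenID stays the same. The consumer-side caveat is that the server and delegate URLs must come from a page the consumer fetched itself, never from a request parameter, and the `openid.identity` in the signed response must match the discovered delegate: a provider can only vouch for identities it was discovered for, otherwise any rogue provider could sign an assertion naming your URL.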
So everyone will end up with one OpenID that they use for everything?
(I have half a dozen OpenIDs already)
People like maintaining multiple online personas
OpenID makes it easier to manage multiple online personas
Three accounts is still better than three dozen
If an OpenID is just a URL, is there anything else interesting you can do with it?
Yes. Different OpenIDs can express different things
My AOL OpenID proves my AIM screen name
An OpenID from sun.com proves that someone is a current Sun employee
A last.fm OpenID could incorporate my taste in music
My LiveJournal OpenID tells you where to find my blog
... and a FOAF file listing my friends
doxory.com uses this for contact imports
Why is OpenID worth implementing over all the other identity standards?
Unix philosophy: it solves one, tiny problem
It’s a dumb network
Many of the competing standards are now on board
Isn’t putting all my eggs in one basket a really bad idea?
Bad news: chances are you already do
“I forgot my password” means your e-mail account is already an SSO mechanism
OpenID just makes this a bit more obvious
What about phishing?
Phishing is a problem
(Demo slide: a mock “I can has lolcats!? BETA” site with a “Sign in with your OpenID” box; image from http://icanhascheezburger.com/2007/05/16/i-has-a-backpack/)
(Demo slide: “Your identity provider, Fake edition” asking for username and password)
Identity theft :(
An untrusted site redirects you to your trusted provider
PayPal, Yahoo! BBAuth, Google Auth, Google Checkout
You guys already need to solve that problem!
One solution: don’t let the user log in on the identity provider “landing page”
Native browser support for OpenID (e.g. SeatBelt)
Permanent cookie set using an out-of-band token
Best practices for OpenID consumers?
“I forgot my password” becomes “I can’t sign in with my OpenID”
Allow multiple OpenIDs to be associated with a single account
People can still sign in if one of their providers is down
People can un-associate an OpenID without locking themselves out
You can take advantage of site-specific services around each of their OpenIDs
Any other neat tricks?
Portable contact lists
Facebook (and others) currently ask for the user’s Google username and password
I don’t need to tell you why that’s a horrible idea
“People keep asking me to join the LinkedIn network, but I’m already part of a network, it’s called the Internet.” Gary McGraw, via Jon Udell, via Gavin Bell
Doesn’t this outsource the security of my users to untrusted third parties?
Yes it does. But...
... so do “forgotten password” e-mails!
If e-mail is secure enough for your user’s authentication, so is OpenID
Password e-mails are essentially SSO with a deliberately bad user experience
What are the privacy implications?
Cross correlation of accounts
Don’t publish a user’s OpenID without making it clear that you’re going to do that
Allow users to opt out of sharing their OpenID
The online equivalent of a credit reporting agency?
This could be built today by sites conspiring to share e-mail addresses
IANAL, but legal protections against this already exist
“Directed identity” in OpenID 2.0 makes it easy to use a different OpenID for every site
Sun and VeriSign have both announced “patent covenants”
They won’t smack you down with their patents for using OpenID 1.1
They will smack down anyone else who asserts their own patents against OpenID
Who else is involved?
(Slide borrowed from David Recordon)
AOL - provider, full consumer by end of July
Microsoft: Bill Gates expressed their interest at the RSA conference
(mainly as good PR for CardSpace?)
Sun: Patent Covenant, 33,000 employees
Yahoo! - indirectly