an OpenID


Who here has used OpenID?


Who uses it regularly?


What is OpenID?


OpenID is a decentralised mechanism for Single Sign On


What problems does it solve?


“Too many passwords!”


“Someone else already grabbed my username”


“My online profile is scattered across dozens of sites”


What is an OpenID?


An OpenID is a URL


http://swillison.livejournal.com/


http://simonw.myopenid.com/


http://simonwillison.net/


http://openid.aol.com/simonwillison/


What can you do with an OpenID?


You can claim that you own it


You can prove that claim


Why is that useful?


You can use it for authentication


“Who the heck are you?!”


“I’m simonwillison.net”


“prove it!”


(magic happens)


“OK, you’re in!”


So it’s a bit like Microsoft Passport, then?


Yes, but you don’t need to ask their permission to implement it


And Microsoft don’t get to own your credentials


Who does get to own them?


You, the user, decide.


You pick your own provider


(just like e-mail)


So I’m still giving someone the keys to my kingdom?


Yes, but it can be someone you trust


If you have the ability to run your own server software, you can do it for yourself.


OK, how do I use it?


So my users don’t have to sign up for an account?


Not necessarily


An OpenID tells you very little about a user


You don’t know their name


You don’t know their e-mail address


You don’t know if they’re a person or an evil robot


(or a dog)


Where do I get that information from?


You ask them!


OpenID can even help them answer


How can I tell if they’re an evil spambot?


Same as usual: challenge them with a CAPTCHA


So how does OpenID actually work?


“I’m simonwillison.myopenid.com”


Site fetches HTML, discovers identity provider


Establishes shared secret with identity provider (using Diffie-Hellman key exchange)


Redirects you to the identity provider


If you’re logged in there, you get redirected back
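The “magic happens” step, as an added example that is not from the talk: how an OpenID 1.1 consumer checks the redirect-back from the provider. It assumes the consumer already stored the association’s MAC key under its handle (a constructed key here) and that the provider signs mode, identity and return_to, so a response the provider never signed, or whose identity was altered in flight, is rejected.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed: MAC keys the consumer stored when it associated with the
# provider, keyed by assoc_handle. Real keys come out of the DH exchange.
MAC_KEYS = {"assoc-demo-1": bytes(range(20))}


def kv_form(params, signed_fields):
    """Key-value form of the signed fields, in the order openid.signed lists them."""
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in signed_fields)


def sign(mac_key, params, signed_fields):
    """OpenID 1.1 signature: base64(HMAC-SHA1(mac_key, key-value form))."""
    digest = hmac.new(mac_key, kv_form(params, signed_fields).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def provider_redirect(mac_key, handle, identity, return_to):
    """Stand-in for the provider: builds the signed id_res redirect (demo only)."""
    params = {"openid.mode": "id_res", "openid.identity": identity,
              "openid.return_to": return_to, "openid.assoc_handle": handle,
              "openid.signed": "mode,identity,return_to"}
    params["openid.sig"] = sign(mac_key, params, ["mode", "identity", "return_to"])
    return return_to + "?" + urlencode(params)


def verify_id_res(url, expected_return_to, expected_identity):
    """Consumer side: accept the response only if it is signed with our key
    over the fields that matter and names the identity we asked about."""
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if params.get("openid.mode") != "id_res":
        return False
    signed = params.get("openid.signed", "").split(",")
    # The provider chooses what it signs; an unsigned identity proves nothing.
    if not {"mode", "identity", "return_to"} <= set(signed):
        return False
    if any("openid." + f not in params for f in signed):
        return False
    mac_key = MAC_KEYS.get(params.get("openid.assoc_handle"))
    if mac_key is None:
        return False  # unknown handle; a real consumer falls back to check_authentication
    if not hmac.compare_digest(sign(mac_key, params, signed), params.get("openid.sig", "")):
        return False
    return (params["openid.return_to"] == expected_return_to
            and params["openid.identity"] == expected_identity)
```

A real consumer also checks that return_to is the URL it actually sent and puts its own nonce in it, since OpenID 1.1 has no replay protection of its own.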


How does my identity provider know who I am?


OpenID deliberately doesn’t specify


username/password is common


But providers can use other methods if they want to


Client SSL certificates


Out of band authentication via SMS, e-mail or Jabber


IP based login restrictions


(one guy set that up using DynDNS)


SecurID keyfobs


No authentication at all (just say “Yes”)


Just say “yes”?


Yup. That’s the OpenIDversion of bugmenot.com


http://www.jkg.in/openid/


Users can give away their passwords today - this is just the OpenID equivalent


What if I decide I hate my provider?


Use your own domain name


Delegate to a provider you trust


Support for delegation is compulsory


This minimises lock in
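HTML discovery with delegation, as an added example rather than code from the talk: the consumer fetches the claimed URL and reads the OpenID 1.1 link tags, which is what lets a user on their own domain point at whichever provider they trust. The sample page, the provider endpoint and the delegate URL are all constructed.

```python
from html.parser import HTMLParser

# Constructed sample: the HTML a consumer fetches for the claimed URL.
# rel="openid.server" names the provider endpoint; rel="openid.delegate"
# names the identity that provider actually knows the user by.
SAMPLE_HTML = """<html><head>
<title>Example personal site</title>
<link rel="stylesheet" href="/style.css">
<link rel="openid.server" href="https://provider.example/server">
<link rel="openid.delegate" href="https://alice.provider.example/">
</head><body>hello</body></html>"""


class _LinkCollector(HTMLParser):
    """Collects (rel values, href) for every <link> tag in the page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "link":
            a = dict(attrs)
            if a.get("rel") and a.get("href"):
                self.links.append((a["rel"].lower().split(), a["href"]))


def discover(claimed_url, html):
    """OpenID 1.1 HTML discovery: returns (server_url, identity_to_verify).

    With delegation the provider asserts the delegate URL, not the claimed
    one, so the consumer must remember the mapping it found here and check
    the provider's assertion against the delegate, never the other way round.
    """
    parser = _LinkCollector()
    parser.feed(html)
    server = delegate = None
    for rels, href in parser.links:
        if "openid.server" in rels and server is None:
            server = href
        elif "openid.delegate" in rels and delegate is None:
            delegate = href
    if server is None:
        raise ValueError("no openid.server link found at " + claimed_url)
    return server, delegate or claimed_url
```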


So everyone will end up with one OpenID that they use for everything?


Probably not


(I have half a dozen OpenIDs already)


People like maintaining multiple online personas


professional, social, secret, ...


OpenID makes it easier to manage multiple online personas


Three accounts is still better than three dozen


If an OpenID is just a URL, is there anything else interesting you can do with it?


Yes. Different OpenIDs can express different things


My AOL OpenID proves my AIM screen name


An OpenID from sun.com proves that someone is a current Sun employee


A last.fm OpenID could incorporate my taste in music


My LiveJournal OpenID tells you where to find my blog


... and a FOAF file listing my friends


doxory.com uses this for contact imports


Why is OpenID worth implementing over all the other identity standards?


It’s simple


Unix philosophy: it solves one, tiny problem


It’s a dumb network


Many of the competing standards are now on board


Isn’t putting all my eggs in one basket a really bad idea?


Bad news: chances are you already do


“I forgot my password” means your e-mail account is already an SSO mechanism


OpenID just makes this a bit more obvious


What about phishing?


Phishing is a problem


(Mock-up slide: a spoof “I can has lolcats!? BETA - Make your own lolcats! lol” site with a “Sign in with your OpenID” form and a Sign in button; lolcat image from http://icanhascheezburger.com/2007/05/16/i-has-a-backpack/)


(Mock-up slide: “Your identity provider - Fake edition” asking “Username and password, please!” with Username and Password fields and a Log in button)


Identity theft :(


An untrusted site redirects you to your trusted provider


Sound familiar?


PayPal, Yahoo! BBAuth, Google Auth, Google Checkout


You guys already need to solve that problem!


One solution: don’t let the user log in on the identity provider “landing page”


Better solutions


CardSpace


Native browser support for OpenID (e.g. SeatBelt)


Competition between providers


Permanent cookie set using out-of-band token


Best practices for OpenID consumers?


“I forgot my password” becomes “I can’t sign in with my OpenID”


Allow multiple OpenIDs to be associated with a single account


People can still sign in if one of their providers is down


People can un-associate an OpenID without locking themselves out


You can take advantage of site-specific services around each of their OpenIDs


Any other neat tricks?


Portable contact lists


Facebook (and others) currently ask for the user’s Google username and password


I don’t need to tell you why that’s a horrible idea


Lightweight accounts


Pre-approved accounts


Social whitelists


OpenID and microformats


Decentralised social networks?


“People keep asking me to join the LinkedIn network, but I’m already part of a network, it’s called the Internet.”
Gary McGraw, via Jon Udell, via Gavin Bell


Doesn’t this outsource the security of my users to untrusted third parties?


Yes it does. But...


... so do “forgotten password” e-mails!


If e-mail is secure enough for your user’s authentication, so is OpenID


Password e-mails are essentially SSO with a deliberately bad user experience


What are the privacy implications?


Cross correlation of accounts


Don’t publish a user’s OpenID without making it clear that you’re going to do that


Allow users to opt-out of sharing their OpenID


The online equivalent of a credit reporting agency?


This could be built today by sites conspiring to share e-mail addresses


IANAL, but legal protections against this already exist


“Directed identity” in OpenID 2.0 makes it easy to use a different OpenID for every site


Patents?


Sun and VeriSign have both announced “patent covenants”


They won’t smack you down with their patents for using OpenID 1.1


They will smack down anyone else who asserts their own patents against OpenID


Who else is involved?


(Slide borrowed from David Recordon)


AOL - provider, full consumer by end of July


Microsoft: Bill Gates expressed their interest at the RSA conference


(mainly as good PR for CardSpace?)


Sun: Patent Covenant, 33,000 employees


Six Apart


VeriSign


JanRain


Yahoo! - indirectly


Google?


http://openid.net/
http://www.openidenabled.com/
http://simonwillison.net/tags/openid/


Thank you
