The Implications of OpenID
  1. The implications of OpenID. Simon Willison, XTech, 18th May 2007
  2. This talk is not about identity
  3. “identity” implies lots of unanswered questions
  4. I’m bored of unanswered questions
  5. I’m going to answer as many questions as possible
  6. (To keep things easy, I get to ask them)
  7. Who here has used OpenID?
  8. Who uses it regularly?
  9. What is OpenID?
  10. OpenID is a decentralised mechanism for Single Sign On
  11. What problems does it solve?
  12. “Too many passwords!”
  13. “Someone else nabbed my username”
  14. “My online profile is scattered across dozens of sites” (potentially, at least)
  15. What is an OpenID?
  16. An OpenID is a URL
  17. http://swillison.livejournal.com/
  18. http://simonw.myopenid.com/
  19. http://simonwillison.net/
  20. http://openid.aol.com/simonwillison/
  21. What can you do with an OpenID?
  22. You can claim that you own it
  23. You can prove that claim
  24. Why is that useful?
  25. You can use it for authentication
  26. “Who the heck are you?!”
  27. “I’m simonwillison.net”
  28. “prove it!”
  29. (magic happens)
  30. “OK, you’re in!”
  31. So it’s a bit like Microsoft Passport, then?
  32. Yes, but Microsoft don’t get to own your credentials
  33. Who does get to own them, then?
  34. You, the user, decide.
  35. You pick a provider
  36. (just like e-mail)
  37. So I’m still giving someone the keys to my kingdom?
  38. Yes, but it can be someone you trust
  39. If you have the ability to run your own server software, you can do it for yourself.
  40. OK, how do I use it?
  41. So my users don’t have to sign up for an account?
  42. Not necessarily
  43. An OpenID tells you very little about a user
  44. You don’t know their name
  45. You don’t know their e-mail address
  46. You don’t know if they’re a person or an evil robot
  47. (or a dog)
  48. Where do I get that information from?
  49. You ask them!
  50. OpenID can even help them answer
  51. How can I tell if they’re an evil spambot?
  52. Same as usual: challenge them with a CAPTCHA
  53. botbouncer.com can tell you if their OpenID has passed a CAPTCHA before
  54. (assuming you trust botbouncer.com)
  55. So how does OpenID actually work?
  56. <link rel="openid.server" href="http://www.myopenid.com/server" />
  57. “I’m simonwillison.myopenid.com”
  58. Site fetches HTML, discovers identity provider
  59. Establishes shared secret with identity provider (Using Diffie-Hellman key exchange)
  60. Redirects you to the identity provider
  61. If you’re logged in there, you get redirected back
  62. How does my identity provider know who I am?
  63. OpenID deliberately doesn’t specify
  64. username/password is common
  65. But providers can use other methods if they want to
  66. Client SSL certificates
  67. Out of band authentication via SMS, e-mail or Jabber
  68. IP based login restrictions
  69. (one guy set that up using DynDNS)
  70. SecurID keyfobs
  71. No authentication at all (just say “Yes”)
  72. Just say “yes”?
  73. Yup. That’s the OpenID version of bugmenot.com
  74. http://www.jkg.in/openid/
  75. Users can give away their passwords today - this is just the OpenID equivalent
  76. What if I decide I hate my provider?
  77. Use your own domain name
  78. Delegate to a provider you trust
  79. <link rel="openid.server" href="http://www.livejournal.com/openid/server.bml"> <link rel="openid.delegate" href="http://swillison.livejournal.com/">
  80. Support for delegation is compulsory
  81. Minimise lock in
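The discovery step from slides 56 to 61 and the delegation set-up from slides 77 to 80 come down to reading two `<link>` elements out of the HTML at the claimed URL. The following is an added worked example of that OpenID 1.x HTML discovery, written for this page; it is not code from the talk or from any OpenID library. The two HTML documents are constructed for the example (the URLs in them are the ones the slides show), and `normalize_identifier`, `discover` and the parser class are names chosen here.

```python
"""OpenID 1.x HTML-based discovery (added example, not the talk's code).

The relying party fetches the HTML at the URL the user claims and reads:
  rel="openid.server"   -> the identity provider endpoint to redirect to
  rel="openid.delegate" -> (optional) the identifier the provider knows the
                           user by; without it the claimed URL itself is used.
After the round-trip, the assertion's identity must equal the discovered
delegate and must come from the discovered server; otherwise any provider
could vouch for any identifier.
"""
from html.parser import HTMLParser
from typing import Dict, Tuple
from urllib.parse import urlsplit


def normalize_identifier(user_input: str) -> str:
    """Turn what the user typed ("simonwillison.net") into a fetchable URL.

    OpenID identifiers are URLs: a missing scheme defaults to http://, a
    missing path becomes "/", and any fragment is dropped, so that
    "simonwillison.net" and "http://simonwillison.net/" are one identifier.
    """
    s = user_input.strip()
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    url = f"{parts.scheme}://{parts.netloc}{parts.path or '/'}"
    if parts.query:
        url += "?" + parts.query
    return url


class _OpenIDLinkParser(HTMLParser):
    """Collect the first openid.server / openid.delegate <link> inside <head>."""

    WANTED = ("openid.server", "openid.delegate")

    def __init__(self) -> None:
        super().__init__()
        self.links: Dict[str, str] = {}
        self._in_head = True

    def handle_starttag(self, tag, attrs) -> None:
        if tag == "body":
            # Only <head> counts: markup that ends up in the page body
            # (comments, user content) must not be able to redirect discovery.
            self._in_head = False
            return
        if tag != "link" or not self._in_head:
            return
        attr = dict(attrs)
        href = attr.get("href")
        if not href:
            return
        for rel in (attr.get("rel") or "").lower().split():
            if rel in self.WANTED and rel not in self.links:
                self.links[rel] = href


def discover(claimed_id: str, html: str) -> Tuple[str, str]:
    """Return (provider_endpoint, delegate_identifier) for a claimed URL."""
    parser = _OpenIDLinkParser()
    parser.feed(html)
    parser.close()
    if "openid.server" not in parser.links:
        raise ValueError(f"{claimed_id} carries no openid.server link")
    server = parser.links["openid.server"]
    delegate = parser.links.get("openid.delegate", claimed_id)
    return server, delegate


# Constructed sample pages for the example (not fetched from anywhere).
DELEGATED_HTML = """<html><head><title>Simon Willison</title>
<link rel="openid.server" href="http://www.livejournal.com/openid/server.bml">
<link rel="openid.delegate" href="http://swillison.livejournal.com/">
</head><body>
<link rel="openid.server" href="http://example.invalid/ignored-in-body">
</body></html>"""

DIRECT_HTML = """<html><head>
<link rel="openid.server" href="http://www.myopenid.com/server" />
</head><body>profile page</body></html>"""


if __name__ == "__main__":
    cid = normalize_identifier("simonwillison.net")
    print(cid, "->", discover(cid, DELEGATED_HTML))
    cid = normalize_identifier("http://simonwillison.myopenid.com/")
    print(cid, "->", discover(cid, DIRECT_HTML))
```

With the delegated page the relying party redirects the user to the LiveJournal server but asks it about `http://swillison.livejournal.com/`, while continuing to treat `http://simonwillison.net/` as the account identifier; that is what lets the user switch providers later by editing one `<link>` tag.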
  82. So everyone will end up with one OpenID that they use for everything?
  83. Probably not
  84. (I have half a dozen OpenIDs already)
  85. People like maintaining multiple online personas
  86. professional, social, secret, ...
  87. OpenID makes it easier to manage multiple online personas
  88. Different OpenIDs can express different things
  89. My AOL OpenID proves my AIM screen name
  90. A last.fm OpenID could incorporate my taste in music
  91. My LiveJournal OpenID tells you where to find my blog
  92. ... and a FOAF file listing my friends
  93. doxory.com uses this for contact imports
  94. An OpenID from sun.com proves that someone is a current Sun employee
  95. Why is OpenID worth implementing over all the other identity standards?
  96. It’s simple
  97. Unix philosophy: It solves one, tiny problem
  98. It’s a dumb network
  99. Many of the competing standards are now on board
  100. Isn’t putting all my eggs in one basket a really bad idea?
  101. Bad news: chances are you already do
  102. “I forgot my password” means your e-mail account is already an SSO mechanism
  103. OpenID just makes this a bit more obvious
  104. What about phishing?
  105. Phishing is a problem
  106. (Mock-up of a relying party) “I can has lolcats!? BETA. Make your own lolcats! Sign in with your OpenID: [OpenID: ____] [Sign in]”
  107. (Fake edition of your identity provider) “Username and password, please! [Username: ____] [Password: ____] [Log in]”
  108. Identity theft :(
  109. An untrusted site redirects you to your trusted provider
  110. Sound familiar?
  111. That’s how Paypal works!
  112. It still sucks though
  113. One solution: don’t let the user log in on the identity provider “landing page”
  114. Better solutions
  115. CardSpace
  116. Seat belt
  117. Native browser support for OpenID
  118. Competition between providers
  119. How do I implement OpenID on my site?
  120. As a consumer...
  121. Grab an OpenID library for your chosen language or platform
  122. www.openidenabled.com
  123. Allow your existing users to associate their accounts with one or more OpenIDs
  124. (make sure you authenticate the OpenIDs first)
  125. Allow people to kick-start the registration process with their OpenID
  126. Make passwords optional during signup if an OpenID has already been confirmed
  127. As a provider...
  128. Figure out your anti-phishing mechanism
  129. Read the spec!
  130. Why allow multiple OpenIDs per account?
  131. People can still sign in if one of their providers is down
  132. People can un-associate an OpenID without locking themselves out
  133. You can take advantage of site-specific services around OpenID
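Slides 123 to 126 and 130 to 133 together describe the rules a consumer site needs around account linking: authenticate an OpenID before associating it, let one account hold several OpenIDs, and let users drop a provider without locking themselves out. The following is an added example of those rules as account-management logic; it is not the talk's code or any library's. `Account`, `OpenIDRegistry`, `LinkError` and `rejects` are names invented for it, and it assumes identifiers arrive already normalised.

```python
"""Account/OpenID association rules (added example, not the talk's code).

Rules enforced:
  * an OpenID is attached only after the OpenID round-trip has confirmed it
    (the `verified` flag stands for that confirmed assertion);
  * one OpenID belongs to at most one local account;
  * a login method is removed only while another remains, so un-associating
    an OpenID or dropping the password never locks the user out.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set


class LinkError(Exception):
    """Raised when an association change would break one of the rules."""


class OpenIDRegistry:
    """Site-wide map from OpenID URL to the local account that owns it."""

    def __init__(self) -> None:
        self._owner: Dict[str, str] = {}

    def claim(self, openid: str, username: str) -> None:
        current = self._owner.get(openid)
        if current is not None and current != username:
            raise LinkError(f"{openid} is already associated with another account")
        self._owner[openid] = username

    def release(self, openid: str) -> None:
        self._owner.pop(openid, None)

    def lookup(self, openid: str) -> Optional[str]:
        return self._owner.get(openid)


@dataclass
class Account:
    username: str
    has_password: bool = True
    openids: Set[str] = field(default_factory=set)

    def login_methods(self) -> int:
        return len(self.openids) + (1 if self.has_password else 0)

    def associate(self, openid: str, verified: bool, registry: OpenIDRegistry) -> None:
        # Slide 124: authenticate the OpenID first, or anyone could attach
        # someone else's identifier to their own account.
        if not verified:
            raise LinkError("authenticate the OpenID before associating it")
        registry.claim(openid, self.username)
        self.openids.add(openid)

    def disassociate(self, openid: str, registry: OpenIDRegistry) -> None:
        if openid not in self.openids:
            raise LinkError(f"{openid} is not associated with {self.username}")
        if self.login_methods() <= 1:
            raise LinkError("removing the last login method would lock the user out")
        self.openids.discard(openid)
        registry.release(openid)

    def drop_password(self) -> None:
        # Slide 126: a password is optional only once an OpenID is confirmed.
        if not self.openids:
            raise LinkError("keep the password until at least one OpenID is confirmed")
        self.has_password = False


def rejects(action: Callable[[], None]) -> bool:
    """True if `action` is refused by the rules above (raises LinkError)."""
    try:
        action()
    except LinkError:
        return True
    return False


if __name__ == "__main__":
    registry = OpenIDRegistry()
    simon = Account("simon")
    simon.associate("http://simonwillison.net/", True, registry)
    simon.associate("http://simonw.myopenid.com/", True, registry)
    simon.drop_password()
    simon.disassociate("http://simonwillison.net/", registry)
    print(simon.login_methods(), "login method(s) left")
    print("refused:", rejects(lambda: simon.disassociate("http://simonw.myopenid.com/", registry)))
```

Keeping the "at least one login method" check inside the account object, rather than in each form handler, is what makes slide 132 hold everywhere the un-associate action is exposed.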
  134. Any other neat tricks?
  135. Yes, lots!
  136. Lightweight accounts
  137. Pre-approved accounts
  138. Social whitelists
  139. OpenID and hCard
  140. Decentralised social networks?
  141. “People keep asking me to join the LinkedIn network, but I’m already part of a network, it’s called the Internet.” Gary McGraw, via Jon Udell, via Gavin Bell
  142. What are the privacy implications?
  143. Cross correlation of accounts
  144. Don’t publish a user’s OpenID without explicit permission
  145. The online equivalent of a credit reporting agency?
  146. This could be built today by sites conspiring to share e-mail addresses
  147. IANAL, but legal protections against this already exist
  148. OpenID 2.0 makes it trivial to use a different OpenID for every site
  149. Patents?
  150. Sun have pre-announced a “patent covenant”
  151. They won’t clobber OpenID with their patents
  152. They’ll clobber anyone else who tries to
  153. Who else is involved?
  154. AOL - provider, full consumer by end of June
  155. Microsoft: Bill Gates expressed their interest
  156. (Mainly as good PR for CardSpace)
  157. Sun: Patent Covenant, 33,000 employees
  158. Six Apart
  159. VeriSign
  160. JanRain
  161. You?
  162. http://openid.net/ http://www.openidenabled.com/ http://simonwillison.net/tags/openid/
  163. Thank you