eduserv openid meeting: openid today

Post on 28-Jan-2015


TRANSCRIPT

Today

Eduserv OpenID Meeting

"taking the world by storm"

Tim O'Reilly

"It's definitely time to declare OpenID a winner"

TechCrunch

"this high profile announcement marks the importance of single sign on identity technology to the future of the Internet"

ReadWriteWeb

"OpenID is a protocol made for the public, by the public.

No one owns or controls your login information: You do."

37signals

"...sees great potential for OpenID's use alongside enterprise-ready software infrastructure"

Sun Microsystems

What is OpenID?

• Single sign-on for the web

• Simple and light-weight (not going to replace your bank card pin)

• Easy to use and deploy

• Built upon proven existing technologies (DNS, HTTP, SSL/TLS, Diffie-Hellman)

• Decentralized (you don't have to ask anyone permission to implement it)

• Free!

An OpenID is a URI

• URLs are globally unique and ubiquitous

• OpenID allows proving ownership of a URI

• People already have identity at URLs via blogs, photos, MySpace, Facebook, etc.

• People already describe relationships via URLs (e.g. links to my friends)

OpenID is Decentralized

"What problems does it solve?"

Too many usernames

Too many passwords

Signup is too hard

Directories are hard

Strong auth is complex

The web lacks identity

OpenID is another important building block.

Identity is not just one thing

...but it is really about trust

With OpenID, you get to choose who you trust.

(and even change your mind later)

DEMO

How Does it Work?

Prove it!

I’m davidrecordon.com

Who are you?

As a Conversation

"openid.server" points to my OpenID Provider

Discovers My Provider

(crypto happens)
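The discovery step sketched above, as an added example that is not part of the original slides: in OpenID 1.1 HTML-based discovery the relying party fetches the claimed URL and reads the `openid.server` (and optional `openid.delegate`) link from the page's `<head>`. The example URLs, the function and class names, and the HTTPS-only policy are assumptions of this sketch; fetching the page is left out so it runs offline.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample identity page. The <link> inside <body> stands in for
# user-supplied content (e.g. a comment) and must not influence discovery.
SAMPLE = """<html><head>
<link rel="openid.server" href="https://op.example/server">
<link rel="openid.delegate" href="https://op.example/users/alice">
</head><body>
<p>comment text <link rel="openid.server" href="https://other.example/"></p>
</body></html>"""

class HeadLinks(HTMLParser):
    """Collect openid.* link relations, but only while inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.found = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "body":
            self.in_head = False
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            href = a.get("href")
            for rel in (a.get("rel") or "").lower().split():
                if rel in ("openid.server", "openid.delegate") and href:
                    self.found.setdefault(rel, href.strip())  # first one wins

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def discover(claimed_id, html, require_https=True):
    """Return the provider endpoint and the identity to assert for claimed_id."""
    parser = HeadLinks()
    parser.feed(html)
    server = parser.found.get("openid.server")
    if server is None:
        raise ValueError("no openid.server link in <head>")  # fail closed
    url = urlsplit(server)
    if url.scheme not in ("http", "https") or not url.netloc:
        raise ValueError("openid.server is not an absolute http(s) URL")
    if require_https and url.scheme != "https":
        # Local policy assumed here, not a protocol requirement.
        raise ValueError("refusing plain-http provider endpoint")
    return {"claimed_id": claimed_id, "server": server,
            "identity": parser.found.get("openid.delegate", claimed_id)}
```

Restricting the scan to `<head>` is what keeps a link placed in the page body from redirecting the login to a different provider.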

DEMO

Using OpenID

Getting an OpenID

http://openid.net/get/

OpenID is Really Easy

"This is a geek's toy,

nobody will ever have an OpenID!"

~160 million OpenIDs (including every AOL user)

OpenID 1.1 - Estimated from various services

"Nobody will ever use this!"

[Chart: Total Relying Parties (aka places you can login with OpenID). OpenID 1.1 - As viewed by MyOpenID.com. Y-axis: 0 to 6,000. X-axis: monthly, Sep '05 through Sep 22.]

"So that's great there are so many blogs, but what about something real?"

“Any OpenID in the enterprise?”

Internal SSO for bug trackers and wikis

Offer all employees OpenIDs; open source

Enterprise SSO and identity manager with LDAP and OpenID

OpenID Provider with plans to ship in enterprise products this year

Shared OpenID Provider for their businesses and partners

Project management, CRM, and billing for small businesses

"What about security?"

“Protocol Security?”

like any protocol...think as you implement

What about phishing?

More kittens!

Kitten Overload!

Simon Willison - FOWA 02/07

Identity theft! :'(

Kitten Overload!

FAKE

Simon Willison - FOWA 02/07

Safe Sign-In Pages

Estonian ID-card

http://open.id.ee/

The best solutions may be around the browser

Microsoft CardSpace

MyVidoop Plugin (a password manager tied into your OpenID account add-on for Firefox)

Sxipper (a form filler password manager with OpenID integration add-on for Firefox)

Symantec Identity Client (OpenID form-fill, upcoming provider, and claims integration)

(an OpenID convenience and security add-on for Firefox)

works with

VeriSign's OpenID SeatBelt

IE Team has posted a job ad mentioning "OpenID"

"Does the idea of redefining the role of the Internet browser appeal to you? Do the terms HTTP, RSS, Microformats, and OpenID, excite you? If so, then this just might be the opportunity for you."

OpenID doesn't dictate an authentication method

OpenID is great for innovation

"How do I deploy OpenID?"

OpenID Specs

• OpenID Authentication 1.1

• OpenID Simple Registration 1.0

• Yadis Discovery Protocol

• OpenID Authentication 2.0 (implementors draft)

• OpenID Attribute Exchange 1.0 (draft)

• OpenID PAPE 1.0 (draft)

• OpenID Data Transport Protocol (draft)

Final Specifications

• OpenID Authentication 1.1

    • What most people think of for OpenID

    • What I’m mainly talking about today

    • Very simple

• OpenID Simple Registration Extension

    • Exchange basic profile data

    • Keep the user in charge

OpenID Authentication 2.0

• Cleans up the 1.1 specification

• Adds a few useful features

• Robust extensibility

• Enhanced service discovery

• "Directed identity"

• XRI

• About six independent library implementations of final draft

Attribute Exchange

• Flexible framework for exchanging rich profile attributes

• Keeps the user in charge

• Allows updating data in a distributed fashion

PAPE

• Communicate details about how the user authenticated

• High-level policies such as “phishing resistant” or “multi-factor”

• Increasingly important with higher value OpenID transactions

Lots of Easy Code

• Libraries in C#, C++, Java, Perl, Python, Ruby, PHP, and ColdFusion

• Can have something working within a weekend

• Need to think a bit about security and usability

“Why OpenID and education?”

http://openid.net/

Thanks! Questions?

David Recordon

davidrecordon.com

david@sixapart.com
