OpenID and decentralised social networks
DESCRIPTION
Presented at Webstock '08 on February 15th in Wellington, New Zealand. Social networks are an unavoidable part of life on the Web today, but most exist as walled gardens with interactions and identities trapped in a silo. OpenID is one of a number of initiatives that are trying to break down these walls and enable new social applications to bootstrap off each other.
TRANSCRIPT
Simon Willison, Webstock, 15th February 2008
OpenID and decentralised social networks
One year ago...
AOL Supports OpenID
Symantec Unveils Consumer Identity Strategy
OpenID Gets a Boost From Microsoft
The last few weeks...
OpenID announces powerhouse board: MSFT, GOOG, IBM, others
Yahoo! backs! OpenID!
OpenID Foundation Co-opts Google, Microsoft And Yahoo
who will save us from
Decentralised social networks
The username and password problem
What’s my password again?
What’s my username again?
The Web needs Single Sign On
Windows Live ID
SSO with a single controlling authority betrays the principles of the Web
OpenID is a decentralised mechanism
for Single Sign On
It’s like e-mail - no one company controls it, but users with different e-mail providers can still
talk to each other
An OpenID is a URL (an identifier)
http://openid.aol.com/simonwillison/
URLs are globally unique
The OpenID protocol lets you prove that you
own a specific URL
Which means an OpenID can be used as an
authentication credential
“Who are you?”
“I’m simonwillison.net”
“prove it!”
(magic happens)
“OK, you’re in!”
Picking an OpenID is like picking an e-mail provider - you find a
company that you trust
Or if you have the ability to run your own server software, you can do it
for yourself
(mobile phones can run web servers now)
How to use OpenID
What happens to my organisation’s user account database?
OpenID augments existing account
mechanisms; it does not replace them
The first time you see a specific OpenID, you create
an account for that user
OpenID can even help users create their initial profile
OpenID 1.1: Simple Registration
OpenID 2.0: Attribute Exchange
So how does OpenID actually work?
<link rel="openid.server" href="http://www.myopenid.com/server" />
“I’m simonwillison.myopenid.com”
Site fetches HTML, discovers identity provider
Establishes shared secret with identity provider
(Using Diffie-Hellman key exchange)
Redirects you to the identity provider
If you’re logged in there, you get redirected back
(Discovery in OpenID 2.0 is more complicated, but the concept is much the same)
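The discovery, redirect and signed-response steps above, worked through as an added Python example that is not part of the original talk: the identity page HTML, the URLs and the shared secret are constructed, and the Diffie-Hellman association is assumed to have already produced the MAC key.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import urlencode

# Constructed sample identity page (hypothetical URLs), embedded so this runs offline.
SAMPLE_HTML = """<html><head><title>Simon</title>
<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid.delegate" href="http://simonwillison.myopenid.com/" />
</head><body>hello</body></html>"""

LINK_RE = re.compile(r'<link\s+rel="openid\.(server|delegate)"\s+href="([^"]+)"', re.I)

def discover(html):
    """OpenID 1.1 HTML discovery: read the provider endpoint and optional delegate."""
    found = {m.group(1).lower(): m.group(2) for m in LINK_RE.finditer(html)}
    if "server" not in found:
        raise ValueError("no openid.server link found")
    return found

def checkid_setup_url(server, identity, return_to, trust_root):
    """Build the redirect that sends the user to the provider to authenticate."""
    params = {"openid.mode": "checkid_setup", "openid.identity": identity,
              "openid.return_to": return_to, "openid.trust_root": trust_root}
    return server + ("&" if "?" in server else "?") + urlencode(params)

def _sign(params, signed_fields, mac_key):
    # OpenID 1.1 key-value form: "field:value\n" per signed field, HMAC-SHA1, base64.
    token = "".join(f"{f}:{params['openid.' + f]}\n" for f in signed_fields)
    return base64.b64encode(hmac.new(mac_key, token.encode(), hashlib.sha1).digest()).decode()

def verify_response(params, mac_key):
    """Consumer-side check of the id_res response using the association's MAC key."""
    if params.get("openid.mode") != "id_res":
        return False
    signed_fields = params["openid.signed"].split(",")
    if not {"mode", "identity", "return_to"} <= set(signed_fields):
        return False  # every field the consumer relies on must be under the signature
    return hmac.compare_digest(_sign(params, signed_fields, mac_key), params["openid.sig"])

def provider_sign(params, mac_key):
    """What the provider does before redirecting back (used here to build sample input)."""
    params["openid.sig"] = _sign(params, params["openid.signed"].split(","), mac_key)
    return params
```

Note that a response whose signed-field list omits identity or return_to is rejected even if the signature itself is valid.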
How does my identity provider know who I am?
OpenID deliberately doesn’t specify
username/password is the most common
But providers can use other methods if
they want to
Client SSL certificates
Out of band authentication via SMS,
e-mail or Jabber
Hardware tokens
Vidoop.com
Will everyone end up with one OpenID that they use for everything?
Almost certainly not
(I have half a dozen OpenIDs already)
People like maintaining multiple online personas
professional, social, secret
...
OpenID makes it easier to manage multiple
online personas
Three accounts is much better than three dozen
An OpenID provider can provide more than
just an OpenID
My AOL OpenID incorporates my AIM
screen name
An OpenID from sun.com proves that someone is a current
Sun employee
An OpenID from a university can assert my
staff/student status
Some providers might even provide guarantees that OpenIDs belong to
specific people
Problems with OpenID
Phishing
lolcats ‘r’ us
Sign in with your OpenID for even more lolcats!
OpenID: Sign in
Fake edition
Username and password, please!
Your identity provider
Username:
Password:
Log in
Your account gets stolen
An untrusted site redirects you to your
trusted provider
PayPal, Google Checkout
Yahoo!, Flickr, Facebook
One solution: don’t let the user log in on the
identity provider “landing page”
Better solutions
Yahoo! sign-in seal
VeriSign SeatBelt (a browser extension)
Windows CardSpace
Competition between providers on security
Outsourcing the security of your users to a third party
OpenID is functionally equivalent to a lost password
e-mail mechanism
If e-mail is secure enough for your users’ authentication, then so is OpenID
In other cases, a whitelist of trusted providers may
make sense
Usability challenges
Many people have no idea what a URL is
(but they do know where their MySpace page is)
OpenID 2.0 introduces directed identity
Linking identities together
Identity projection
last.fm
Upcoming
XFN rel="me" lets me publicly point to my
accounts on other services
Portable contact lists
I don’t want to have to re-add my friends on every social application I use
But... I don’t want to automatically add my
high school friends to a business network
The correct model is pick-from-import:
show me a list of options and let me decide
The state of the art in contact import is asking for the user’s webmail
password
The contact import anti-pattern
The good way: XFN and FOAF
Public data, already published
The Google Social Graph API
A safe way to import private contacts?
oauth.net
Completing our decentralised social
network
The Facebook news feed
Flickr photos from your contacts
Your Twitter friends
Decentralised news feed?
XMPP (Jabber)
We have the ingredients
• OpenID
• OAuth
• XFN and FOAF
• XMPP
Now we just need to make the pie
People of Webstock!
• Go forth and implement OpenID
• Support these emerging standards
• Set your users free
http://openid.net/
http://www.openidenabled.com/
http://simonwillison.net/tags/openid/