Simon Willison Webstock15th February 2008

and decentralisedsocial networks

One year ago...

AOL Supports OpenIDSymantec Unveils Consumer

Identity Strategy

OpenID Gets a Boost

From Microsoft

The last few weeks...

OpenID announces powerhouse

board: MSFT, GOOG, IBM, others

Yahoo! backs! OpenID!

OpenID Foundation Co-opts

Google, Microsoft And Yahoo

http://www.flickr.com/photos/87846746@N00/2235550137/

?

or

who will save us from

Decentralised social networks

The username and password problem

What’s my password again?

What’s myusername again?

The Web needsSingle Sign On

?

?Windows Live ID

SSO with a single controlling authoritybetrays the principles

of the Web

OpenID is a decentralised mechanism

for Single Sign On

It’s like e-mail - no one company controls it, but users with different e-mail providers can still

talk to each other

An OpenID is a URL(an identifier)

http://swillison.livejournal.com/

http://simonw.myopenid.com/

http://simonwillison.net/

http://openid.aol.com/simonwillison/

URLs are globally unique

The OpenID protocol lets you prove that you

own a specific URL

Which means an OpenID can be used as an

authentication credential

“Who are you?”

“I’m simonwillison.net”

“prove it!”

(magic happens)

“OK, you’re in!”

Picking an OpenID is like picking an e-mail provider - you find a

company that you trust

Or if you have the ability to run your own server software, you can do it

for yourself

(mobile phones can run web servers now)

How to use OpenID

?What happens tomy organisation’s

user account database?

OpenID augments existing account

mechanisms; it does not replace them

The first time you see a specific OpenID, you create

an account for that user

OpenID can even help userscreate their initial profile

OpenID 1.1: Simple Registration

OpenID 2.0: Attribute Exchange

?So how does OpenIDactually work?

<link rel="openid.server" href="http://www.myopenid.com/server" />

“I’m simonwillison.myopenid.com”

Site fetches HTML,discovers identity provider

Establishes shared secretwith identity provider

(Using Diffie-Hellman key exchange)

Redirects you to the identity provider

If you’re logged in there, you get redirected back

(Discovery in OpenID 2.0 is more complicated, but the concept is much the same)

?How does my identityprovider know who I am?

OpenID deliberately doesn’t specify

username/passwordis the most common

But providers can use other methods if

they want to

Client SSL certificates

Out of band authentication via SMS,

e-mail or Jabber

Hardware tokens

Vidoop.com

?Will everyone end upwith one OpenID that

they use for everything?

Almost certainly not

(I have half a dozen OpenIDs already)

People like maintaining multiple online personas

professionalsocialsecret

...

OpenID makes it easier to manage multiple

online personas

Three accounts is much better than three dozen

An OpenID provider can provide more than

just an OpenID

My AOL OpenID incorporates my AIM

screen name

An OpenID from sun.com proves that someone is a current

Sun employee

An OpenID from a university can assert my

staff/student status

Some providers might even provide guarantees that OpenIDs belong to

specific people

Problems with OpenID

Phishing

lolcats ‘r’ us

Sign in with your OpenID for even more lolcats!

OpenID: Sign in

http://www.flickr.com/photos/duygu/115528187/

http://www.flickr.com/photos/earthandeden/395466458/

http://www.flickr.com/photos/endbradley/306280569/

Fake edition

Username and password, please!

Your identity provider

Username:

Password:Log in

Your accountgets stolen

An untrusted site redirects you to your

trusted provider

PayPalGoogle Checkout

Yahoo!, Flickr, Facebook

One solution: don’t let the user log in on the

identity provider “landing page”

Better solutions

Yahoo! sign-in seal

VeriSign SeatBelt (a browser extension)

Windows CardSpace

Competition between providers on security

?Outsourcing the security of your users

to a third party

OpenID is functionally equivalent to a lost password

e-mail mechanism

If e-mail is secure enough for your user’s authentication,

then so is OpenID

In other cases, a whitelist of trusted providers may

make sense

Usability challenges

Many people haveno idea what a URL is

(but they do know wheretheir MySpace page is)

OpenID 2.0 introduces directed identity

Linking identities together

Identity projection

last.fm

Upcoming

XFN rel="me" lets me publicly point to my

accounts on other services

Portable contact lists

I don’t want to have to re-add my friends on every social application I use

But... I don’t want to automatically add my

high school friends to a business network

The correct model is pick-from-import:

show me a list of options and let me decide

The state of the art in contact import is asking for the user’s webmail

password

The contact import anti-pattern

The good way: XFN and FOAFPublic data, already published

The Google Social Graph API

A safe way to import private contacts?

oauth.net

Completing our decentralised social

network

The Facebook news feed

Flickr photos from your contacts

Your Twitter friends

Decentralised news feed?

XMPP(Jabber)

We have the ingredients

• OpenID

• OAuth

• XFN and FOAF

• XMPP

Now we just need to make the pie

People of Webstock!

• Go forth and implement OpenID

• Support these emerging standards

• Set your users free

http://openid.net/

http://www.openidenabled.com/

http://simonwillison.net/tags/openid/