OpenID - what is it, and what does it mean to me?
TRANSCRIPT
What is it ... and what does it mean to me?
David [email protected] 9 Aug 2007
What's this about?
Learn about what OpenID is.
See how web identity systems are changing.
Hopefully be convinced that it's a good thing!
What is OpenID?
OpenID is an open, decentralized, free framework for user-centric digital identity.
(from OpenID.net)
(...for the Web)
(...for Web 2.0)
What is an OpenID?
http://dno.myopenid.com
or
http://openid.eduserv.org.uk/dno
An OpenID is itself a web entity.
It's an identity system using Web technologies.
It's scalable.
It's elegant and really simple!
Open and Decentralised
The 3 key qualities...
(1) No one provider holds key to the OpenID network.
A sustainable foundation to the system, with the user in control.
(2) Pervasively Open Source.
Providers don't have to worry about technology and vendor lock-in.
(3) Light-weight enough to be 'layered' with other technologies.
What's in an OpenID?
http://dno.myopenid.com
me
my identity provider
Why users should care...
A user can choose who holds their identity.
http://openid.net/wiki/index.php/OpenIDServers
lists around 60 providers.
Or your employer or college might provide one.
Why not run your own?
Users get single sign on between resources.
- common username
- common password
- sign on once
(or client certificates: MyOpenID / certifi.ca)
Their credentials are only stored by their identity provider(s).
Users can easily register for services.
OpenID has a 'simple registration extension'.
Easy registration for light-weight purposes, like posting comments on blogs.
Better than persistent cookies.
Can associate an OpenID with an existing account.
Users can choose their identity
dno.myopenid.com
I'm not forced to use
'dno34562' at someconsumer.com and 'dno234' at someotherconsumer.com
Even better if I am my identity provider
OK, this sounds great, but...
A URL as an identity?
Isn't a URL a counter-intuitive form of identity?
Perhaps, but think of a blog, or MySpace... a URL is very much an identity.
A URL can imply more....
http://openid.eduserv.org.uk/dno
I am an employee of Eduserv
In theory, a URL says much more...
An OpenID is much richer than a username in what it can say (or imply) about a user.
Can delegate your identity from any URL: eg. your blog.
An OpenID is globally unique so could form the basis of decentralised social networks.
Add support for microformats...xfn, hCard, MicroID?
Check out... http://microformats.org http://microid.org http://simonwillison.net
What about privacy?
Identity vs Privacy
OpenID does not solve problems around privacy.
Again, keep in mind the context here: Web 2.0, social networks and the blogosphere.
Phishing
A 'bad' consumer can easily perform a phishing attack.
OpenID does not necessarily make things better or worse!
Set your identity provider as your homepage or a bookmark and sign in first.
Verisign PIP SeatBelt Firefox extension
Firefox 3 to have 'OpenID support'
Trust!
2 schools of thought....
(though not necessarily mutually exclusive)
(1)
OpenID is what it is because it doesn't do trust.
Consumers and identity providers need no prior agreements.
Ad-hoc trust can still be achieved.
This is not a trust system. Trust requires identity first.
(from OpenID.net)
(2)
OpenID is simple and is there to be built on. Adding trust is a natural extension.
Consumers can white-list 'good' identity providers.
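The delegation and white-listing ideas above, seen from the consumer's side, as an added example that is not from the original slides: it reads the OpenID 1.x `openid.server` and `openid.delegate` link tags from a page's head and accepts the provider only if its host is on an allow-list. The allow-list contents, the HTTPS requirement and the sample pages are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: hosts this consumer chooses to accept as identity providers.
TRUSTED_PROVIDER_HOSTS = {"www.myopenid.com", "openid.eduserv.org.uk"}

class HeadLinks(HTMLParser):
    """Collect OpenID 1.x discovery <link> tags, but only from the first <head>."""
    def __init__(self):
        super().__init__()
        self.state = "before"          # before -> in -> after (never back)
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head" and self.state == "before":
            self.state = "in"
        elif tag == "body":
            self.state = "after"       # markup in the body is user-influenced
        elif tag == "link" and self.state == "in":
            a = dict(attrs)
            for rel in (a.get("rel") or "").lower().split():
                if rel in ("openid.server", "openid.delegate") and a.get("href"):
                    self.links.setdefault(rel, a["href"].strip())

    def handle_endtag(self, tag):
        if tag == "head":
            self.state = "after"

def discover(html):
    """Return (provider endpoint, delegated identifier) declared by the page."""
    parser = HeadLinks()
    parser.feed(html)
    return parser.links.get("openid.server"), parser.links.get("openid.delegate")

def provider_allowed(html):
    """True only if the declared endpoint is HTTPS on an exactly matching host."""
    server, _ = discover(html)
    if not server:
        return False
    url = urlsplit(server)
    return url.scheme == "https" and url.hostname in TRUSTED_PROVIDER_HOSTS

# Constructed sample pages (not captured from any real site).
BLOG = ('<html><head><link rel="openid.server" href="https://www.myopenid.com/server">'
        '<link rel="openid.delegate" href="http://dno.myopenid.com/"></head>'
        '<body>my blog</body></html>')
LOOKALIKE = BLOG.replace("www.myopenid.com/", "www.myopenid.com.evil.example/")
INJECTED = ('<html><head><title>blog</title></head><body><link rel="openid.server" '
            'href="https://www.myopenid.com/server"></body></html>')
```

Matching the parsed hostname exactly, rather than searching the URL for a trusted name, is what rejects the look-alike endpoint; ignoring link tags outside the head keeps markup posted into a page body from redirecting discovery.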
Relations with SAML/Shibboleth
Don't they address the same thing?
Can co-exist.
OpenID comes from a different angle, for different applications and for non-specific user-bases.
Open Standards and Patents
Patents => not so Open?
Sun, Verisign and JanRain have all issued patent-covenants: patents will not be enforced against implementations of OpenID.
So, who's using it?
All AOL users have an OpenID (even if they don't know it).
63 million users.
All 33 000 Sun employees.
digg.com announced support.
General theme is that there are more providers than consumers.
http://openid.net (Specifications)
http://www.openiddirectory.com/ (Directory of resources)
http://www.openidenabled.com/ (OpenID implementations)