simon willison @ fowa feb 07

The Future of OpenID Simon Willison The Future of Web Apps February 21st, 2007

Upload: carsonsystems

Post on 28-Jan-2015


DESCRIPTION

Simon Willison speaking about Open ID at Future of Web Apps in London, February 2007.

TRANSCRIPT

Page 1: Simon Willison @ FOWA Feb 07

The Future of OpenID

Simon Willison

The Future of Web Apps

February 21st, 2007

Page 2: Simon Willison @ FOWA Feb 07
Page 3: Simon Willison @ FOWA Feb 07

AOL Supports OpenID

Symantec Unveils Consumer Identity Strategy

OpenID Gets a Boost From Microsoft

Page 4: Simon Willison @ FOWA Feb 07

Last night on TechCrunch:

It’s definitely time to declare OpenID a winner and the hope for making a single-sign on world a reality.

Page 5: Simon Willison @ FOWA Feb 07

• What problems does OpenID solve?

• How does it work?

• What Cool Stuff can you build with it?

• What’s wrong with it?

Page 6: Simon Willison @ FOWA Feb 07

Web authentication sucks!

What’s my username again?

What’s my password again?

Page 7: Simon Willison @ FOWA Feb 07

Web authentication sucks!

Which e-mail address did I sign up with again?

Page 8: Simon Willison @ FOWA Feb 07

[Screenshot: Yahoo! registration form ("Create Your Yahoo! ID") with required fields for first name, last name, preferred content, gender, Yahoo! ID, password, security question and answer, birthday and ZIP/postal code, followed by a registration verification code and the Terms of Service agreement]

Page 9: Simon Willison @ FOWA Feb 07

• Too many usernames

• Too many passwords

• Too many forms!

Page 10: Simon Willison @ FOWA Feb 07
Page 11: Simon Willison @ FOWA Feb 07

Single Sign-On will save us!

Page 12: Simon Willison @ FOWA Feb 07

Would you trust these men with your identity?

Page 13: Simon Willison @ FOWA Feb 07

Maybe you trust these people

http://www.flickr.com/photos/jacksonwest/94738765/

Page 14: Simon Willison @ FOWA Feb 07

But what if they turn evil?

Page 15: Simon Willison @ FOWA Feb 07

Single Sign-On without a Single Point-of-Control?

Page 16: Simon Willison @ FOWA Feb 07
Page 17: Simon Willison @ FOWA Feb 07

• Decentralised - you pick who you want to manage your identity

• Your identity is a URL

• e.g. swillison.livejournal.com

Page 18: Simon Willison @ FOWA Feb 07

• Single Sign-On by entering just your username

• What about account creation?

• Do we still have to fill out a form?

Page 19: Simon Willison @ FOWA Feb 07

So how does it work?

Page 20: Simon Willison @ FOWA Feb 07
Page 21: Simon Willison @ FOWA Feb 07
Page 22: Simon Willison @ FOWA Feb 07

<link rel="openid.server" href="http://www.myopenid.com/server" />

Page 23: Simon Willison @ FOWA Feb 07

Cryptography happens

If you want the details, read the spec

Page 24: Simon Willison @ FOWA Feb 07

Screw LiveJournal and MyOpenID! This is meant to be decentralised!

Page 25: Simon Willison @ FOWA Feb 07
Page 26: Simon Willison @ FOWA Feb 07
Page 27: Simon Willison @ FOWA Feb 07

<link rel="openid.server" href="http://www.livejournal.com/openid/server.bml">
<link rel="openid.delegate" href="http://swillison.livejournal.com/">
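How a relying party could read the two tags above from a user's own page, as an added example that is not part of the original slides. The page URL `http://example.org/` and the sample HTML are constructed; the parser only honours `<link>` elements inside `<head>`, so markup placed in body content (for instance by a commenter) cannot redirect discovery.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

WANTED = ("openid.server", "openid.delegate")


class _HeadLinks(HTMLParser):
    """Collect openid.* <link> elements that appear inside <head> only."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "body":
            self.in_head = False  # anything after <body> is not trusted
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            for rel in (a.get("rel") or "").lower().split():
                if rel in WANTED and a.get("href"):
                    self.links.setdefault(rel, a["href"].strip())  # first wins

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def discover(claimed_url, html):
    """Return (server, identity_to_verify) or raise ValueError."""
    parser = _HeadLinks()
    parser.feed(html)
    server = parser.links.get("openid.server")
    if not server:
        raise ValueError("no openid.server link in <head>")
    if urlsplit(server).scheme not in ("http", "https"):
        raise ValueError("openid.server is not an http(s) URL")
    # With delegation the provider vouches for the delegate URL, while the
    # relying party keeps treating claimed_url as the user's identity.
    return server, parser.links.get("openid.delegate", claimed_url)


# Constructed sample: the slide's tags in <head>, a stray tag in <body>.
SAMPLE = """<html><head><title>My site</title>
<link rel="openid.server" href="http://www.livejournal.com/openid/server.bml">
<link rel="openid.delegate" href="http://swillison.livejournal.com/">
</head><body>
<link rel="openid.server" href="http://elsewhere.example/server">
</body></html>"""
```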

Page 28: Simon Willison @ FOWA Feb 07

Who provides OpenID?

Page 29: Simon Willison @ FOWA Feb 07

• SixApart: LiveJournal, Vox, TypeKey

• VeriSign PIP

• MyOpenID.com

• ClaimID.com

• AOL

• Digg - coming soon!

Page 30: Simon Willison @ FOWA Feb 07

• OpenID doesn’t dictate the authentication method used by OpenID providers

• Jabber authentication

• Secure browser certificates

• RSA keyfobs

• DynDNS to bind to your IP

Page 31: Simon Willison @ FOWA Feb 07

If you provide an authentication API but don’t support OpenID, someone else will support it for you.

Page 32: Simon Willison @ FOWA Feb 07

One obvious reason to support OpenID

Page 33: Simon Willison @ FOWA Feb 07

Startup fatigue

• TechCrunch links to dozens of new startups every week

• TechCrunch readers aren’t going to create dozens of new accounts every week

Page 34: Simon Willison @ FOWA Feb 07

Dumb networks

Page 35: Simon Willison @ FOWA Feb 07

• The Internet is a dumb network

• It gets packets from A to B

• It’s up to A and B (the applications) to do the smart stuff

• The intelligence is on the edges

Page 36: Simon Willison @ FOWA Feb 07

• OpenID is a dumb network

• It lets X tell Y that Z can prove ownership of a URL

• It’s up to X and Y to do the smart stuff

• The intelligence is on the edges

Page 37: Simon Willison @ FOWA Feb 07

What can we build with OpenID that we couldn’t build before?

Page 38: Simon Willison @ FOWA Feb 07

Light-weight accounts

• Any application that people normally wouldn’t bother to create an account for

• Use OpenID to extend the lifetime of cookies

Page 39: Simon Willison @ FOWA Feb 07

Pre-approved accounts

E-mail a friend and say:

“I’ve added you as an author to the blog I set up for our band”

Page 40: Simon Willison @ FOWA Feb 07

Corporate SSO

• You can use OpenID behind the firewall

• username.internal.example.com

• Restrict your applications to only accepting OpenIDs of that format
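One way to enforce the format restriction above, as an added example that is not part of the original slides. The function names, the allowed ports and the sample URLs are assumptions; the point is that the check has to compare the parsed host, because a substring match on the URL string also accepts look-alike identifiers.

```python
import re
from urllib.parse import urlsplit

SUFFIX = ".internal.example.com"  # format shown on the slide
LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")  # one DNS label


def naive_check(openid_url):
    """Weak form: substring match on the whole URL string."""
    return "internal.example.com" in openid_url


def is_corporate_openid(openid_url):
    """Strict form: exactly <username>.internal.example.com as the host."""
    try:
        parts = urlsplit(openid_url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False  # no userinfo component before the host
    if port not in (None, 80, 443):  # assumption: default ports only
        return False
    host = parts.hostname or ""  # urlsplit lowercases the host
    if not host.endswith(SUFFIX):
        return False
    return LABEL.fullmatch(host[: -len(SUFFIX)]) is not None


# Constructed identifiers: the first is the intended format, the rest
# merely contain the corporate domain somewhere in the string.
SAMPLES = [
    "http://alice.internal.example.com/",
    "http://internal.example.com.elsewhere.example/",
    "http://elsewhere.example/internal.example.com",
    "http://alice.internal.example.com@elsewhere.example/",
    "http://a.b.internal.example.com/",
]


def compare(urls=SAMPLES):
    """Return (url, naive_result, strict_result) for each identifier."""
    return [(u, naive_check(u), is_corporate_openid(u)) for u in urls]
```

Apply the check to the identifier the OpenID exchange actually verified, not to the string the user typed into the login box.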

Page 41: Simon Willison @ FOWA Feb 07

OpenID and Microformats

• hCard

• Your OpenID can embed your public contact details

• XFN

• You can import a user’s contacts by introspecting their OpenID

Page 42: Simon Willison @ FOWA Feb 07

Site-specific OpenID hacks

• "Log in with your LiveJournal OpenID and we'll import your LJ contacts"

• "Log in with your AOL OpenID and we'll send you updates over AIM"

Page 43: Simon Willison @ FOWA Feb 07

Social whitelists

• Came from discussions around moderation with Tom Coates

• Publish a list of the OpenIDs that you trust to comment on your blog without needing moderation

• Syndicate the trusted whitelists from your friends

Page 44: Simon Willison @ FOWA Feb 07

Jyte

Page 45: Simon Willison @ FOWA Feb 07
Page 46: Simon Willison @ FOWA Feb 07
Page 47: Simon Willison @ FOWA Feb 07
Page 48: Simon Willison @ FOWA Feb 07

Jyte group export

• You can export a Jyte group as a simple whitelist-style list of OpenIDs

• You could manage an invite-only group using Jyte, then hook that in to another site’s authentication mechanism

Page 49: Simon Willison @ FOWA Feb 07

Decentralised social networks

Page 50: Simon Willison @ FOWA Feb 07

What sucks about OpenID

Page 51: Simon Willison @ FOWA Feb 07

Phishing

Page 52: Simon Willison @ FOWA Feb 07

Kitten Overload!

More Kittens!

Page 53: Simon Willison @ FOWA Feb 07

Kitten Overload!

FAKE

Identity theft! :(

Page 54: Simon Willison @ FOWA Feb 07

idproxy.net

Page 55: Simon Willison @ FOWA Feb 07

myopenid.com

Page 56: Simon Willison @ FOWA Feb 07

CardSpace

Page 57: Simon Willison @ FOWA Feb 07

Competition

• Providers can compete on their defences against phishing

• This is a problem that can be solved at the edges

Page 58: Simon Willison @ FOWA Feb 07

What if my provider goes down?

Page 59: Simon Willison @ FOWA Feb 07

One for the applications

• This is a similar problem to password recovery

• E-mail the user a reset token

• Allow users to associate multiple OpenIDs with their account

Page 60: Simon Willison @ FOWA Feb 07

Privacy!

Page 61: Simon Willison @ FOWA Feb 07

a.k.a.

“I don’t want my boss to know that I’m a furry”

Page 62: Simon Willison @ FOWA Feb 07
Page 63: Simon Willison @ FOWA Feb 07

Use multiple OpenIDs!

Page 64: Simon Willison @ FOWA Feb 07

People have been managing multiple online identities since the Internet began

Page 65: Simon Willison @ FOWA Feb 07

OpenID is hard to explain

Page 66: Simon Willison @ FOWA Feb 07

If it takes 30 minutes to explain it to a room full of geeks, what chance has anyone else got?

Page 67: Simon Willison @ FOWA Feb 07

Your help needed!

(Or if you like, this is an Exciting Business Opportunity)

Page 68: Simon Willison @ FOWA Feb 07

[Screenshot: YourID.name home page (Copyright GNR Labs 2007), offering a personalized .name address and e-mail address with an identity management service using OpenID and an optional personal webpage aggregator powered by Pageflakes, free for 90 days]

Page 69: Simon Willison @ FOWA Feb 07

Don’t just implement OpenID

Innovate with it

Page 70: Simon Willison @ FOWA Feb 07

Thank you!