1. The implications of
Simon Willison
Google Tech Talk, 25th June 2007

2. Who here has used
OpenID?

3. Who uses it regularly?

4. What is OpenID?

5. OpenID is a
decentralised mechanism
for Single Sign On

6. What problems
does it solve?

7. “Too many passwords!”

8. “Someone else already
grabbed my username”

9. “My online profile is
scattered across
dozens of sites”

10. What is an OpenID?

11. An OpenID is a URL

12. http://swillison.livejournal.com/

13. http://simonw.myopenid.com/

14. http://simonwillison.net/

15. http://openid.aol.com/simonwillison/

16. What can you do
with an OpenID?

17. You can claim
that you own it

18. You can prove
that claim

19. Why is that useful?

20. You can use it for
authentication

21. “Who the heck are you?!”

22. “I’m simonwillison.net”

23. “prove it!”

24. (magic happens)

25. “OK, you’re in!”

26. So it’s a bit like
Microsoft Passport,
then?

27. Yes, but you don’t need
to ask their permission
to implement it

28. And Microsoft
don’t get to own your
credentials

29. Who does get to
own them?

30. You, the user, decide.

31. You pick your own provider

32. (just like e-mail)

33. So I’m still giving
someone the keys
to my kingdom?

34. Yes, but it can be
someone you trust

35. If you have the ability to
run your own server
software, you can do it
for yourself.

36. OK, how do I use it?

42. So my users don’t
have to sign up for an
account?

43. Not necessarily

44. An OpenID tells you
very little about a user

45. You don’t know
their name

46. You don’t know
their e-mail address

47. You don’t know
if they’re a person
or an evil robot

48. (or a dog)

49. Where do I get that
information from?

50. You ask them!

51. OpenID can even help
them answer

56. How can I tell if they’re
an evil spambot?

57. Same as usual: challenge
them with a CAPTCHA

58. So how does OpenID
actually work?

61. <link rel=quot;openid.serverquot;
href=quot;http://www.myopenid.com/serverquot; />

62. “I’m simonwillison.myopenid.com”

63. Site fetches HTML,
discovers identity provider

64. Establishes shared secret
with identity provider
(Using Diffie-Hellman key exchange)

65. Redirects you to the
identity provider

66. If you’re logged in there,
you get redirected back

67. How does my identity
provider know who I am?

68. OpenID deliberately
doesn’t specify

69. username/password
is common

70. But providers can
use other methods if
they want to

71. Client SSL certificates

72. Out of band
authentication via SMS,
e-mail or Jabber

73. IP based login
restrictions

74. (one guy set that up
using DynDNS)

75. SecurID keyfobs

76. No authentication at all
(just say “Yes”)

77. Just say “yes”?

78. Yup. That’s the OpenID
version of bugmenot.com

79. http://www.jkg.in/openid/

80. Users can give away
their passwords today -
this is just the OpenID
equivalent

81. What if I decide I
hate my provider?

82. Use your own
domain name

83. Delegate to a
provider you trust

86. <link rel=quot;openid.serverquot;
href=quot;http://www.livejournal.com/openid/server.bmlquot;>
<link rel=quot;openid.delegatequot;
href=quot;http://swillison.livejournal.com/quot;>

87. Support for delegation
is compulsory

88. This minimises lock in

89. So everyone will end up
with one OpenID that
they use for everything?

90. Probably not

91. (I have half a dozen
OpenIDs already)

92. People like maintaining
multiple online personas

93. professional
social
secret
...

94. OpenID makes it easier
to manage multiple
online personas

95. Three accounts is still
better than three dozen

96. If an OpenID is just a URL, is
there anything else interesting
you can do with it?

97. Yes. Different OpenIDs can
express different things

98. My AOL OpenID proves
my AIM screen name

99. An OpenID from
sun.com proves that
someone is a current
Sun employee

100. A last.fm OpenID
could incorporate
my taste in music

101. My LiveJournal OpenID
tells you where to find
my blog

102. ... and a FOAF file
listing my friends

103. doxory.com uses this
for contact imports

104. Why is OpenID worth
implementing over all the
other identity standards?

105. It’s simple

106. Unix philosophy:
It solves one,
tiny problem

107. It’s a dumb network

108. Many of the competing
standards are now on
board

109. Isn’t putting all my
eggs in one basket
a really bad idea?

110. Bad news: chances are
you already do

111. “I forgot my password”
means your e-mail
account is already an
SSO mechanism

112. OpenID just makes this
a bit more obvious

113. What about phishing?

114. Phishing is a problem

115. I can has lolcats!? BETA
Make your own lolcats! lol
Sign in with your OpenID:
OpenID: Sign in
http://icanhascheezburger.com/2007/05/16/i-has-a-backpack/

116. Fake edition
Your identity provider
Username and password, please!
Username:
Password:
Log in

117. Identity theft :(

118. An untrusted site
redirects you to your
trusted provider

119. Sound familiar?

120. PayPal
Yahoo! BBAuth
Google Auth
Google Checkout

121. You guys already need
to solve that problem!

122. One solution: don’t let
the user log in on the
identity provider
“landing page”

124. Better solutions

125. CardSpace

126. Native browser support
for OpenID (e.g. SeatBelt)

127. Competition between
providers

128. Permanent cookie set
using out-of-band token

129. Best practices for
OpenID consumers?

130. “I forgot my password”
becomes “I can’t sign in
with my OpenID”

131. Allow multiple OpenIDs
to be associated with a
single account

132. People can still sign
in if one of their
providers is down

133. People can un-associate
an OpenID without
locking themselves out

134. You can take advantage
of site-specific services
around each of their
OpenIDs

135. Any other neat tricks?

136. Portable contact lists

137. Facebook (and others)
currently ask for the
user’s Google username
and password

138. I don’t need to tell you
why that’s a horrible idea

139. Lightweight accounts

140. Pre-approved accounts

141. Social whitelists

142. OpenID and
microformats

143. Decentralised social
networks?

144. “People keep asking me to join
the LinkedIn network, but I’m
already part of a network, it’s
called the Internet.”
Gary McGraw, via Jon Udell, via Gavin Bell

145. Doesn’t this outsource the
security of my users to
untrusted third parties?

146. Yes it does. But...

147. ... so do “forgotten
password” e-mails!

148. If e-mail is secure
enough for your user’s
authentication, so is
OpenID

149. Password e-mails are
essentially SSO with a
deliberately bad user
experience

150. What are the privacy
implications?

151. Cross correlation of
accounts

152. Don’t publish a user’s
OpenID without making
it clear that you’re going
to do that

153. Allow users to opt-out
of sharing their OpenID

154. The online equivalent of a
credit reporting agency?

155. This could be built today
by sites conspiring to
share e-mail addresses

156. IANAL, but legal
protections against this
already exist

157. “Directed identity” in
OpenID 2.0 makes it
easy to use a different
OpenID for every site

158. Patents?

159. Sun and VeriSign have
both announced
“patent covenants”

160. They won’t smack you
down with their patents
for using OpenID 1.1

161. They will smack down
anyone else who asserts
their own patents against
OpenID

162. Who else is involved?

163. (Slide borrowed from David Recordon)

164. AOL - provider, full
consumer by end of July

165. Microsoft: Bill Gates
expressed their interest
at the RSA conference

166. (mainly as good PR
for CardSpace?)

167. Sun: Patent Covenant,
33,000 employees

168. Six Apart

169. VeriSign

170. JanRain

171. Yahoo! - indirectly

173. Google?

174. http://openid.net/
http://www.openidenabled.com/
http://simonwillison.net/tags/openid/

175. Thank you