OpenID Overview - Seoul July 2007
Transcript of OpenID Overview - Seoul July 2007
![Page 2: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/2.jpg)
Who am I?
David Recordon
VeriSign Employee since May of 2006
OpenID Foundation Vice-Chair
Co-Author of various OpenID specifications
Past employee of Six Apart, where OpenID was created
![Page 3: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/3.jpg)
Web 2.0
![Page 4: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/4.jpg)
What is Web 2.0?
Users in control
Data sharing
Social collaboration
Lightweight business models
Perpetual beta
Application platform
The Long Tail
![Page 5: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/5.jpg)
The Long Tail
![Page 6: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/6.jpg)
The 80% tail matters
Virtual shelf space is limitless
For the Economists
"We sold more books today that didn't sell at all yesterday than we sold today of all the books that did sell yesterday." (Amazon.com)
http://longtail.typepad.com/the_long_tail/2005/01/definitions_fin.html
![Page 7: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/7.jpg)
For Everyone Else
Mass social networks vs. niche social networks
Allows access to information that otherwise would be "unimportant"
Delivered content vs. discovered content
Found by me
Recommended by my friends
![Page 8: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/8.jpg)
![Page 9: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/9.jpg)
What is OpenID?
Single sign-on for the web
Simple and light-weight (not going to replace your bank card PIN)
Easy to use and deploy
Built upon proven existing technologies (DNS, HTTP, SSL/TLS, Diffie-Hellman)
Decentralized (no single point of failure in the protocol)
Free!
![Page 10: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/10.jpg)
An OpenID is a URI
URLs are globally unique and ubiquitous
OpenID allows proving ownership of a URI
People already have identity at URLs via blogs, photos, MySpace, Facebook, DAUM, etc.
![Page 11: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/11.jpg)
Problems it Solves
Too many usernames and passwords
or the lack of different passwords
Someone took my desired username
My online profile is spread across the Internet without my control
and I can't benefit from it when I go somewhere new
Account management is hard to do right
![Page 12: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/12.jpg)
How Does it Work?
![Page 13: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/13.jpg)
My OpenID
"openid.server" points to my OpenID Provider
![Page 14: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/14.jpg)
1. Site fetches the HTML of my OpenID
2. Finds "openid.server"
3. Establishes a shared secret with the Provider
4. Redirects my browser to the Provider where I authenticate and allow the OpenID login
5. Provider redirects my browser back to the site with an OpenID response
6. Site verifies the signature and logs me in
![Page 15: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/15.jpg)
DEMO: Using OpenID
![Page 16: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/16.jpg)
"Hasn't this been done before?"
Great for the enterprise
Centralized Centralized
![Page 17: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/17.jpg)
History
![Page 18: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/18.jpg)
History 2005 & 2006
Created by Brad Fitzpatrick (Summer 2005)
Yadis Discovery protocol (Jan 2006)
VeriSign launches OpenID Provider (May)
Convergence with i-names (July)
Convergence with Sxip (Aug.)
$50,000 USD Developer Bounty (Aug.)
Technorati adopts OpenID (Oct.)
Tutorials by Simon Willison (Dec.)
![Page 19: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/19.jpg)
History Q1 2007
Mozilla announces intent to support OpenID in Firefox 3 (Jan.)
Microsoft support expressed by Bill Gates and Craig Mundie at RSA Conference keynote (Feb.)
AOL adds OpenID to every one of their ~60M accounts (Feb.)
Symantec announces upcoming OpenID products (Feb.)
Digg and NetVibes announce OpenID support (Feb.)
Wordpress.com and 37Signals adopt OpenID (March)
USA Today publishes OpenID article on the Money section front page (March)
![Page 20: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/20.jpg)
History Q2 2007
Plone 3.0 ships with OpenID support (May)
Sun Microsystems adopts OpenID in enterprise product and provides employees with OpenID (May)
livedoor adds OpenID support (May)
OpenID wins Next Web Award (June)
Leo Laporte and Steve Gibson discuss OpenID (June)
OpenID wins CNET Webware 100 award (June)
Atlassian (makers of enterprise wiki software) supports OpenID (June)
Drupal 6 ships with OpenID support (June)
![Page 21: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/21.jpg)
The OpenID Foundation
![Page 22: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/22.jpg)
The purpose of the OpenID Foundation is to foster and promote the development
and adoption of OpenID as a framework for user-centric identity on the Internet.
![Page 23: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/23.jpg)
Founding Board
Scott
Dick
Johannes
David Recordon
Martin
Drummond
Bill Washburn, Executive Director
Artur
![Page 24: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/24.jpg)
Current Efforts
Develop an IPR policy and process for OpenID specifications to keep OpenID free and patent-unencumbered
Develop a trademark policy that supports the extended OpenID community
Develop core messaging for OpenID and websites oriented toward developers, users, and other potential adopters
Coordinate worldwide joint marketing and evangelism
![Page 25: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/25.jpg)
Adoption Trends
![Page 26: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/26.jpg)
~120 million OpenIDs (including every AOL and livedoor user)
OpenID 1.1 - Estimated from various services
![Page 27: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/27.jpg)
Total Relying Parties (aka places you can login with OpenID)
[Chart: OpenID 1.1 relying parties as viewed by MyOpenID.com, monthly from Sep '05 through July '07 (last point July 16), y-axis 0 to 4,000; annotated growth events: "Sxip / Bounty", "MSFT & AOL", "Web 2.0 Expo"]
![Page 28: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/28.jpg)
![Page 29: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/29.jpg)
Key Benefits
![Page 30: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/30.jpg)
Users
Fewer usernames and passwords to remember
Ability to strongly protect your accounts anywhere OpenID is accepted
Globally unique, "is that the same David?"
Ability to create a reputation that can be taken with you from site to site
Ability to know where you've shared information
![Page 31: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/31.jpg)
Relying Parties
Simplified account creation
Users don't need to create a new password
Easy to ask for, or discover, profile information
Simplified account management
No more forgotten passwords
OpenID Provider specifics, such as being able to IM an AOL OpenID user, or knowing that a Sun OpenID user is a current employee
![Page 32: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/32.jpg)
Creating an OpenID
English: pip.VeriSignLabs.com, MyOpenID.com
Korean: www.idtail.com, www.myid.net, www.idpia.com, www.ohmyid.com
Japanese: www.openid.ne.jp
http://openid.net/wiki/index.php/OpenIDServers
![Page 33: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/33.jpg)
Done!
Time to create an OpenID:
~1 minute
and you may already have one
![Page 34: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/34.jpg)
DEMO: Creating an OpenID on your own domain
![Page 35: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/35.jpg)
Configure Delegation
```html
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>David Recordon</title>
<style>
  div { text-align: center; color: #C0C0C0; }
  img { border: 0px; }
  a { color: #C0C0C0; }
</style>
<!-- openid.server: the OpenID Provider that authenticates this URL -->
<link rel="openid.server" href="https://jpip.verisignlabs.com/server" />
<!-- openid.delegate: the identifier the Provider actually knows me by -->
<link rel="openid.delegate" href="https://recordond.jpip.verisignlabs.com" />
</head>
```
(source of www.davidrecordon.com)
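Steps 1, 2 and 4 of "How Does it Work?", together with the delegation markup above, as an added example (not code from the presentation or from any OpenID library). It parses the `openid.server` and `openid.delegate` links out of an identity page and builds the `checkid_setup` redirect that sends the browser to the Provider. The sample page is the davidrecordon.com snippet from the slides; the relying-party URLs (`rp.example`) are constructed placeholders, and the function names are mine.

```python
"""Relying-party discovery for OpenID 1.1 HTML-based identifiers (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlencode, urlparse

# Identity page as shown on the "Configure Delegation" slide.
SAMPLE_HTML = """<html xmlns="http://www.w3.org/1999/xhtml"><head><title>David Recordon</title>
<link rel="openid.server" href="https://jpip.verisignlabs.com/server" />
<link rel="openid.delegate" href="https://recordond.jpip.verisignlabs.com" />
</head></html>"""


class _OpenIDLinkParser(HTMLParser):
    """Collects href values of openid.* <link> tags found inside <head>."""

    def __init__(self):
        super().__init__()
        self.links = {}
        self._in_head = False

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self._in_head = True
        if tag == "link" and self._in_head:
            a = dict(attrs)
            rel = (a.get("rel") or "").strip().lower()
            href = (a.get("href") or "").strip()
            for token in rel.split():
                # First occurrence wins, as a browser-style parser would do.
                if token.startswith("openid.") and href and token not in self.links:
                    self.links[token] = href

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False


def discover(claimed_id, html):
    """Steps 1-2: return (provider_endpoint, identity_to_send), or None.

    With openid.delegate present, the Provider is asked about the delegate
    URL; the user-facing claimed identifier stays claimed_id.
    """
    parser = _OpenIDLinkParser()
    parser.feed(html)
    server = parser.links.get("openid.server")
    if not server or urlparse(server).scheme.lower() not in ("http", "https"):
        return None  # no endpoint, or one we would never redirect a browser to
    return server, parser.links.get("openid.delegate", claimed_id)


def build_checkid_setup_url(server, identity, return_to, trust_root):
    """Step 4: the redirect that takes the browser to the Provider.

    No assoc_handle is sent here; without an association the RP later
    verifies the response through check_authentication (stateless mode).
    """
    params = {
        "openid.mode": "checkid_setup",
        "openid.identity": identity,
        "openid.return_to": return_to,
        "openid.trust_root": trust_root,
    }
    return server + ("&" if "?" in server else "?") + urlencode(params)


if __name__ == "__main__":
    endpoint, identity = discover("http://www.davidrecordon.com/", SAMPLE_HTML)
    print(build_checkid_setup_url(endpoint, identity,
                                  "https://rp.example/openid/return", "https://rp.example/"))
```

The scheme check matters because the `openid.server` value comes from a page the RP fetched from an arbitrary URL: the RP is about to redirect the user's browser there, so it should refuse anything that is not plain HTTP(S).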
![Page 36: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/36.jpg)
Done!
Time to create an OpenID on your own domain:
~5 minutes
![Page 37: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/37.jpg)
Security and Trust
![Page 38: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/38.jpg)
Protocol Security
Use SSL correctly throughout the protocol
Protects against man-in-the-middle and eavesdropping attacks
Generate strong MAC keys and re-negotiate as needed
Used to verify data integrity and authenticity of OpenID responses
Verify NONCEs
Protects against replay attacks
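The MAC-key and nonce checks above, and step 6 of "How Does it Work?", as an added example (not code from the presentation or from any OpenID library). The key-value form and signature layout follow OpenID Authentication 2.0 section 6 with an HMAC-SHA256 association; the MAC key, association handle, URLs, nonce and clock are constructed for this example, and the function names are mine.

```python
"""Verifying an OpenID positive assertion (id_res) at the Relying Party (added example)."""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

MAC_KEY = bytes(range(32))          # constructed 256-bit association secret (step 3)
ASSOC_HANDLE = "example-assoc-1"    # constructed association handle
NONCE_MAX_AGE = timedelta(minutes=5)
FIXED_NOW = datetime(2007, 7, 1, 9, 1, tzinfo=timezone.utc)  # constructed clock
RETURN_TO = "https://rp.example/openid/return"              # constructed RP URL


def kv_form(fields, keys):
    """Key-value form over the signed keys, in the order openid.signed lists them."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in keys)


def sign(fields, mac_key):
    """base64(HMAC-SHA256(mac_key, kv_form)), the value the Provider puts in openid.sig."""
    keys = fields["openid.signed"].split(",")
    mac = hmac.new(mac_key, kv_form(fields, keys).encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


class NonceStore:
    """Remembers nonces seen within NONCE_MAX_AGE so each response is accepted once."""

    def __init__(self, now=None):
        self.seen = set()
        self._now = now  # fixed clock for tests; None means wall clock

    def now(self):
        return self._now or datetime.now(timezone.utc)

    def accept(self, nonce):
        """True the first time a fresh, well-formed nonce is presented."""
        if not nonce or len(nonce) > 255 or nonce in self.seen:
            return False
        try:  # the nonce starts with a UTC timestamp, e.g. 2007-07-01T09:00:00Z
            ts = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            return False
        age = self.now() - ts
        if age > NONCE_MAX_AGE or age < -NONCE_MAX_AGE:
            return False  # outside the window we keep nonces for, or a bad clock
        self.seen.add(nonce)
        return True


def verify_response(fields, mac_key, nonces, expected_return_to=RETURN_TO):
    """Step 6 of the slides: True only for a signed, fresh response meant for us."""
    if fields.get("openid.mode") != "id_res":
        return False
    if fields.get("openid.return_to") != expected_return_to:
        return False
    if fields.get("openid.assoc_handle") != ASSOC_HANDLE:
        return False  # unknown handle: would need check_authentication instead
    signed = fields.get("openid.signed", "").split(",")
    # Every field we act on must be under the signature, and every signed field present.
    for required in ("op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"):
        if required not in signed:
            return False
    if any("openid." + k not in fields for k in signed):
        return False
    if not hmac.compare_digest(sign(fields, mac_key), fields.get("openid.sig", "")):
        return False
    # Only a correctly signed message may consume a nonce.
    return nonces.accept(fields["openid.response_nonce"])


def sample_response(nonce="2007-07-01T09:00:00Zabc123", identity="https://alice.example/"):
    """Constructed positive assertion, signed with MAC_KEY as the Provider would."""
    f = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/server",
        "openid.claimed_id": identity,
        "openid.identity": identity,
        "openid.return_to": RETURN_TO,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": ASSOC_HANDLE,
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    f["openid.sig"] = sign(f, MAC_KEY)
    return f


if __name__ == "__main__":
    store = NonceStore(now=FIXED_NOW)
    print(verify_response(sample_response(), MAC_KEY, store))  # True
    print(verify_response(sample_response(), MAC_KEY, store))  # False: replayed nonce
```

Two ordering choices carry the security weight: the signature is checked before the nonce is recorded, so an unsigned forgery cannot burn a nonce that the real response will need, and the list of signed fields is checked against the fields the RP relies on, so a Provider (or an attacker in the middle) cannot leave `identity` or `return_to` outside the MAC.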
![Page 39: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/39.jpg)
Trust
Challenge them via a CAPTCHA or email verification
Use whitelists and blacklists
Ask someone else whom you trust
"Trust first requires identity" - Brad Fitzpatrick
OpenID does not tell you if a user is good, bad, or even human
![Page 40: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/40.jpg)
Scaling Up OpenID
OpenID Provider Authentication Policy Extension, draft published June 2006
Relying Parties can ask for authentication policies such as "phishing resistant" or "multi-factor"
Providers can respond with policies the user complied with, time since they authenticated, and strength of the credential(s) used per NIST guidelines
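The request/response exchange described above, as an added example (not from the slides or from any PAPE implementation). The `openid.pape.*` parameter names and policy URIs are those of PAPE 1.0; the slide cites the earlier draft, so the exact names should be treated as an assumption. The RP's requirements, the Provider's answer and the clock are constructed.

```python
"""Requesting and evaluating authentication policy with PAPE (added example)."""
from datetime import datetime, timedelta, timezone

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
POLICY_BASE = "http://schemas.openid.net/pape/policies/2007/06/"
PHISHING_RESISTANT = POLICY_BASE + "phishing-resistant"
MULTI_FACTOR = POLICY_BASE + "multi-factor"
MULTI_FACTOR_PHYSICAL = POLICY_BASE + "multi-factor-physical"

FIXED_NOW = datetime(2007, 7, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock

# Constructed Provider answer: two policies met, user authenticated two minutes
# ago, NIST SP 800-63 assurance level 3. These fields must be in openid.signed.
SAMPLE_PAPE_RESPONSE = {
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_policies": PHISHING_RESISTANT + " " + MULTI_FACTOR,
    "openid.pape.auth_time": "2007-07-01T11:58:00Z",
    "openid.pape.nist_auth_level": "3",
}


def pape_request(policies, max_auth_age=None):
    """Extension parameters the RP adds to its checkid_setup request."""
    params = {
        "openid.ns.pape": PAPE_NS,
        "openid.pape.preferred_auth_policies": " ".join(policies),
    }
    if max_auth_age is not None:
        params["openid.pape.max_auth_age"] = str(int(max_auth_age))
    return params


def evaluate_pape(response, required_policies, max_auth_age=None, min_nist_level=0, now=None):
    """Decide whether the Provider's answer meets the RP's requirements.

    Returns (ok, reasons). Assumes the signature covering openid.pape.* has
    already been verified; unsigned PAPE claims carry no weight.
    """
    now = now or datetime.now(timezone.utc)
    reasons = []

    # "preferred" policies are only a request: the RP must check what was actually met.
    met = set(response.get("openid.pape.auth_policies", "").split())
    missing = sorted(set(required_policies) - met)
    if missing:
        reasons.append("policies not satisfied: " + ", ".join(missing))

    if max_auth_age is not None:
        auth_time = response.get("openid.pape.auth_time")
        if auth_time is None:
            reasons.append("auth_time missing")
        else:
            try:
                ts = datetime.strptime(auth_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
                if now - ts > timedelta(seconds=max_auth_age):
                    reasons.append("authenticated too long ago")
            except ValueError:
                reasons.append("auth_time malformed")

    if min_nist_level > 0:
        try:
            level = int(response.get("openid.pape.nist_auth_level", "0"))
        except ValueError:
            level = 0  # absent or unparsable is treated as no assurance
        if level < min_nist_level:
            reasons.append(f"nist_auth_level {level} below required {min_nist_level}")

    return (not reasons, reasons)


if __name__ == "__main__":
    print(pape_request([PHISHING_RESISTANT], max_auth_age=300))
    print(evaluate_pape(SAMPLE_PAPE_RESPONSE, [PHISHING_RESISTANT], 300, 2, FIXED_NOW))
```

The RP should treat every absent field as the weakest possible answer (no policy met, level 0, no recent authentication) rather than as "not applicable"; a Provider that ignores the extension simply omits the parameters.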
![Page 41: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/41.jpg)
VeriSign's OpenID Provider
http://pip.verisignlabs.com
![Page 43: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/43.jpg)
Personal Identity Provider
Free OpenID Provider run by VeriSign
Support for OpenID 1.1 & 2.0
Strong security features
One-time password tokens
Microsoft CardSpace
Out-of-band authentication via SMS
Manage multiple OpenID URLs
Easily manage your profile information
![Page 44: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/44.jpg)
Protect Your Account
![Page 45: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/45.jpg)
Consumer strong authentication and fraud detection network
Deployed for the likes of PayPal, eBay, and Charles Schwab
Get one token and use it anywhere in the network
![Page 46: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/46.jpg)
VIP Protected Login
![Page 47: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/47.jpg)
Manage Multiple OpenIDs
![Page 48: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/48.jpg)
Manage Your Profile
![Page 49: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/49.jpg)
Use Your Profile
![Page 50: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/50.jpg)
VeriSign's OpenID SeatBelt (an OpenID convenience and security add-on for Firefox)
works with
![Page 51: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/51.jpg)
Phishing
An untrusted site redirects you to your trusted provider
Not just a problem for OpenID, but also for PayPal, Google Auth and Checkout, Yahoo! BBAuth, AOL OpenAuth
![Page 52: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/52.jpg)
Passwords Can be Phished
Replace passwords
Tokens
SMS, Jabber, etc
Client Side Certificates
Mutual authentication
Microsoft CardSpace or Novell Bandit
Passwords are still widely used
Browsers have poor support for alternative means
![Page 53: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/53.jpg)
SeatBelt
Provide contextual information
Am I currently logged in and if so as whom?
Is it safe to login?
Remove phishing opportunities
Login when my browser opens
Take me to my Provider if I'm not logged in
Protect against common attacks
Validate SSL certificates when interacting with my Provider
Watch where the RP is sending my browser
![Page 54: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/54.jpg)
Provide Context
![Page 55: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/55.jpg)
Remove Opportunities
![Page 56: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/56.jpg)
Protect
![Page 57: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/57.jpg)
Thanks!
David Recordon
Innovation
Questions?
http://openid.net/
http://planet.openid.net/
![Page 58: OpenID Overview - Seoul July 2007](https://reader031.fdocuments.net/reader031/viewer/2022013011/54c8c5584a79591b0f8b457f/html5/thumbnails/58.jpg)
Resources
http://www.notsorelevant.com/2007-04-26/five-articles-on-openid-you-should-know/
http://www.intertwingly.net/blog/2007/01/03/OpenID-for-non-SuperUsers
http://www.sixapart.com/about/news/2006/12/openids_growing.html
http://blogs.zdnet.com/digitalID/?p=78
http://blogs.zdnet.com/digitalID/?p=85
http://dev.aol.com/openid-value-of-connnected-identity
http://www.usatoday.com/tech/webguide/internetlife/2007-03-15-openid_N.htm