OpenID and decentralised social networks
•
6 likes•1,765 views
Presented at Webstock '08 on February 15th in Wellington, New Zealand. Social networks are an unavoidable part of life on the Web today, but most exist as walled gardens with interactions and identities trapped in a silo. OpenID is one of a number of initiatives that are trying to break down these walls and enable new social applications to bootstrap off each other.
Report
Share
OpenID and decentralised social networks
- 1. and decentralised social networks Simon Willison Webstock 15th February 2008
- 3. A OL Supports OpenID Symantec Unveils Cons umer Identity Strategy O penID Gets a Boost Fr om Mic rosoft
- 4. The last few weeks...
- 5. OpenID announces powerhouse boa rd: MSFT, GOOG, IBM, others Yahoo! backs! OpenID! oundatio n Co-opts OpenID F icrosoft A nd Yahoo Google, M
- 6. Decentralised social networks or who will save us from ? http://www.flickr.com/photos/87846746@N00/2235550137/
- 7. The username and password problem
- 9. What’s my password again? What’s my username again?
- 10. The Web needs Single Sign On
- 11. ?
- 13. SSO with a single controlling authority betrays the principles of the Web
- 14. OpenID is a decentralised mechanism for Single Sign On
- 15. It’s like e-mail - no one company controls it, but users with different e- mail providers can still talk to each other
- 16. An OpenID is a URL (an identifier)
- 21. URLs are globally unique
- 22. The OpenID protocol lets you prove that you own a specific URL
- 23. Which means an OpenID can be used as an authentication credential
- 24. “Who are you?”
- 26. “prove it!”
- 27. (magic happens)
- 28. “OK, you’re in!”
- 29. Picking an OpenID is like picking an e-mail provider - you find a company that you trust
- 30. Or if you have the ability to run your own server software, you can do it for yourself
- 31. (mobile phones can run web servers now)
- 32. How to use OpenID
- 37. ? What happens to my organisation’s user account database?
- 38. OpenID augments existing account mechanisms; it does not replace them
- 39. The first time you see a specific OpenID, you create an account for that user
- 40. OpenID can even help users create their initial profile
- 43. OpenID 1.1: Simple Registration OpenID 2.0: Attribute Exchange
- 44. ? So how does OpenID actually work?
- 49. Site fetches HTML, discovers identity provider
- 50. Establishes shared secret with identity provider (Using Diffie-Hellman key exchange)
- 51. Redirects you to the identity provider
- 52. If you’re logged in there, you get redirected back
- 53. (Discovery in OpenID 2.0 is more complicated, but the concept is much the same)
- 54. ? How does my identity provider know who I am?
- 55. OpenID deliberately doesn’t specify
- 56. username/password is the most common
- 57. But providers can use other methods if they want to
- 59. Out of band authentication via SMS, e-mail or Jabber
- 60. Hardware tokens
- 61. Vidoop.com
- 62. ?Will everyone end up with one OpenID that they use for everything?
- 64. (I have half a dozen OpenIDs already)
- 65. People like maintaining multiple online personas
- 66. professional social secret ...
- 67. OpenID makes it easier to manage multiple online personas
- 68. Three accounts is much better than three dozen
- 69. An OpenID provider can provide more than just an OpenID
- 70. My AOL OpenID incorporates my AIM screen name
- 71. An OpenID from sun.com proves that someone is a current Sun employee
- 72. An OpenID from a university can assert my staff/student status
- 73. Some providers might even provide guarantees that OpenIDs belong to specific people
- 75. Phishing
- 76. lolcats ‘r’ us Sign in with your OpenID for even more lolcats! OpenID: Sign in http://www.flickr.com/photos/earthandeden/395466458/ http://www.flickr.com/photos/endbradley/306280569/ http://www.flickr.com/photos/duygu/115528187/
- 77. Fake edition Your identity provider Username and password, please! Username: Password: Log in
- 78. Your account gets stolen
- 79. An untrusted site redirects you to your trusted provider
- 80. PayPal Google Checkout Yahoo!, Flickr, Facebook
- 81. One solution: don’t let the user log in on the identity provider “landing page”
- 83. Better solutions
- 85. VeriSign SeatBelt (a browser extension)
- 87. Competition between providers on security
- 88. ? Outsourcing the security of your users to a third party
- 89. OpenID is functionally equivalent to a lost password e-mail mechanism
- 90. If e-mail is secure enough for your user’s authentication, then so is OpenID
- 91. In other cases, a whitelist of trusted providers may make sense
- 93. Many people have no idea what a URL is
- 94. (but they do know where their MySpace page is)
- 95. OpenID 2.0 introduces directed identity
- 99. Linking identities together
- 101. Identity projection
- 102. Upcoming last.fm
- 103. XFN rel=quot;mequot; lets me publicly point to my accounts on other services
- 105. I don’t want to have to re- add my friends on every social application I use
- 106. But... I don’t want to automatically add my high school friends to a business network
- 107. The correct model is pick-from-import: show me a list of options and let me decide
- 108. The state of the art in contact import is asking for the user’s webmail password The contact import anti-pattern
- 109. The good way: XFN and FOAF Public data, already published
- 110. The Google Social Graph API
- 111. A safe way to import private contacts?
- 113. oauth.net
- 114. Completing our decentralised social network
- 115. The Facebook news feed
- 116. Flickr photos from your contacts
- 117. Your Twitter friends
- 119. XMPP (Jabber)
- 120. We have the ingredients • OpenID • OAuth • XFN and FOAF • XMPP Now we just need to make the pie
- 121. People of Webstock! • Go forth and implement OpenID • Support these emerging standards • Set your users free