OpenID for starters - Barcamp Berlin II

0700LukasRos.de Lukas Rosenstock Digitale Dienste OpenID for starters Lukas L. Rosenstock OpenID Foundation Europe BarCamp Berlin II 03.11.07

Slides for my "OpenID for starters" session held at Barcamp Berlin in November 2007.

Transcript of OpenID for starters - Barcamp Berlin II

Page 1: OpenID for starters - Barcamp Berlin II

OpenID for starters

Lukas L. Rosenstock, OpenID Foundation Europe

BarCamp Berlin II, 03.11.07

Page 2: OpenID for starters - Barcamp Berlin II

Outline

● About me
● About this presentation
● Problem and solution
● Concept URL-based identity
● History of OpenID
● User perspective
● Technical perspective
● Business perspective
● Visions for the future
● Criticism

Page 3: OpenID for starters - Barcamp Berlin II

About me

● Lukas Leander Rosenstock (1984)
● Computer science student at Darmstadt University of Technology
● Involved in smaller web projects
● Active OpenID supporter since Sept. 2005
● OpenID Foundation Europe member
● Web Montag Frankfurt & Cologne
● BarCamp Frankfurt & Cologne

Page 4: OpenID for starters - Barcamp Berlin II

About this presentation

● Complete overview for starters
● Introduction to the topic, starting at "0" (zero)
● More questions and discussion after the presentation or in other sessions at this BarCamp

Page 5: OpenID for starters - Barcamp Berlin II

Problem and solution (1)

● Web 2.0 sites allow interaction
● Web 1.0 sites too (e.g. boards)
● Yes, I know, you can't say a site is "1.0" or "2.0" ...
● Register everywhere? Maybe for one post or download?
● Remember passwords?
● Often the same information has to be entered, no connection between profiles
● Effect: websites are still islands / walled gardens

Page 6: OpenID for starters - Barcamp Berlin II

Problem and solution (2)

● Negative side-effect: centralization encouraged (e.g. Gravatar, MySpace, Facebook)
● "(de)centralization paradox"
● Solution: one "username" for every site?
● Single sign-on
● A framework for interoperability, extensible with profile exchange, reputation / claims / voting, distributed social networks and applications (while privacy remains)?
● Here we go ...

Page 7: OpenID for starters - Barcamp Berlin II

Concept URL-based identity

● URL, more exactly: HTTP URL, as identifier
● Well-known and proven concept
● Namespace is easily accessible
● Describes a "space"
● (Meta-)information can be requested synchronously
● Examples:
  ● http://daveman692.livejournal.com/
  ● http://0700lukasros.de/
  ● http://openid.aol.com/username

Page 8: OpenID for starters - Barcamp Berlin II

History of OpenID (1)

● Originally YADIS = Yet Another Distributed Identity System, developed by Brad Fitzpatrick (Danga/SixApart/LiveJournal)
● 17th May 2005: Renamed to OpenID and published
● Implementation on LiveJournal
● September 2005: First public OpenID servers, videntity.org and MyOpenID.com

Page 9: OpenID for starters - Barcamp Berlin II

History of OpenID (2)

● October 2005: "Yadis" newly announced as interoperability platform for OpenID and LID (Light Weight Identity, Netmesh)
● JanRain Inc writes OpenID code libraries for PHP, Perl, Ruby and Python
● 21st March 2006: Yadis specification 1.0 published, based upon XRI/XRDS/i-names
● 26th July 2006: Announcement of the OpenID code bounty program

Page 10: OpenID for starters - Barcamp Berlin II

History of OpenID (3)

● Beginning of 2007: RSA Conference; Microsoft announces support for OpenID
  ● Interoperability with CardSpace / InfoCard
● AOL "unofficially" gives their 63 million members an OpenID
● Question: What are Google and Yahoo doing?
  ● Evaluating internally!
● During 2007: some websites introduce at least partial OpenID support (wordpress.com, Technorati)
● OpenID Foundation & OpenID Foundation Europe

Page 11: OpenID for starters - Barcamp Berlin II
Page 12: OpenID for starters - Barcamp Berlin II

User perspective

● Use case: Login/signup on a website
  – User already owns his OpenID
● Example ...

Page 13: OpenID for starters - Barcamp Berlin II
Page 14: OpenID for starters - Barcamp Berlin II
Page 15: OpenID for starters - Barcamp Berlin II
Page 16: OpenID for starters - Barcamp Berlin II
Page 17: OpenID for starters - Barcamp Berlin II
Page 18: OpenID for starters - Barcamp Berlin II

Technical perspective

[Diagram: End User/Client, Identity-URL, Identity Provider (IdP), Relying Party (RP); arrows labelled "wants to identify himself", "owns", "points to", "confirms identity"]

Page 19: OpenID for starters - Barcamp Berlin II

[Diagram: End User/Client, Identity-URL, Identity Provider (IdP), Relying Party (RP)]

(1) asks for IdP (discovery)

(2) gets a handle issued (association) [if not yet done]

(3) sends redirection to IdP

Page 20: OpenID for starters - Barcamp Berlin II

[Diagram: End User/Client, Identity Provider (IdP), Relying Party (RP)]

(1) session, cookie, password, client certificate, trust setting (either automatically or interactive)

(2) sends redirection to the RP with signature (SHA1-HMAC)

(3) redirection

(4) signature validation
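
The signed redirect (2) and the RP's signature validation (4) from the slides above, as an added Python example that is not part of the original slides. It follows the OpenID 1.1 signing scheme; the association handle, the secret and all URLs are constructed, and replay protection is left out.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed sample association (handle -> shared secret) from the association step.
ASSOCIATIONS = {"assoc-1": b"constructed-secret-key"}
REQUIRED_SIGNED = {"identity", "return_to"}  # fields the RP refuses to trust unsigned


def sign(params, signed, secret):
    """base64(HMAC-SHA1(secret, 'name:value\\n' for each field listed in openid.signed))."""
    token = "".join(f"{k}:{params['openid.' + k]}\n" for k in signed).encode()
    return base64.b64encode(hmac.new(secret, token, hashlib.sha1).digest()).decode()


def idp_response(identity, return_to, handle="assoc-1"):
    """IdP side: build the signed query string carried by the redirect to the RP."""
    params = {"openid.mode": "id_res", "openid.identity": identity,
              "openid.return_to": return_to, "openid.assoc_handle": handle,
              "openid.signed": "mode,identity,return_to"}
    params["openid.sig"] = sign(params, params["openid.signed"].split(","),
                                ASSOCIATIONS[handle])
    return urlencode(params)


def verify_assertion(query, expected_return_to):
    """RP side: return the verified identity URL, or None if any check fails."""
    params = dict(parse_qsl(query, keep_blank_values=True))
    if params.get("openid.mode") != "id_res":
        return None
    # Unknown handle: this example rejects instead of asking the IdP directly.
    secret = ASSOCIATIONS.get(params.get("openid.assoc_handle"))
    signed = params.get("openid.signed", "").split(",")
    if secret is None or not REQUIRED_SIGNED.issubset(signed):
        return None
    if any("openid." + k not in params for k in signed):
        return None
    expected = sign(params, signed, secret).encode()
    # Constant-time comparison avoids leaking how much of the signature matched.
    if not hmac.compare_digest(expected, params.get("openid.sig", "").encode()):
        return None
    if params["openid.return_to"] != expected_return_to:
        return None
    return params["openid.identity"]
```

Checking that `identity` and `return_to` are in the signed list matters as much as the HMAC itself: a valid signature over other fields says nothing about who logged in.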

Page 21: OpenID for starters - Barcamp Berlin II

Business perspective

● What benefits does OpenID offer?
● As relying party (offer OpenID logins):
  – lower entry barrier for potential customers
  – more users, more profit :-)

Page 22: OpenID for starters - Barcamp Berlin II

Business perspective

● As a provider (offering OpenID URLs):
  – free bonus feature
  – more links back to your site
● potentially higher pagerank
● Dominate the world with a "Microsoft strategy" (proprietary add-ons) ...

Page 23: OpenID for starters - Barcamp Berlin II
Page 24: OpenID for starters - Barcamp Berlin II
Page 25: OpenID for starters - Barcamp Berlin II

Visions for the future

● URL as platform
  – RSS, FOAF, Microformats
● Decentralized social networking
  – Good-bye to walled gardens
  – videntity, claimID
  – Who's next?
  – A dedicated session of its own for this ...

Page 26: OpenID for starters - Barcamp Berlin II

Visions for the future

● OpenID 2.0 and extensions coming up
  – added security (& privacy)
  – profile exchange

Page 27: OpenID for starters - Barcamp Berlin II

Criticism

● openid-neindanke.de
● IdP as "Big Brother"?
  – your ISP already is
  – can be prevented with multiple OpenIDs
● IdP as SPoF
  – can be prevented with multiple OpenIDs*
● Not secure?
  – comparable to "password reset by email"

* this does not break the concept of OpenID

Page 28: OpenID for starters - Barcamp Berlin II

That's all, folks ...

● Thanks for your attention!
● Questions now or in discussion session
● A link to slides will be on the BarCamp wiki