Transcript
Page 1: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

Emerging From Web 2.0

Web 2.0 Expo Berlin 2007

Page 2: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

"taking the world by storm"

Tim O'Reilly

"It's definitely time to declare OpenID a winner"

TechCrunch

"this high profile announcement marks the importance of single sign on identity technology to the future of the Internet"

ReadWriteWeb

"OpenID is a protocol made for the public, by the public. No one owns or controls your login information: You do."

37signals

"...sees great potential for OpenID's use alongside enterprise-ready software infrastructure"

Sun Microsystems

Page 3: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

What is OpenID?

• Single sign-on for the web

• Simple and light-weight (not going to replace your bank card pin)

• Easy to use and deploy

• Built upon proven existing technologies (DNS, HTTP, SSL/TLS, Diffie-Hellman)

• Decentralized (you don't have to ask anyone permission to implement it)

• Free!

Page 4: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

An OpenID is a URI

• URLs are globally unique and ubiquitous

• OpenID allows proving ownership of a URI

• People already have identity at URLs via blogs, photos, MySpace, FaceBook, etc

• People already describe relationships via URLs (e.g. links to my friends)

Page 5: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

OpenID is Decentralized

Page 6: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

Benefits

• Reduces the number of usernames and passwords

• Simplifies new account creation

• Allows for lightweight accounts

• Simplifies internal SSO

• Enables wide-spread benefit of strong authentication

• Enables decentralized reputation

• Enables social network portability

Page 7: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

DEMO

How Does it Work?

Page 8: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

As a Conversation

Who are you?

I’m davidrecordon.com

Prove it!

Page 9: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

Discovers My Provider

"openid.server" points to my OpenID Provider

Page 10: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

(crypto happens)

Page 11: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

Getting an OpenID

http://openid.net/get/

Page 12: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

OpenID is Really Easy

Page 13: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

"This is a geek's toy,

nobody will ever have an OpenID!"

Page 14: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

~160 million OpenIDs (including every AOL user)

OpenID 1.1 - Estimated from various services

Page 15: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0
Page 16: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

"Nobody will ever use this!"

Page 17: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

Total Relying Parties (aka places you can login with OpenID)

OpenID 1.1 - As viewed by MyOpenID.com

[Chart: y-axis 0 to 6,000; x-axis by month from Sep '05 to Sep 22, with labels marking Jan '06 and Jan '07]

Page 18: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

"So that's great there are so many blogs, but what about something real?"

Page 19: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0
Page 20: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

"What about security?"

Page 21: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

“Protocol Security?”

Page 22: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

like any protocol...think as you implement

Page 23: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

the best solutions may be around the browser

Page 24: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

MyVidoop Plugin (a password manager tied into your OpenID account add-on for Firefox)

Page 25: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

Sxipper (a form filler password manager with OpenID integration add-on for Firefox)

Page 26: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

Symantec Identity Client (OpenID form-fill, upcoming provider, and claims integration)

Page 27: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

VeriSign's OpenID SeatBelt (an OpenID convenience and security add-on for Firefox)

works with

Page 28: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

IE Team has posted a job ad mentioning "OpenID"

"Does the idea of redefining the role of the Internet browser appeal to you? Do the terms HTTP, RSS, Microformats, and OpenID, excite you? If so, then this just might be the opportunity for you."

Page 29: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

OpenID is great for innovation

Page 30: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

“So, what about OpenID 2.0?”

Page 31: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

OpenID 2.0

• Cleans up the 1.1 specification

• Adds a few useful features

• Robust extensibility

• Enhanced service discovery

• "Directed identity"

• XRI

• About six independent library implementations of final draft

Page 32: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

“Any OpenID in the enterprise?”

Page 33: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

Internal SSO for bug trackers and wikis

Offer all employees OpenIDs; open source

Enterprise SSO and identity manager with LDAP and OpenID

OpenID Provider with plans to ship in enterprise products this year

Shared OpenID Provider for their businesses and partners

Project management, CRM, and billing for small businesses

Page 34: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

Open.ID.ee

Page 35: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

I come from E-stonia

• A small EU country with ~1.3M inhabitants

• Access to internet considered a “civil right”

• Had first parliament elections over the internet in 2005

• 80%+ of the population have a digital ID-card

Page 36: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

ID-card

Page 37: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

ID-card is a...

• Photo ID like any other

• We are interested in Electronic ID:

• The chip contains your name, age, gender and social security number

• Two PIN codes: one for authentication and one for signing documents

Page 38: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

Authentication

• Is about proving who you are.

• Available to any service that wants to use it

• Online banking

• Filing your taxes

• Various other services

Page 39: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0
Page 40: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0
Page 41: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0
Page 42: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0
Page 43: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

"How does this happen?"

Page 44: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

Entering your PIN code is your consent to send personal data to the service

Page 45: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

Yes/No decision

Page 46: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

"So what is the problem?"

Page 47: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

Users do not always want this.

Users want control of their personal data.

Page 48: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

What is Identity?

• Wikipedia: “the sameness of two things”

• “Things” are users

• Users are website visitors

• “Who are you?”

Page 49: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

Are you the same you that signed up with us?

Page 50: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

ID-card contains government verified identity

Page 51: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

Same Can be Different

• Bank: Martin Paljak, the account owner

• Forum: user who registered as “catluvr99”

• Blog: author of the comment

• http://open.id.ee/martin.paljak is Martin Paljak

Page 52: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

Is the OpenID you present the same as we have in our database?

Page 53: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

Websites really need to match identifiers, not collect your personal data.

Page 54: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

Solution: OpenID

• id.ee => open.id.ee

• OpenID service that uses ID-cards for authentication

• Gives users more control over their private data

• Is NOT a government enforced/controlled service

Page 55: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

Simplicity

• One privacy policy to check

• One trust decision to make

• One purpose for the OpenID service

• Encapsulate and protect users’ private data

Page 56: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

No need to sign up, it JustWorks

Page 57: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

... if you have the needed hardware and software ...

Page 58: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0
Page 59: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0
Page 60: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0
Page 61: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

"So if everybody implements OpenID, are we all happy?"

Page 62: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

"What about website developers?"

Page 63: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

ID-card Sucks!

• Implementing support is difficult

• Technically challenging (SSL certificates and such)

• Users don’t like ID-cards anyway as they are often afraid of privacy issues

• Most sites don’t need such high security

• So... why bother?

Page 64: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

I Forgot!

• Mobile-ID: same stuff inside your GSM SIM card

• Same technology inside ...

• ... but totally different to implement ...

• ... AGAIN!!!

Page 65: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

What is Mobile-ID?

• Smaller ID-card

• No hardware needed - your phone is your card reader

• No need to install software to use it online - websites have it

Page 66: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0
Page 67: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0
Page 68: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

beep-beep!

Page 69: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0
Page 70: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

If you’re going to write new code, why not OpenID code?

Page 71: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

Benefits of OpenID

• Only one interface to implement

• And lots of expertise available globally

• If website uses open.id.ee service exclusively, it has instant access to both ID-cards and Mobile-ID authentication

• ... with privacy features included @ no cost

Page 72: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

So ...

• Users get more control over their private data and OpenID provides it

• Websites have a simple and easy way to integrate newest authentication technologies with OpenID

Page 73: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

Finally a win-win solution?

Page 74: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

Almost there ...

Page 75: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

Anonymity

• Users want anonymity

• At least partial

• Remaining anonymous is a privilege

• Spam, death threats etc must be punishable

Page 76: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

The story

• Riots in Tallinn that led to cyber-attacks

• Petition letter to force a politician to resign collected almost 100k names and e-mails

• Including “George Bush”, “Rex the dog” and “!@#$ you”

• Result: nothing.

Page 77: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

OpenID 2.0

• New feature: identity selection

• You get to choose the OpenID sent to the website

• Choose between open.id.ee/martin.paljak ...

Page 79: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

Anonymous OpenID

• No (zero) personal data in the URL

• One anonymous URL per user per website

• The “account” problem mitigated

• Still a guarantee that the user behind the OpenID is a real person
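
An added example (not from the slides, and not open.id.ee's own code) of one way a provider could issue "one anonymous URL per user per website": an HMAC over the user's internal ID and the website's realm, keyed with a provider-side secret. The base URL, the internal user IDs and the function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

ANON_BASE = "https://op.example/anon/"   # constructed provider URL space

def normalize_realm(site_url):
    """Reduce a website URL to scheme://host[:port]/ so every page of one
    site maps to the same realm."""
    p = urlsplit(site_url)
    if p.scheme not in ("http", "https") or not p.hostname:
        raise ValueError("site URL must be absolute http(s)")
    default_port = {"http": 80, "https": 443}[p.scheme]
    netloc = p.hostname if p.port in (None, default_port) else f"{p.hostname}:{p.port}"
    return f"{p.scheme}://{netloc}/"

def anonymous_openid(secret, user_id, site_url):
    """Derive the anonymous OpenID URL for one user at one website.

    secret  -- provider-side key, never sent to any website (assumption)
    user_id -- the provider's internal, stable ID for the verified person
    """
    realm = normalize_realm(site_url)
    # Length-prefix both fields so (user, realm) pairs cannot collide
    # through concatenation.
    msg = b"".join(len(part).to_bytes(4, "big") + part
                   for part in (user_id.encode(), realm.encode()))
    tag = hmac.new(secret, msg, hashlib.sha256).digest()
    token = base64.urlsafe_b64encode(tag[:20]).rstrip(b"=").decode()
    return ANON_BASE + token

if __name__ == "__main__":
    key = b"\x01" * 32                    # constructed demo key
    for site in ("https://forum.example/login", "https://blog.example/"):
        print(site, "->", anonymous_openid(key, "user-0001", site))
```

The website stores and matches only the derived URL, so two sites cannot link the same person by comparing identifiers, while the provider can recompute the mapping whenever the same verified user returns.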

Page 80: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0
Page 81: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0
Page 82: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

Extra Features

• Identity theft virtually impossible

• re-claiming is painless

• Some registration data is always true

• If user chooses to send it

• “Why do they need it?”

Page 83: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

Why do I Care?

• I’m a user too!

• We export the ID technology of Estonia

• Online privacy issues are being discussed

• Verified anonymity contributes to e-democracy

Page 84: Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0

Why you should care!

• Implement OpenID - get access to our technology

• Other EU countries deploying ID-cards

• Similar problems

• Similar solutions

• OpenID is designed for interoperability

• ID-cards are in theory

