The implications of OpenID. Simon Willison, Google Tech Talk, 25th June 2007

Who here has used OpenID?

Who uses it regularly?

What is OpenID?

OpenID is a decentralised mechanism for Single Sign On

What problems does it solve?

Too many passwords!

Someone else already grabbed my username

My online profile is scattered across dozens of sites

What is an OpenID?

An OpenID is a URL

http://swillison.livejournal.com/

http://simonw.myopenid.com/

http://simonwillison.net/

http://openid.aol.com/simonwillison/

What can you do with an OpenID?

You can claim that you own it

You can prove that claim

Why is that useful?

You can use it for authentication

Who the heck are you?!

I'm simonwillison.net

prove it!

(magic happens)

OK, you're in!

So it's a bit like Microsoft Passport, then?

Yes, but you don't need to ask their permission to implement it

And Microsoft don't get to own your credentials

Who does get to own them?

You, the user, decide.

You pick your own provider

(just like e-mail)

So I'm still giving someone the keys to my kingdom?

Yes, but it can be someone you trust

If you have the ability to run your own server software, you can do it for yourself.

OK, how do I use it?

So my users don't have to sign up for an account?

Not necessarily

An OpenID tells you very little about a user

You don't know their name

You don't know their e-mail address

You don't know if they're a person or an evil robot

(or a dog)

Where do I get that information from?

You ask them!

OpenID can even help them answer

How can I tell if they're an evil spambot?

Same as usual: challenge them with a CAPTCHA

So how does OpenID actually work?

<link rel="openid.server" href="http://www.myopenid.com/server" />

I'm simonwillison.myopenid.com

Site fetches HTML, discovers identity provider

Establishes shared secret with identity provider (Using Diffie-Hellman key exchange)

Redirects you to the identity provider

If you're logged in there, you get redirected back
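As an added illustration of the three steps just listed (this is example code written for this page, not code from the talk or from any OpenID library): the consumer and the provider agree a MAC key by Diffie-Hellman, the provider signs the fields of the redirect with HMAC-SHA1 over their key-value form, and the consumer checks that signature and that every field it relies on is actually covered by it. The Diffie-Hellman group, the example.com return URL and the in-process Provider/Consumer classes are assumptions made to keep the example self-contained; the real protocol uses the OpenID default 1536-bit modulus and HTTP requests between the two parties.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Diffie-Hellman group. Stand-in chosen to keep the example short (an assumption,
# not the protocol's value): a real consumer sends the OpenID default 1536-bit modulus.
DH_P = 2**255 - 19
DH_G = 2


def btwoc(n: int) -> bytes:
    """OpenID's 'btwoc': big-endian two's-complement bytes of a non-negative integer,
    with a leading zero byte whenever the top bit would otherwise be set."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big")


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def kv_form(fields: dict, signed: list) -> bytes:
    """Key-value form over exactly the fields named in openid.signed, in that order."""
    return "".join(f"{k}:{fields[k]}\n" for k in signed).encode()


class Provider:
    """Identity provider: answers openid.mode=associate and signs positive assertions."""

    def __init__(self):
        self.assocs = {}  # assoc_handle -> MAC key

    def associate(self, consumer_public: int) -> dict:
        y = secrets.randbelow(DH_P - 2) + 1
        shared = pow(consumer_public, y, DH_P)
        mac_key = secrets.token_bytes(20)  # 160-bit key for HMAC-SHA1
        handle = secrets.token_hex(8)
        self.assocs[handle] = mac_key
        # In a DH-SHA1 session the MAC key travels XORed with SHA1(btwoc(shared secret)).
        enc = xor_bytes(mac_key, hashlib.sha1(btwoc(shared)).digest())
        return {"assoc_handle": handle,
                "dh_server_public": base64.b64encode(btwoc(pow(DH_G, y, DH_P))).decode(),
                "enc_mac_key": base64.b64encode(enc).decode()}

    def sign_assertion(self, handle: str, identity: str, return_to: str) -> dict:
        fields = {"mode": "id_res", "identity": identity,
                  "return_to": return_to, "assoc_handle": handle}
        signed = ["mode", "identity", "return_to", "assoc_handle"]
        sig = hmac.new(self.assocs[handle], kv_form(fields, signed), hashlib.sha1).digest()
        fields["signed"] = ",".join(signed)
        fields["sig"] = base64.b64encode(sig).decode()
        return {"openid." + k: v for k, v in fields.items()}


class Consumer:
    """Relying party: establishes the association, then verifies the redirect back."""

    def __init__(self, provider: Provider):
        self.provider = provider
        self.mac_keys = {}

    def associate(self) -> str:
        x = secrets.randbelow(DH_P - 2) + 1
        resp = self.provider.associate(pow(DH_G, x, DH_P))
        server_public = int.from_bytes(base64.b64decode(resp["dh_server_public"]), "big")
        shared = pow(server_public, x, DH_P)
        enc = base64.b64decode(resp["enc_mac_key"])
        self.mac_keys[resp["assoc_handle"]] = xor_bytes(enc, hashlib.sha1(btwoc(shared)).digest())
        return resp["assoc_handle"]

    def verify(self, query: str, expected_return_to: str) -> bool:
        params = {k: v[0] for k, v in parse_qs(query).items()}
        f = {k[len("openid."):]: v for k, v in params.items() if k.startswith("openid.")}
        if f.get("mode") != "id_res" or "signed" not in f or "sig" not in f:
            return False
        signed = f["signed"].split(",")
        if not all(k in f for k in signed):
            return False
        # Everything the site relies on must be under the signature, or an attacker
        # can rewrite identity or return_to in the redirect and keep a valid sig.
        if not {"mode", "identity", "return_to", "assoc_handle"} <= set(signed):
            return False
        if f["return_to"] != expected_return_to:
            return False
        mac_key = self.mac_keys.get(f["assoc_handle"])
        if mac_key is None:
            return False  # unknown handle; a real consumer falls back to check_authentication
        expected = hmac.new(mac_key, kv_form(f, signed), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(f["sig"]))


def run_login(tamper: bool = False) -> bool:
    """Whole flow with a constructed return URL; tamper=True simulates a rewritten redirect."""
    provider, return_to = Provider(), "http://example.com/openid/return"
    consumer = Consumer(provider)
    handle = consumer.associate()
    params = provider.sign_assertion(handle, "http://simonwillison.net/", return_to)
    if tamper:
        params["openid.identity"] = "http://attacker.example/"
    return consumer.verify(urlencode(params), return_to)
```

run_login() returns True for an untouched redirect and False once openid.identity is changed after signing. OpenID 1.1 has no protocol-level nonce, so a real consumer also puts a one-time token into return_to before redirecting, to stop an intercepted response being replayed; that is left out here.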

How does my identity provider know who I am?

OpenID deliberately doesn't specify

username/password is common

But providers can use other methods if they want to

Client SSL certificates

Out of band authentication via SMS, e-mail or Jabber

IP based login restrictions

(one guy set that up using DynDNS)

SecurID keyfobs

No authentication at all (just say "Yes")

Just say yes?

Yup. That's the OpenID version of bugmenot.com

http://www.jkg.in/openid/

Users can give away their passwords today - this is just the OpenID equivalent

What if I decide I hate my provider?

Use your own domain name

Delegate to a provider you trust

<link rel="openid.server" href="http://www.livejournal.com/openid/server.bml">
<link rel="openid.delegate" href="http://swillison.livejournal.com/">

Support for delegation is compulsory

This minimises lock in
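An added example (written for this page, not code from the talk) of the discovery step that serves both the plain case above, where the page carries only openid.server, and the delegated case, where openid.delegate names the URL the provider will actually assert: it normalises what the user typed, reads the two link tags from the page's head only, and records which identity the consumer must later see in the provider's response. The sample pages are constructed from the link tags shown on the slides; the helper names and the attacker.example host are my own.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit


def normalize_identifier(user_input: str) -> str:
    """Canonical form of what the user typed: add http:// when no scheme was given,
    lower-case the host, use '/' for an empty path, drop any fragment."""
    s = user_input.strip()
    if "://" not in s:
        s = "http://" + s
    p = urlsplit(s)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


class _LinkFinder(HTMLParser):
    """Collects openid.server / openid.delegate <link> tags, and only from inside <head>:
    link tags in the body may be user-supplied content (comments, profile HTML)."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.found = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head and a.get("href"):
            for rel in (a.get("rel") or "").lower().split():
                if rel in ("openid.server", "openid.delegate") and rel not in self.found:
                    self.found[rel] = a["href"]  # first occurrence wins

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def discover(claimed_id: str, html: str):
    """Returns the server to redirect to and the identity it will be asked to assert,
    or None when the page carries no usable openid.server link."""
    finder = _LinkFinder()
    finder.feed(html)
    server = finder.found.get("openid.server")
    if server is None:
        return None
    return {
        "claimed_id": claimed_id,
        "server": server,
        # With delegation the provider authenticates the delegate URL; the site
        # still keys the user's account on claimed_id.
        "identity": finder.found.get("openid.delegate", claimed_id),
    }


def response_identity_ok(discovery: dict, asserted_identity: str) -> bool:
    """The openid.identity in the provider's response must be exactly what discovery
    produced for this login attempt. Accepting whatever comes back would let anyone
    with an account at any provider claim an arbitrary URL."""
    return asserted_identity == discovery["identity"]


# Constructed sample pages, built from the link tags shown on the slides.
PAGE_MYOPENID = """<html><head><title>Simon</title>
<link rel="openid.server" href="http://www.myopenid.com/server" />
</head><body>hello</body></html>"""

PAGE_DELEGATED = """<html><head>
<link rel="openid.server" href="http://www.livejournal.com/openid/server.bml">
<link rel="openid.delegate" href="http://swillison.livejournal.com/">
</head><body></body></html>"""

PAGE_BODY_ONLY = """<html><head><title>Profile</title></head><body>
<link rel="openid.server" href="http://attacker.example/server">
</body></html>"""
```

discover() on PAGE_DELEGATED yields the LiveJournal server and http://swillison.livejournal.com/ as the identity to expect back, while the account stays keyed on http://simonwillison.net/; on PAGE_BODY_ONLY it yields None, because a link tag outside the head is ignored.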

So everyone will end up with one OpenID that they use for everything?

Probably not

(I have half a dozen OpenIDs already)

People like maintaining multiple online personas

professional, social, secret...

OpenID makes it easier to manage multiple online personas

Three accounts is still better than three dozen

If an OpenID is just a URL, is there anything else interesting you can do with it?

Yes. Different OpenIDs can express different things

My AOL OpenID proves my AIM screen name

An OpenID from sun.com proves that someone is a current Sun employee

A last.fm OpenID could incorporate my taste in music

My LiveJournal OpenID tells you where to find my blog

... and a FOAF file listing my friends

doxory.com uses this for contact imports

Why is OpenID worth implementing over all the other identity standards?

It's simple

Unix philosophy: It solves one, tiny problem

It's a dumb network

Many of the competing standards are now on board

Isn t putting all my eggs in one basket a really bad idea?

Bad news: chances are you already do

"I forgot my password" means your e-mail account is already an SSO mechanism

OpenID just makes this a bit more obvious

What about phishing?

Phishing is a problem

[Slide: mock sign-in form on a lolcat site, "Sign in with your OpenID", http://icanhascheezburger.com/2007/05/16/i-has-a-backpack/]

[Slide: mock phishing page titled "Your identity provider (fake edition)", asking for username and password]

Identity theft :(

An untrusted site redirects you to your trusted provider

Sound familiar?

PayPal, Yahoo! BBAuth, Google Auth, Google Checkout

You guys already need to solve that problem!

One solution: don t let the user log in on the identity provider landing page

Better solutions

CardSpace

Native browser support for OpenID (e.g. SeatBelt)

Competition between providers

Permanent cookie set using out-of-band token

Best practices for OpenID consumers?

"I forgot my password" becomes "I can't sign in with my OpenID"

Allow multiple OpenIDs to be associated with a single account

People can still sign in if one of their providers is down

People can un-associate an OpenID without locking themselves out

You can take advantage of site-specific services around each of their OpenIDs
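One way to model the account side of this, as an added example rather than anything from the talk (sqlite3, the table names and the method names are assumptions): one account, any number of OpenIDs, each OpenID attached to at most one account, and a refusal to detach the last one so a user can never lock themselves out.

```python
import sqlite3

# Constructed schema (assumption): one account row, any number of OpenID rows pointing at it.
SCHEMA = """
CREATE TABLE account (
    id           INTEGER PRIMARY KEY,
    display_name TEXT NOT NULL
);
CREATE TABLE account_openid (
    claimed_id TEXT PRIMARY KEY,                         -- an OpenID belongs to at most one account
    account_id INTEGER NOT NULL REFERENCES account(id)
);
"""


class AccountStore:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(SCHEMA)

    def create_account(self, display_name: str, claimed_id: str) -> int:
        cur = self.db.execute("INSERT INTO account (display_name) VALUES (?)", (display_name,))
        self.db.execute("INSERT INTO account_openid VALUES (?, ?)", (claimed_id, cur.lastrowid))
        return cur.lastrowid

    def lookup(self, claimed_id: str):
        """Which account does a *verified* OpenID sign in to? None: unknown, offer sign-up."""
        row = self.db.execute("SELECT account_id FROM account_openid WHERE claimed_id = ?",
                              (claimed_id,)).fetchone()
        return row[0] if row else None

    def openids_for(self, account_id: int) -> list:
        rows = self.db.execute("SELECT claimed_id FROM account_openid WHERE account_id = ?"
                               " ORDER BY claimed_id", (account_id,)).fetchall()
        return [r[0] for r in rows]

    def associate(self, account_id: int, claimed_id: str) -> bool:
        """Attach another OpenID. Call this only after that OpenID was verified inside a
        session already signed in as account_id. False: it is attached elsewhere already."""
        try:
            self.db.execute("INSERT INTO account_openid VALUES (?, ?)", (claimed_id, account_id))
        except sqlite3.IntegrityError:
            return False
        return True

    def unassociate(self, account_id: int, claimed_id: str) -> bool:
        """Detach an OpenID, but never the last one: that would leave no way to sign in."""
        if len(self.openids_for(account_id)) <= 1:
            return False
        cur = self.db.execute("DELETE FROM account_openid WHERE account_id = ? AND claimed_id = ?",
                              (account_id, claimed_id))
        return cur.rowcount == 1
```

With two OpenIDs attached, the user can still sign in when one provider is down and can drop either of them; the store only refuses the removal that would leave zero.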

Any other neat tricks?

Portable contact lists

Facebook (and others) currently ask for the user's Google username and password

I don't need to tell you why that's a horrible idea

Lightweight accounts

Pre-approved accounts

Social whitelists

OpenID and microformats

Decentralised social networks?

"People keep asking me to join the LinkedIn network, but I'm already part of a network, it's called the Internet." Gary McGraw, via Jon Udell, via Gavin Bell

Doesn't this outsource the security of my users to untrusted third parties?

Yes it does. But...

... so do forgotten password e-mails!

If e-mail is secure enough for your users' authentication, so is OpenID

Password e-mails are essentially SSO with a deliberately bad user experience

What are the privacy implications?

Cross correlation of accounts

Don t publish a user s OpenID without making it clear that you re going to do that

Allow users to opt-out of sharing their OpenID

The online equivalent of a credit reporting agency?

This could be built today by sites conspiring to share e-mail addresses

IANAL, but legal protections against this already exist

Directed identity in OpenID 2.0 makes it easy to use a different OpenID for every site
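As an added example of the kind of per-site identifier a provider could hand out for this (written for this page; it is not from the talk and not the OpenID 2.0 specification's own mechanism; the HMAC construction, base URL and secret are assumptions): the same user gets the same URL at the same site every time, but two sites cannot join their records on it without the provider's secret.

```python
import hashlib
import hmac


class DirectedIdentityProvider:
    """Issues a different OpenID per relying-party realm for the same local user, and maps
    one back to the local user when that site later asks the provider to authenticate it."""

    def __init__(self, base_url: str, secret: bytes):
        self.base_url = base_url.rstrip("/")
        self.secret = secret  # constructed provider secret; rotating it changes every identifier
        self.issued = {}      # pairwise URL -> (local user, realm)

    def identifier_for(self, local_user: str, realm: str) -> str:
        # HMAC over user and realm: stable per (user, realm), unlinkable across realms.
        # Both parts are length-prefixed so "ab"+"c" and "a"+"bc" cannot collide.
        u, r = local_user.encode(), realm.encode()
        msg = b"%d:%s%d:%s" % (len(u), u, len(r), r)
        tag = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:32]
        url = f"{self.base_url}/id/{tag}"
        self.issued[url] = (local_user, realm)
        return url

    def resolve(self, pairwise_url: str):
        """Which local user and realm does an issued URL belong to? None if never issued."""
        return self.issued.get(pairwise_url)
```

The URL carries nothing a second site can correlate: it is a keyed hash, so even a site that knows the user's local username cannot predict the identifier another site sees.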

Patents?

Sun and VeriSign have both announced patent covenants

They won't smack you down with their patents for using OpenID 1.1

They will smack down anyone else who asserts their own patents against OpenID

Who else is involved?

(Slide borrowed from David Recordon)

AOL - provider, full consumer by end of July

Microsoft: Bill Gates expressed their interest at the RSA conference

(mainly as good PR for CardSpace?)

Sun: Patent Covenant, 33,000 employees

Six Apart

VeriSign

JanRain

Yahoo! - indirectly

Google?

http://openid.net/
http://www.openidenabled.com/
http://simonwillison.net/tags/openid/

Thank you