FOWA 2007 day two - Simon Willison on OpenID


Web authentication sucks!

(This is a Textile rendition of my OmniOutliner file)

  • Not a niche
  • Web authentication sucks
    • Use same password
    • Which account did I use?
    • Email addresses better
      • But which one?
      • What about out of date addresses
    • Too many usernames
    • Too many passwords
    • Too many forms
  • Single sign-on will save us
    • MSN Passport
      • But would you trust these men with your identity?
    • TypeKey
      • Ben and Mena - I trust them now, but what if they turn evil?
  • OpenID
    • Decentralised single sign-on
    • Identity is a URI
      • Shows zoomr.com
        • types in URL --> redirects to LiveJournal --> log in to LiveJournal --> grant ID validation --> back to zoomr and log in with one string!
      • But...
        • OpenID attributes (not tokens but still breakable?)
  • Is this decentralised?
    • How do we own our own identity?
      • I run my own id server (shows link tag)
        • jyte.com
      • Who provides OpenID?
        • bunch of folk (6A, etc.)
      • Other ways to authenticate
        • DynDNS
        • Jabber
        • RSA key fobs
        • secure certificates
  • One obvious reason to support OpenID
    • Build some OpenID shit now!
    • Hey, hundreds of early adopters need to create loads of accounts. Give them OpenID
  • OpenID is an example of dumb networks
    • the intelligence is on the edges
    • OpenID conforms to the same model
  • What can we build?
    • Shared profile information
    • Use OpenID to extend the lifetime of cookies
    • blog / wiki antispam because it saves readers from creating yet another account
    • Pre-approved accounts
    • Corp SSO
      • OID server behind the firewall
    • OpenID and microformats
      • hCard
      • XFN
        • You can import a user's contacts by introspecting their OpenID
    • OpenID site specific hacks
      • Login with 'X' id to grab the services you need
    • Social whitelisting
      • Share the whitelist with your friends
      • Publish the list of OIDs that you trust to comment
    • Jyte
      • Lightweight trust networks
        • Comment on 'id claims'
        • Jyte group export (sort of like social whitelist)
        • Manage an invite only group using Jyte then hook that into another site's authentication mechanism
    • Decentralised social network
  • What sucks about OpenID
    • Phishing
      • Example of "more kittens" website with man-in-the-middle attack
        • redirect to evil kitten
      • Possible solutions
        • CardSpace
      • We can defeat phishing with competition
      • Problem can be solved at the edges
    • What happens if the OID server crashes?
      • One for the applications
        • Cascade through multiple OpenIDs with their account
    • Privacy
      • I don't want my boss to know that I'm a furry
        • Use multiple OpenIDs
          • Pro ID
          • Furry ID
          • Gaming etc ID
    • OpenID is hard to explain
      • Ready for early adopters
      • Need to develop this to be able to explain it
  • (Mentions Tom Coates twice!)
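Three of the items above describe concrete mechanics: the "Identity is a URI" flow (the relying party sends the browser off to the user's provider), the "I run my own id server (shows link tag)" delegation trick, and the "Social whitelisting" idea of publishing the OpenIDs you trust. The Python below is an added example, not code from the talk or from this post: it normalises a typed identifier the way an OpenID 1.1 relying party does, reads the openid.server / openid.delegate link tags out of the identity page, builds the checkid_setup redirect, and matches identifiers against a whitelist only after normalisation (so "Alice.Example" and "http://alice.example/" count as the same person). The HTML page, hostnames and whitelist are constructed sample data; no network access is involved.

```python
"""Added example: OpenID 1.1-style discovery, redirect construction and a
normalised social whitelist. Sample HTML and hostnames are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed identity page: head declares a provider and delegates the
# identity to a URL the provider actually manages. The link tag in <body>
# is there to show that only <head> tags are honoured.
SAMPLE_PAGE = """<html><head>
<title>Constructed sample homepage</title>
<link rel="openid.server" href="https://openid-provider.example/server">
<link rel="openid.delegate" href="https://alice.example/">
</head><body>
<link rel="openid.server" href="https://bogus.example/ignored">
</body></html>"""

# Constructed "people I trust to comment" list, typed inconsistently on purpose.
TRUSTED_COMMENTERS = ["alice.example", "http://Bob.Example/", "https://carol.example/blog"]


def normalize_identifier(raw: str) -> str:
    """Normalise a user-typed identifier: trim, add http:// when no scheme is
    given, lowercase scheme and host, drop any fragment, and give a bare host
    a trailing slash. Comparing un-normalised strings makes whitelists brittle."""
    s = raw.strip()
    if not re.match(r"^[a-zA-Z][a-zA-Z0-9+.-]*://", s):
        s = "http://" + s
    parts = urlsplit(s)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


class _HeadLinkParser(HTMLParser):
    """Collect rel -> href for <link> tags that appear before <body>."""

    def __init__(self):
        super().__init__()
        self.links = {}
        self._in_body = False

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self._in_body = True
        if tag == "link" and not self._in_body:
            a = dict(attrs)
            href = a.get("href")
            for rel in (a.get("rel") or "").lower().split():
                if href and rel not in self.links:
                    self.links[rel] = href


def discover(html: str) -> dict:
    """Return the provider endpoint and optional delegate declared by an
    identity page. A page without openid.server cannot be used for login."""
    p = _HeadLinkParser()
    p.feed(html)
    server = p.links.get("openid.server")
    if server is None:
        raise ValueError("no openid.server link tag in <head>")
    return {"server": server, "delegate": p.links.get("openid.delegate")}


def checkid_setup_url(identifier: str, html: str, return_to: str, trust_root: str) -> str:
    """Build the redirect that sends the browser to the discovered provider.
    With delegation the identity asked about is the delegate URL, not the
    URL the user typed; the relying party must remember that pairing and
    later accept an assertion only for the identity it asked about."""
    claimed = normalize_identifier(identifier)
    info = discover(html)
    params = {
        "openid.mode": "checkid_setup",
        "openid.identity": info["delegate"] or claimed,
        "openid.return_to": return_to,
        "openid.trust_root": trust_root,
    }
    sep = "&" if "?" in info["server"] else "?"
    return info["server"] + sep + urlencode(params)


def is_whitelisted(identifier: str, whitelist) -> bool:
    """Social whitelist check on normalised identifiers."""
    target = normalize_identifier(identifier)
    return any(normalize_identifier(w) == target for w in whitelist)


if __name__ == "__main__":
    print(normalize_identifier("  Alice.Example "))
    print(discover(SAMPLE_PAGE))
    print(checkid_setup_url("alice.example", SAMPLE_PAGE,
                            "https://blog.example/openid/return", "https://blog.example/"))
    print(is_whitelisted("ALICE.example", TRUSTED_COMMENTERS))
```

The whitelist comparison is deliberately done on the claimed (typed) identifier rather than on the delegate, since the delegate is a provider-side detail that the person publishing a whitelist never sees.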