Emerging From Web 2.0 (Web 2.0 Expo Berlin 2007)

TRANSCRIPT

  • Emerging From Web 2.0 (Web 2.0 Expo Berlin 2007)

  • "taking the world by storm"

    Tim O'Reilly

    "It's definitely time to declare OpenID a winner"

    TechCrunch

    "this high profile announcement marks the importance of single sign on identity technology to the future of the Internet"

    ReadWriteWeb

    "OpenID is a protocol made for the public, by the public. No one owns or controls your login information: You do."

    37signals

    "...sees great potential for OpenID's use alongside enterprise-ready software infrastructure"

    Sun Microsystems

  • What is OpenID?

    • Single sign-on for the web

    • Simple and light-weight (not going to replace your bank card PIN)

    • Easy to use and deploy

    • Built upon proven existing technologies (DNS, HTTP, SSL/TLS, Diffie-Hellman)

    • Decentralized (you don't have to ask anyone's permission to implement it)

    • Free!

  • An OpenID is a URI

    • URLs are globally unique and ubiquitous

    • OpenID allows proving ownership of a URI

    • People already have identity at URLs via blogs, photos, MySpace, Facebook, etc

    • People already describe relationships via URLs (e.g. links to my friends)

  • OpenID is Decentralized

  • Benefits

    • Reduces the number of usernames and passwords

    • Simplifies new account creation

    • Allows for lightweight accounts

    • Simplifies internal SSO

    • Enables widespread benefit of strong authentication

    • Enables decentralized reputation

    • Enables social network portability

  • DEMO: How Does it Work?

  • As a Conversation

    "Who are you?"

    "I'm davidrecordon.com"

    "Prove it!"

  • Discovers My Provider

    "openid.server" points to my OpenID Provider

  • (crypto happens)
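The two relying-party steps behind the "Discovers My Provider" and "(crypto happens)" slides, written out in OpenID 1.1 terms as an added example (this is not code from the talk or from any OpenID library). Step 1 reads the `openid.server` (and optional `openid.delegate`) link tags from the user's identity page; step 2 verifies the HMAC-SHA1 signature on the provider's response under the association MAC key. The identity page, the MAC key and the response are constructed sample data, and `provider.example` / `rp.example` are placeholder hosts. The Diffie-Hellman association that produces the MAC key is assumed to have happened earlier and is not shown.

```python
# Added example, not from the talk: the relying-party side of OpenID 1.1
# discovery and response-signature verification. All inputs below (identity
# page HTML, MAC key, response fields) are constructed sample data.
import base64
import hashlib
import hmac
from html.parser import HTMLParser


class _OpenIDLinkParser(HTMLParser):
    """Collects <link rel="openid.*" href="..."> tags from an identity page."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        a = dict(attrs)
        rel = (a.get("rel") or "").strip().lower()
        href = a.get("href")
        if rel.startswith("openid.") and href:
            self.links[rel] = href


def discover(identity_page_html):
    """Step 1: find the provider endpoint (and optional delegate) in the user's page.

    Returns (openid.server URL, openid.delegate URL or None).
    """
    parser = _OpenIDLinkParser()
    parser.feed(identity_page_html)
    server = parser.links.get("openid.server")
    if server is None:
        raise ValueError("no openid.server link: not an OpenID identifier page")
    return server, parser.links.get("openid.delegate")


def _kv_token(fields):
    # OpenID 1.1 key-value form: "key:value\n" for each field named in
    # openid.signed, in the order listed there, without the "openid." prefix.
    return "".join(f"{k}:{fields[k]}\n" for k in fields["signed"].split(",")).encode()


def sign_response(fields, mac_key):
    """What the provider does: HMAC-SHA1 over the signed fields, base64 encoded."""
    sig = hmac.new(mac_key, _kv_token(fields), hashlib.sha1).digest()
    return dict(fields, sig=base64.b64encode(sig).decode())


def verify_response(fields, mac_key):
    """Step 2: the RP recomputes the signature under the association's MAC key.

    The MAC key comes from the earlier Diffie-Hellman association (not shown).
    Without this check anyone could hand the RP an id_res message naming any
    identity they like.
    """
    expected = base64.b64encode(
        hmac.new(mac_key, _kv_token(fields), hashlib.sha1).digest()
    ).decode()
    # compare_digest avoids leaking timing information about the signature
    return hmac.compare_digest(expected, fields.get("sig", ""))


# ---- constructed sample data ----
SAMPLE_IDENTITY_PAGE = """<html><head>
<title>David's homepage</title>
<link rel="openid.server" href="https://provider.example/server">
<link rel="openid.delegate" href="https://provider.example/users/david">
</head><body>hello</body></html>"""

SAMPLE_MAC_KEY = hashlib.sha1(b"constructed association secret").digest()  # 20 bytes

SAMPLE_RESPONSE = sign_response(
    {
        "mode": "id_res",
        "identity": "https://provider.example/users/david",
        "return_to": "https://rp.example/finish",
        "signed": "mode,identity,return_to",
    },
    SAMPLE_MAC_KEY,
)


def forged_response():
    """A response whose identity was swapped after signing; must fail verification."""
    return dict(SAMPLE_RESPONSE, identity="https://provider.example/users/mallory")


if __name__ == "__main__":
    print(discover(SAMPLE_IDENTITY_PAGE))
    print("genuine verifies:", verify_response(SAMPLE_RESPONSE, SAMPLE_MAC_KEY))
    print("forged verifies:", verify_response(forged_response(), SAMPLE_MAC_KEY))
```

The point of `verify_response` is the "think as you implement" advice later in the talk: an RP that skips the signature check, or checks it with a plain string comparison, accepts whatever identity the browser delivers.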

  • Getting an OpenID

    http://openid.net/get/

  • OpenID is Really Easy

  • "This is a geek's toy,

    nobody will ever have an OpenID!"

  • ~160 million OpenIDs (including every AOL user)

    OpenID 1.1 - Estimated from various services

  • "Nobody will ever use this!"

  • Total Relying Parties (aka places you can login with OpenID)

    [Chart: relying parties per month, Sep '05 to Sep '07, y-axis 0 to 6,000; OpenID 1.1 - as viewed by MyOpenID.com]

  • "So that's great there are so many blogs, but what about something

    real?"

  • "What about security?"

  • “Protocol Security?”

  • like any protocol... think as you implement

  • the best solutions may be around the browser

  • MyVidoop Plugin (a password manager tied into your OpenID account; add-on for Firefox)

  • Sxipper (a form filler and password manager with OpenID integration; add-on for Firefox)

  • Symantec Identity Client (OpenID form-fill, upcoming provider, and claims integration)

  • VeriSign's OpenID SeatBelt (an OpenID convenience and security add-on for Firefox); works with http://pip.verisignlabs.com

  • IE Team has posted a job ad mentioning "OpenID": "Does the idea of redefining the role of the Internet browser appeal to you? Do the terms HTTP, RSS, Microformats, and OpenID, excite you? If so, then this just might be the opportunity for you."

  • OpenID is great for innovation

  • “So, what about OpenID 2.0?”

  • OpenID 2.0

    • Cleans up the 1.1 specification

    • Adds a few useful features

    • Robust extensibility

    • Enhanced service discovery

    • "Directed identity"

    • XRI

    • About six independent library implementations of final draft

  • “Any OpenID in the enterprise?”

    • Internal SSO for bug trackers and wikis

    • Offer all employees OpenIDs; open source

    • Enterprise SSO and identity manager with LDAP and OpenID

    • OpenID Provider with plans to ship in enterprise products this year

    • Shared OpenID Provider for their businesses and partners

    • Project management, CRM, and billing for small businesses

  • Open.ID.ee

  • I come from E-stonia

    • A small EU country with ~1.3M inhabitants

    • Access to internet considered a "civil right"

    • Had first parliament elections over the internet in 2005

    • 80%+ of the population have a digital ID-card

  • ID-card

  • ID-card is a...

    • Photo ID like any other

    • We are interested in Electronic ID:

    • The chip contains your name, age, gender and social security number

    • Two PIN codes: one for authentication and one for signing documents

  • Authentication

    • Is about proving who you are.

    • Available to any service that wants to use it

    • Online banking

    • Filing your taxes

    • Various other services

  • "How does this happen?"

  • Entering your PIN code is your consent to send personal data to the service

  • Yes/No decision

  • "So what is the problem?"

  • Users do not always want this. Users want control of their personal data.

  • What is Identity?

    • Wikipedia: "the sameness of two things"

    • "Things" are users

    • Users are website visitors

    • “Who are you?”

  • Are you the same you that signed up with us?

  • ID-card contains government verified identity

  • Same Can be Different

    • Bank: Martin Paljak, the account owner

    • Forum: user who registered as "catluvr99"

    • Blog: author of the comment

    • http://open.id.ee/martin.paljak is Martin Paljak

  • Is the OpenID you present the same as we have in our database?

  • Websites really need to match identifiers, not collect your personal data.

  • Solution: OpenID

    • id.ee => open.id.ee

    • OpenID service that uses ID-cards for authentication

    • Gives users more control over their private data

    • Is NOT a government enforced/controlled service

  • Simplicity

    • One privacy policy to check

    • One trust decision to make

    • One purpose for the OpenID service

    • Encapsulate and protect users' private data

  • No need to sign up, it JustWorks

  • ... if you have the needed hardware and software ...

  • "So if everybody implements OpenID, are we all happy?"

  • "What about website developers?"

  • ID-card Sucks!

    • Implementing support is difficult

    • Technically challenging (SSL certificates and such)

    • Users don't like ID-cards anyway as they are often afraid of privacy issues

    • Most sites don't need such high security

    • So... why bother?

  • I Forgot!

    • Mobile-ID: same stuff inside your GSM SIM card

    • Same technology inside ...

    • ... but totally different to implement ...

    • ... AGAIN!!!

  • What is Mobile-ID?

    • Smaller ID-card

    • No hardware needed - your phone is your card reader

    • No need to install software to use it online - websites have it

  • beep-beep!

  • If you're going to write new code, why not OpenID code?

  • Benefits of OpenID

    • Only one interface to implement

    • And lots of expertise available globally

    • If website uses open.id.ee service exclusively, it has instant access to both ID-cards and Mobile-ID authentication

    • ... with privacy features included @ no cost

  • So ...

    • Users get more control over their private data and OpenID provides it

    • Websites have a simple and easy way to integrate newest authentication technologies with OpenID

  • Finally a win-win solution?

  • Almost there ...

  • Anonymity

    • Users want anonymity

    • At least partial

    • Remaining anonymous is a privilege

    • Spam, death threats etc must be punishable

  • The story

    • Riots in Tallinn that led to cyber-attacks

    • Petition letter to force a politician to resign collected almost 100k names and e-mails

    • Including "George Bush", "Rex the dog" and "!@#$ you"

    • Result: nothing.

  • OpenID 2.0

    • New feature: identity selection

    • You get to choose the OpenID sent to the website

    • Choose between open.id.ee/martin.paljak ...

    • ... or http://open.id.ee/5a0eaba4bb1fb68a39ddec57c15dbff1543d6f461b2203f74

  • Anonymous OpenID

    • No (zero) personal data in the URL

    • One anonymous URL per user per website

    • The "account" problem mitigated

    • Still a guarantee that the user behind the OpenID is a real person

  • Extra Features

    • Identity theft virtually impossible

    • re-claiming is painless

    • Some registration data is always true

    • If user chooses to send it

    • "Why do they need it?"
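A worked version of the "Anonymous OpenID" and "Extra Features" slides above, together with the earlier point that websites need to match identifiers rather than collect personal data. This is an added example and not code from open.id.ee: the talk does not say how open.id.ee builds its hashed URLs, so the derivation used here (HMAC-SHA256 over the website's realm under a per-user secret, which is itself derived from the card identity under a provider master key) is an assumption chosen to illustrate the properties the slides claim. `forum.example`, `blog.example`, the master key and the card number are constructed placeholders.

```python
# Added example, not code from open.id.ee: one constructed way to get
# "one anonymous URL per user per website", stable across visits, carrying no
# personal data, plus the relying-party side that only matches identifiers.
import hashlib
import hmac

PROVIDER_BASE = "http://open.id.ee/"   # from the slides; the derivation below is not


def user_secret(provider_master_key: bytes, card_identity: str) -> bytes:
    """Per-user secret derived from the government-verified identity on the card.

    Deriving it (rather than storing a random value) is one way "re-claiming is
    painless": after re-authenticating with the same card the user gets the
    same secret and therefore the same anonymous URLs as before. (Assumption
    for illustration; not necessarily what open.id.ee does.)
    """
    return hmac.new(provider_master_key, card_identity.encode(), hashlib.sha256).digest()


def anonymous_openid(secret: bytes, realm: str) -> str:
    """Stable per-(user, website) identifier; the hex digest reveals nothing about the person."""
    return PROVIDER_BASE + hmac.new(secret, realm.encode(), hashlib.sha256).hexdigest()


def chosen_openid(secret: bytes, public_name: str, realm: str, stay_anonymous: bool) -> str:
    """OpenID 2.0 identity selection: the user picks which URL the website sees."""
    if stay_anonymous:
        return anonymous_openid(secret, realm)
    return PROVIDER_BASE + public_name


class RelyingParty:
    """A website that stores OpenID -> local account and nothing else."""

    def __init__(self, realm: str):
        self.realm = realm
        self.accounts = {}     # openid url -> local account name

    def login(self, openid_url: str) -> str:
        # "Is the OpenID you present the same as we have in our database?"
        account = self.accounts.get(openid_url)
        if account is None:
            account = f"user{len(self.accounts) + 1}"
            self.accounts[openid_url] = account
        return account


# ---- constructed sample run ----
MASTER_KEY = b"constructed provider master key"
MARTIN = user_secret(MASTER_KEY, "constructed-id-card-number")

forum = RelyingParty("http://forum.example/")
blog = RelyingParty("http://blog.example/")


def demo():
    """Returns the identifiers and accounts the two sites end up with."""
    at_forum = chosen_openid(MARTIN, "martin.paljak", forum.realm, stay_anonymous=True)
    at_blog = chosen_openid(MARTIN, "martin.paljak", blog.realm, stay_anonymous=True)
    public = chosen_openid(MARTIN, "martin.paljak", blog.realm, stay_anonymous=False)
    first = forum.login(at_forum)
    second = forum.login(at_forum)   # same URL on the next visit -> same account
    return {"forum_url": at_forum, "blog_url": at_blog, "public_url": public,
            "forum_account_first": first, "forum_account_second": second}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the identifier is bound to the realm, the forum and the blog cannot correlate their two URLs to the same person, while each site on its own still recognises a returning user, which is the "account problem mitigated" claim on the slide.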

  • Why do I Care?

    • I'm a user too!

    • We export the ID technology of Estonia

    • Online privacy issues are being discussed

    • Verified anonymity contributes to e-democracy

  • Why you should care!

    • Implement OpenID - get access to our technology

    • Other EU countries deploying ID-cards

    • Similar problems

    • Similar solutions

    • OpenID is designed for interoperability

    • ID-cards are, in theory

  • http://openid.net/

    https://open.id.ee/about/english

    Thanks! Questions?

    David [email protected]

    Martin Paljak [email protected]

    http://openid.net http://sun.com/identity/ http://ideelabor.ee