OpenID Overview - Seoul July 2007


Published on July 25, 2007

Author: daveman692



Overview presentation on OpenID and VeriSign's OpenID Provider given by David Recordon at AhnLab in Seoul, Korea.

Overview: David Recordon July 2007

Who am I?
- David Recordon
- VeriSign Employee since May of 2006
- OpenID Foundation Vice-Chair
- Co-Author of various OpenID specifications
- Past employee of Six Apart, where OpenID was created

Web 2.0

What is Web 2.0?
- Users in control
- Data sharing
- Social collaboration
- Lightweight business models
- Perpetual beta
- Application platform
- The Long Tail

The Long Tail

For the Economists
- The 80% tail matters
- Virtual shelf space is limitless
- "We sold more books today that didn't sell at all yesterday than we sold today of all the books that did sell yesterday."

For Everyone Else
- Mass social networks vs. niche social networks
- Allows access to information that otherwise would be "unimportant"
- Delivered content vs. discovered content
  - Found by me
  - Recommended by my friends

What is OpenID?
- Single sign-on for the web
- Simple and light-weight (not going to replace your bank card PIN)
- Easy to use and deploy
- Built upon proven existing technologies (DNS, HTTP, SSL/TLS, Diffie-Hellman)
- Decentralized (no single point of failure in the protocol)
- Free!

An OpenID is a URI
- URLs are globally unique and ubiquitous
- OpenID allows proving ownership of a URI
- People already have identity at URLs via blogs, photos, MySpace, Facebook, DAUM, etc.

Problems it Solves
- Too many usernames and passwords or the lack of different passwords
- Someone took my desired username
- My online profile is spread across the Internet without my control and I can't benefit from it when I go somewhere new
- Account management is hard to do right

How Does it Work?

My OpenID "openid.server" points to my OpenID Provider

1. Site fetches the HTML of my OpenID
2. Finds "openid.server"
3. Establishes a shared secret with the Provider
4. Redirects my browser to the Provider where I authenticate and allow the OpenID login
5. Provider redirects my browser back to the site with an OpenID response
6. Site verifies the signature and logs me in

DEMO: Using OpenID

"Hasn't this been done before?" (slide labels: Centralized; Centralized; Great for the enterprise)


History 2005 & 2006
- Created by Brad Fitzpatrick (Summer 2005)
- Yadis Discovery protocol (Jan 2006)
- VeriSign launches OpenID Provider (May)
- Convergence with i-names (July)
- Convergence with Sxip (Aug.)
- $50,000 USD Developer Bounty (Aug.)
- Technorati adopts OpenID (Oct.)
- Tutorials by Simon Willison (Dec.)

History Q1 2007
- Mozilla announces intent to support OpenID in Firefox 3 (Jan.)
- Microsoft support expressed by Bill Gates and Craig Mundie at RSA Conference keynote (Feb.)
- AOL adds OpenID to every one of their ~60M accounts (Feb.)
- Symantec announces upcoming OpenID products (Feb.)
- Digg and NetVibes announce OpenID support (Feb.)
- and 37Signals adopt OpenID (March)
- USA Today publishes OpenID article on the Money section front-page (March)

History Q2 2007
- Plone 3.0 ships with OpenID support (May)
- Sun Microsystems adopts OpenID in enterprise product and provides employees with OpenID (May)
- livedoor adds OpenID support (May)
- OpenID wins Next Web Award (June)
- Leo Laporte and Steve Gibson discuss OpenID (June)
- OpenID wins CNET Webware 100 award (June)
- Atlassian (makers of enterprise wiki software) supports OpenID (June)
- Drupal 6 ships with OpenID support (June)

The OpenID Foundation

The purpose of the OpenID Foundation is to foster and promote the development and adoption of OpenID as a framework for user-centric identity on the Internet.

Founding Board
- Scott Kveton, Chair
- David Recordon, Vice-Chair
- Dick Hardt, Treasurer
- Martin Atkins, Secretary
- Johannes Ernst
- Drummond Reed
- Bill Washburn, Executive Director
- Artur Bergman

Current Efforts
- Develop an IPR policy and process for OpenID specifications to keep OpenID free and patent unencumbered
- Develop a trademark policy that supports the extended OpenID community
- Develop core messaging for OpenID and websites oriented toward developers, users, and other potential adopters
- Coordinate worldwide joint marketing and evangelism

Adoption Trends

~120 million OpenIDs (including every AOL and livedoor user) OpenID 1.1 - Estimated from various services

Total Relying Parties (aka places you can login with OpenID)
[Chart: relying-party count by month from 2005 to 2007, y-axis 0 to 4,000]
OpenID 1.1 - As viewed by

Key Benefits

Users
- Fewer usernames and passwords to remember
- Ability to strongly protect your accounts anywhere OpenID is accepted
- Globally unique, "is that the same David?"
- Ability to create a reputation that can be taken with you from site to site
- Ability to know where you've shared information

Relying Parties
- Simplified account creation
  - Users don't need to create a new password
  - Easy to ask for, or discover, profile information
- Simplified account management
  - No more forgotten passwords
- OpenID Provider specifics, such as IM an AOL OpenID user or know a Sun OpenID user is a current employee

Creating an OpenID English Korean Japanese

Done! Time to create an OpenID: ~1 minute and you may already have one

DEMO: Creating an OpenID on your own domain

Configure Delegation (source of …)

    <html xmlns="…">
    <head>
      <title>David Recordon</title>
      <style>
        div { text-align: center; color: #C0C0C0; }
        img { border: 0px; }
        a { color: #C0C0C0; }
      </style>
      <link rel="openid.server" href="…" />
      <link rel="openid.delegate" href="https://recordond.jpip.verisignlabs.com" />
    </head>

Done! Time to create an OpenID on your own domain: ~5 minutes
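Steps 1 and 2 of the login flow, applied to a delegation page like the one above, as an added example (not code from the slides or from VeriSign). The URLs are constructed placeholders, and rejecting non-HTTPS endpoints is a local policy assumed here, in line with the Protocol Security slide.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class HeadLinks(HTMLParser):
    """Collect <link rel=... href=...> values, but only from the first <head>."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.head_closed = False
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head" and not self.head_closed:
            self.in_head = True
        elif tag == "body":
            self.in_head, self.head_closed = False, True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            for rel in (a.get("rel") or "").lower().split():
                if a.get("href"):
                    self.links.setdefault(rel, a["href"])  # first value wins

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head, self.head_closed = False, True

def discover(claimed_id, html):
    """Return (provider endpoint, identity to assert at the provider)."""
    parser = HeadLinks()
    parser.feed(html)
    server = parser.links.get("openid.server")
    if server is None:
        raise ValueError("no openid.server link in <head>")
    if urlsplit(server).scheme != "https":
        raise ValueError("provider endpoint is not https")  # assumed local policy
    # Without openid.delegate the claimed URL itself is the identity.
    return server, parser.links.get("openid.delegate", claimed_id)

# Constructed sample page: the <link> in <body> stands for user-supplied
# markup (for example a blog comment) and must not influence discovery.
SAMPLE = """<html><head><title>Alice</title>
<link rel="openid.server" href="https://op.example/server" />
<link rel="openid.delegate" href="https://alice.op.example/" />
</head><body><link rel="openid.server" href="https://other.example/x"></body></html>"""

if __name__ == "__main__":
    print(discover("https://alice.example/", SAMPLE))
```

Reading links only from the document head matters on pages that also render content written by other people.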

Security and Trust

Protocol Security
- Use SSL correctly throughout the protocol
  - Protects against man-in-the-middle and eavesdropping attacks
- Generate strong MAC keys and re-negotiate as needed
  - Used to verify data integrity and authenticity of OpenID responses
- Verify NONCEs
  - Protects against replay attacks
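The checks named in step 6 of the login flow and on the Protocol Security slide, as an added example (not code from the slides): verify the HMAC over the signed fields, then reject stale or replayed nonces. It assumes an HMAC-SHA1 association and the OpenID 2.0 `openid.response_nonce` field; the key, URLs, required-field policy and five-minute skew window are constructed for illustration.

```python
import base64, hashlib, hmac, time
from calendar import timegm

# Fields this sketch insists are covered by the signature (assumed policy).
REQUIRED_SIGNED = {"identity", "return_to", "response_nonce"}

def sign(fields, signed, mac_key):
    """HMAC-SHA1 over 'name:value\\n' lines for the fields named in `signed`."""
    text = "".join(f"{name}:{fields['openid.' + name]}\n" for name in signed)
    mac = hmac.new(mac_key, text.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def verify_response(fields, mac_key, seen_nonces, now=None, max_skew=300):
    """Return True only if the response is authentic, fresh and not replayed."""
    signed = fields.get("openid.signed", "").split(",")
    if not REQUIRED_SIGNED.issubset(signed):
        return False  # an unsigned identity or nonce could be swapped in transit
    try:
        expected = sign(fields, signed, mac_key)
    except KeyError:
        return False  # a field listed as signed is missing
    if not hmac.compare_digest(expected.encode(), fields.get("openid.sig", "").encode()):
        return False
    nonce = fields["openid.response_nonce"]
    try:  # nonce starts with a UTC timestamp, then provider-chosen characters
        issued = timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
    except ValueError:
        return False
    now = time.time() if now is None else now
    if abs(now - issued) > max_skew or nonce in seen_nonces:
        return False
    seen_nonces.add(nonce)  # remember it so a captured redirect cannot be reused
    return True

# Constructed sample response and key.
MAC_KEY = b"constructed-demo-key"
RESPONSE = {
    "openid.mode": "id_res",
    "openid.identity": "https://alice.op.example/",
    "openid.return_to": "https://rp.example/return",
    "openid.response_nonce": "2007-07-25T09:00:00Zq7Xk",
    "openid.signed": "identity,return_to,response_nonce",
}
RESPONSE["openid.sig"] = sign(RESPONSE, RESPONSE["openid.signed"].split(","), MAC_KEY)
NOW = timegm(time.strptime("2007-07-25T09:01:00Z", "%Y-%m-%dT%H:%M:%SZ"))
```

In a real deployment the nonce store has to be shared by every server that can receive the return redirect and keyed per provider endpoint.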

Trust
- "Trust first requires identity" - Brad Fitzpatrick
- OpenID does not tell you if a user is good, bad, or even human
- Challenge them via a CAPTCHA or email verification
- Use whitelists and blacklists
- Ask someone else whom you trust

Scaling Up OpenID
- OpenID Provider Authentication Policy Extension, draft published June 2006
- Relying Parties can ask for authentication policies such as "phishing resistant" or "multi-factor"
- Providers can respond with policies the user complied with, time since they authenticated, and strength of the credential(s) used per NIST guidelines

VeriSign's OpenID Provider

Substantial upgrade this week

Personal Identity Provider
- Free OpenID Provider run by VeriSign
- Support for OpenID 1.1 & 2.0
- Strong security features
  - One-time password tokens
  - Microsoft CardSpace
  - Out-of-band authentication via SMS
- Manage multiple OpenID URLs
- Easily manage your profile information

Protect Your Account

- Consumer strong authentication and fraud detection network
- Deployed for the likes of PayPal, eBay, and Charles Schwab
- Get one token and use it anywhere in the network

VIP Protected Login

Manage Multiple OpenIDs

Manage Your Profile

Use Your Profile

VeriSign's OpenID SeatBelt (an OpenID convenience and security add-on for Firefox) works with

Phishing
- An untrusted site redirects you to your trusted provider
- Not just a problem for OpenID, but also for PayPal, Google Auth and Checkout, Yahoo! BBAuth, AOL OpenAuth

Passwords Can be Phished
- Replace passwords
  - Tokens
  - SMS, Jabber, etc
  - Client Side Certificates
- Mutual authentication
  - Microsoft CardSpace or Novell Bandit
- Passwords are still widely used
  - Browsers have poor support for alternative means

SeatBelt
- Provide contextual information
  - Am I currently logged in and if so as whom?
  - Is it safe to login?
- Remove phishing opportunities
  - Login when my browser opens
  - Take me to my Provider if I'm not logged in
- Protect against common attacks
  - Validate SSL certificates when interacting with my Provider
  - Watch where the RP is sending my browser

Provide Context

Remove Opportunities


Thanks! Questions? David Recordon Innovation

Resources openid-you-should-know/ SuperUsers openids_growing.html 2007-03-15-openid_N.htm
