Published on November 12, 2007
Emerging From Web 2.0 Web 2.0 Expo Berlin 2007
quot;Its deﬁnitely time to declare quot;OpenID is a protocol made OpenID a winnerquot; for the public, by the public. TechCrunch No one owns or controls your login information:You do.quot; 37signals quot;...sees great potential for OpenID's use alongside enterprise-ready software infrastructurequot; Sun Microsystems quot;taking the world by stormquot; quot;this high proﬁle announcement marks Tim O'Reilly the importance of single sign on identity technology to the future of the Internetquot; ReadWriteWeb
What is OpenID? • Single sign-on for the web • Simple and light-weight (not going to replace your bank card pin) • Easy to use and deploy • Built upon proven existing technologies (DNS, HTTP, SSL/TLS, Difﬁe-Hellman) • Decentralized (you don't have to ask anyone permission to implement it) • Free!
An OpenID is a URI • URLs are globally unique and ubiquitous • OpenID allows proving ownership of an URI • People already have identity at URLs via blogs, photos, MySpace, FaceBook, etc • People already describe relationships via URLs (e.g. links to my friends)
OpenID is Decentralized
Beneﬁts • Reduces the number of usernames and passwords • Simpliﬁes new account creation • Allows for lightweight accounts • Simpliﬁes internal SSO • Enables wide-spread beneﬁt of strong authentication • Enables decentralized reputation • Enables social network portability
O M E How Does it Work? D
As a Conversation Who are you? I’m davidrecordon.com Prove it!
Discovers My Provider quot;openid.serverquot; points to my OpenID Provider
Getting an OpenID http://openid.net/get/
OpenID is Really Easy
quot;This is a geek's toy, nobody will ever have an OpenID!quot;
~160 million OpenIDs (including every AOL user) OpenID 1.1 - Estimated from various services
quot;Nobody will ever use this!quot;
Total Relying Parties (aka places you can login with OpenID) 6,000 4,500 3,000 1,500 0 ov b ay ly '06 ar ne ov ay ly '05 ct ec r g ne p ec '07 b ct ar r st 22 Ap Ap Au Fe Se Fe Ju Ju gu O O M M M M D D Ju Ju N N p p Jan Jan Au Se Se OpenID 1.1 - As viewed by MyOpenID.com
quot;So that's great there are so many blogs, but what about something real?quot;
quot;What about security?quot;
like any protocol...think as you implement
the best solutions may around the browser
MyVidoop Plugin (a password manager tied into your OpenID account add-on for Firefox)
Sxipper (a form ﬁller password manager with OpenID integration add-on for Firefox)
Symantec Identity Client (OpenID form-ﬁll, upcoming provider, and claims integration)
VeriSign's OpenID SeatBelt (an OpenID convenience and security add-on for Firefox) works with
IE Team has posted a job ad mentioning quot;OpenIDquot; quot;Does the idea of redeﬁning the role of the Internet browser appeal to you? Do the terms HTTP, RSS, Microformats, and OpenID, excite you? If so, then this just might be the opportunity for you.quot;
OpenID is great for innovation
“So, what about OpenID 2.0?”
OpenID 2.0 • Cleans up the 1.1 speciﬁcation • Adds a few useful features • Robust extensibility • Enhanced service discovery • quot;Directed identityquot; • XRI • About six independent library implementations of ﬁnal draft
“Any OpenID in the enterprise?”
Offer all employees OpenIDs; open source Enterprise SSO and identity manager with LDAP and OpenID Internal SSO for bug trackers and wikis OpenID Provider with plans to ship in enterprise products this year Shared OpenID Provider for their businesses and partners Project management, CRM, and billing for small businesses
I come from E-stonia • A small EU country with ~1.3M inhabitants • Access to internet considered a “civil right” • Had ﬁrst parliament elections over the internet in 2005 • 80%+ of the population have a digital ID- card
ID-card is a... • Photo ID like any other • We are interested in Electronic ID: • The chip contains your name, age, gender and social security number • Two PIN codes: one for authentication and one for signing documents
Authentication • Is about proving who you are. • Available to any service that wants to use it • Online banking • Filing your taxes • Various other services
quot;How does this happen?quot;
Entering your PIN code is your consent to send personal data to the service
quot;So what is the problem?quot;
Users do not always want this. Users want control of their personal data.
What is Identity? • Wikipedia: “the sameness of two things” • “Things” are users • Users are website visitors • “Who are you?”
Are you the same you that signed up with us?
ID-card contains government veriﬁed identity
Same Can be Different • Bank: Martin Paljak, the account owner • Forum: user who registered as “catluvr99” • Blog: author of the comment • http://open.id.ee/martin.paljak is Martin Paljak
Is the OpenID you present the same as we have in our database?
Websites really need to match identiﬁers, not collect your personal data.
Solution: OpenID • id.ee => open.id.ee • OpenID service that uses ID-cards for authentication • Gives users more control over their private data • Is NOT a government enforced/controlled service
No need to sign up, it JustWorks
... if you have the needed hardware and software ...
quot;So if everybody implements OpenID, are we all happy?quot;
quot;What about website developers?quot;
ID-card Sucks! • Implementing support is difﬁcult • Technically challenging (SSL certiﬁcates and such) • Users don’t like ID-cards anyway as they are often afraid of privacy issues • Most sites don’t need so high security • So... why bother?
I Forgot! • Mobile-ID: same stuff inside your GSM SIM card • Same technology inside ... • ... but totally different to implement ... • ... AGAIN!!!
What is Mobile-ID? • Smaller ID-card • No hardware needed - your phone is your card reader • No need to install software to use it online - websites have it
If you’re going to write new code, why not OpenID code?
Beneﬁts of OpenID • Only one interface to implement • And lots of expertise available globally • If website uses open.id.ee service exclusively, it has instant access to both ID-cards and Mobile-ID authentication • ... with privacy features included @ no cost
So ... • Users get more control over their private data and OpenID provides it • Websites have a simple and easy way to integrate newest authentication technologies with OpenID
Finally a win-win solution?
Almost there ...
Anonymity • Users want anonymity • At least partial • Remaining anonymous is a privilege • Spam, death threats etc must be punishable
The story • Riots in Tallinn that leaded to cyber-attacks • Petition letter to force a politician resign collected almost 100k names and e-mails • Including “George Bush”, “Rex the dog” and “!@#$ you” • Result: nothing.
OpenID 2.0 • New feature: identity selection • You get to choose the OpenID sent to the website • Choose between open.id.ee/martin.paljak ...
Anonymous OpenID • No (zero) personal data in the URL • One anonymous URL per user per website • The “account” problem mitigated • Still a guarantee that the user behind the OpenID is a real person
Extra Features • Identity theft virtually impossible • re-claiming is painless • Some registration data is always true • If user chooses to send it • “Why do they need it?”
Why do I Care? • I’m a user too! • We export the ID technology of Estonia • Online privacy issues are being discussed • Veriﬁed anonymity contributes to e-democracy
Why you should care! • Implement OpenID - get access to our technology • Other EU countries deploying ID-cards • Similar problems • Similar solutions • OpenID is designed for interoperability • ID-cards are in theory
Thanks! Questions? http://openid.net/ https://open.id.ee/about/english David Recordon Martin Paljak davidrecordon.com http://ideelabor.ee firstname.lastname@example.org email@example.com
News & coverage from Web 2.0 Expo NY > Speaker Slides & Video from Web 2.0 Expo NY > Web 2.0 Expo blog > Sign up for the bulletin to stay informed.
... and new user demands have created the "perfect storm" for a Web 2.0 ... of Web 2.0 Expo ... The Emerging Business Risks of Web 2.0 ...
Web 2.0 Expo Berlin. ... today at the Web 2.0 Expo in Berlin – Robert and I are currently at Dion Hinchcliffe’s workshop on Building Successful Web 2.0 ...
If you are planning on going to the Web 2.0 Expo in Berlin, ... Center Data Warehouse Database Emerging Technology and ... in Berlin and My Chance to Say ...
Web 2.0 Expo Berlin 3sat im Gespräch mit Tim O'Reilly Im November 2007 lud Internetpionier und Verlagsgründer Tim O'Reilly zur Web 2.0 Expo nach Berlin ...
Werden Sie Veranstaltungspartner der Berlin Web Week. Upload Event. Impressionen.
... (IBM), Thinking Outside the Inbox O'Reilly. Subscribe Subscribed Unsubscribe 117,256 117K. ... Web 2.0 Expo SF 2010: Eric Ries, ...
Gov 2.0 Expo brings stakeholders ... A Balancing Act for Government Workers on the Web; Procurement 2.0: ... and emerging professions in the Gov 2.0 ...