OpenID and Beyond – Saviour of the Universe

Oct
28
2007

PodCamp Perth 2007

These are the base notes and transcript of my Podcamp Perth presentation on Saturday 27 October 2008. There was a videoed as well, how well this comes out given the poor lighting in the room and the fact that I tend to walk around the room and chat with the audience remains to be seen. Please note that the presentation slides will not make much sense without these notes, then again the transcript is not a really good information source in a pure text format, plus I have a habit of diverting from the defined script all the time. When I have the audio I will slidecast the presentation.

The Problem

We all have this problem, we have way too many passwords, Take the average person. Dave, He’s like us, he has a nice car, good friends, hes a professional, and well too many passwords, way to many. To the fact he has a little black book, the little black book id his dirty little secret. Its full of passwords and usernames for all the systems at work and all the social sites and professional associations and forums he is a member of. There are hundreds of these passwords . This is a little unprofessional of Dave. But, although he does stress about this, what can Dave do. He can’t remember them all, and he has been told that having one of two passwords is a bad idea as well.

The situation that does worry Dave is if someone got hold of his little black book. And if that someone was someone like Hank. Hank is a “nice” guy, Hank collects passwords for a living, Hank collects “people” or their identities for a living. He collects them for his good friends. Friends that well work on the darker site of town and are open to interesting employment methods if they don’t get what they want, like finger removal.

If Hank where to get Dave’s Little Black book things would not be that good.

So how does Dave get around having all this passwords.

The Solution

Back in 2006 by Brad Fitzpatrick of LiveJournal put together the basis of an idea that would allow the identification of you as you or Dave as Dave via one password. All that is required is an identifier and a password, one only ofr many systems or web sites. Yes the corpate dream of a single login is possible. One Password to rule them all! This became know as OpenID.

Brad’s efforts where enhanced by the offering by various money incentives by vendors and work from the open source community resulting in the first draft implementation of OpenID. Now near the end of 2007, we have OpenID Provider Authentication Policy Extension 1.0 – Draft 2.

What is OpenID?

For Dave OpenID means he doesn’t have to remember lots of passwords. But technically for us geeks:

OpenID is an open, decentralized, free framework for user-centric digital identity. OpenID takes advantage of already existing internet technology (URI, HTTP, SSL, Diffie-Hellman) and realizes that people are already creating identities for themselves whether it be at their blog, photostream, profile page, etc. With OpenID you can easily transform one of these existing URIs into an account which can be used at sites which support OpenID logins.

Who is Using OpenID

In 2007 well over 4500 sites using OpenID and its increases every hour. There are well over 120 Million OpenID accounts. Thats a lot of people. Most of these people are not even aware they have an OpenID account. OpenID is not something that is going away, it has the backing of AOL, Microsoft, Sun, Novell and other heavy weights in the web industry.

But it’s early days yet, OpenID is young, really young, its only in the adoption phase. But for people like you and me, well that is the time to consider OpenID, and maybe it’s time for Dave too.

OpenID is unrestricted. This means that anyone can have an OpenID or can set themselves up as an OpenID provider. Even Hank and his nice friends. There is no central control organisation. Remember no one owns OpenID. However we do have the OpenID Foundation acting as a steward for the community.

Now OpenID is very much centered at present on a Web implementation. But consider this, with the support of Mozilla foundation integrating OpenID into FireFox (3) and Microsoft is implementing OpenID 2 into Windows Vista (and backwards into Windows XP via .Net 3). OpenID isn’t something we are ngoing to see disappear overnight. In fact it’s doing to start to become seamless, part of the corporate authorisation tool set.

This is all good but what really are the good and bad points of OpenID.

  • A way for you to prove that you are you however it can’t guarantee that you aren’t a bot or just somebody else.
  • Allows you to login without making new Accounts, however it does beep track of what you do on the sites you visit.
  • It is secure, you only entrust your password to one site, not many. However you should not let your guard down, all those old tricks and security measure on the web still apply.
  • It is all about helping you bring your online identities together, however you choose when and with who you use it and the degree of trust.
  • It is spreading fast, however it still in the early adopter space, Many of the interfaces are still being tweaked and improved on a day to day basis. But with the integration into browsers this will all be pushed aside and mass market adoption is expected.

The bottom line is that Dave has to ensure that he can trust the web site that he signs up on for an OpenID.

But what really happens

Besides this easy sign up process and despite sites like wikispaces hiding the OpenID signup (hint try the signup link, yeah I know not good design at all). So what is really happening behind the computer screen. But we need to get some terminilogy right first off.

  • Consumer – A site that uses OPenID to sign you up or login is called a consumer, they consume an OpenID or use it.
  • Provider – A site that gives you or looks after you OpenID is a provider. They provide the OpenID.

All Dave has to do is provide his unique URL, and the web site he is signing up to, will then send him to this URL and ask him to login, It’s at that point that the following conversation is heard if you listen really carefully to the the LoLCats.

Consumer: “Hi we have the guy that says you are the place to sign him up”.

Provider: “Make it quick you look a little shady, lets say I we just exchange a little secret password between us so I know you are you”

The Consumer: “err Okay, then”

Provider: “Okay I suppose I trust you, a little, you can come over and hang over here, Dave’s site is… ”

Provider: “Hey Dave, there is this site that says you want to signup, can you just login and prove to me that you are you.”

And so Dave logs in.

Provider:- “Okay Dave you are the real Dave, I have been asked to tell this other site that you are the real deal. So tell me what persona do you want to tell them and do you trust them”

Dave selects the details.

Provider: “So you trust them. Okay, I’ll send them the details”

Consumer: “Hang on now you have been a while…how do I know that those details are really from the true Dave.”

Provider: “I knew you where a bit shady…Remember that little secret we both made – well it is ……. “

Hence what has occurred is a transaction between a consumer site and a Provider to authenticate Dave as Dave. But its move than that, Dave can tell the Provider to use a designated profile that may for example have limited information in it.

Dave can also determine the level of trust, does he want to be prompted every time for a password he logins in. Or does he want to trust the consumer site with an auto login for the next week, month, six months or forever, depending on the Provider. Now Dave can change this at any time so he need not worry if he changes his mind.

One thing OpenID does not provide is 2 Factor Authentication or just Strong (1) factor Authentication. This must be provided by the user. However with the use of secure transactions (via a SSL, it is possible to use OpenID for banking and e-commerce.

The down side of all this is having this single ONE password. This ONE password is what Hank really wants. As I said before you have to ensure this password is very secure and hard to determine.

How do I sign up for OpenID

There are a number of independent providers that Dave can use, but it basically comes down to does Dave trust the provider.

Details of these and many more can be found at the OpenID wiki site.

With OpenID Dave can setup a series of personas (as discussed before) within his OpenID account, He can have one for Business, one for Recreational activities, one for one site, one for a another, as many as he likes, he can release as much or as little information to enquiring sites. He can also use OpenID as a centralised resource for his picture or icon if he wishes.

Signing up is just like signing up to any Social Network Site, the details are usually very similar.

But the one thing that Dave has to be careful about is ensuring that his Username is unique and his password is relatively secure.

But this gets better, Dave discovers thats his old Livejournal blog (dusted and forgotten) is also automatically acting as an OpenID as well.

These are liek Automatic OpenID providers:

  • AOL – openid.aol.com/screenname
  • LiveDoor – profile.livedoor.com/username
  • LiveJournal – username.livejournal.com
  • Orange (france) – openid.orange.fr/
  • SmugMug – username.smugmug.com
  • Technorati – technorati.com/people/technorati/username
  • Vox – member.vox.com
  • WordPress.com – username.wordpress.com

What About Hank and his mates

Still in the back of Daves mind is a concern about Hank and his “nice” friends in the Mob.

Yes Phishing can be a problem as a malicious fake provider can be setup to lure people like Dave into entering their Authentication information as they pose was the real provider. Just like with any transaction Dave has to make sure that he is on the right site URL. However moves are in progress to counter this as well.

Cross-Site Request Forgery is the main concern here Checking the referrers head would be useful, but not that reliable. A hidden form element with some part of the exchanged secret would also help, most reputable providers are doing this.

Creating your own Personalised OpenID site

What if Dave wants to make his person site the URL for the OpenID, can he do that. Yes very easy. It’s just a matter of dropping a little bit of code it the HEAD tag section of the home page HTML, And then confirming the new URL with his provider

<head>
<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid.delegate" href="http://youraccount.myopenid.com/" />
<meta http-equiv="X-XRDS-Location"
content="http://www.myopenid.com/xrds?
username=youraccount.myopenid.com" />
</head>

The details of the servers in use will change depending on the provider. But its all the same in principle, but I would check with the provider. Its just a little bit of customisation that redirects the details as required. Making it even easier to remember the OpenID URL to login.

But Dave wants his own OpenID Provider.

Okay this, get a little more complex, but there is help at hand. Most of the major open source languages have implementations of OpenID via various libraries. There are often Provider and Consumer base modules available in:

  • C#
  • C++
  • Java
  • Perl
  • Python
  • PHP
  • Ruby
  • ColdFusion

Remember when setting up a Provider its all about Trust, and the value of that trust. You can’t afford within the world of OpenID for one minute to muddy the trust the users have placed in your service. It must always be there for them and be 100% secure.

The Future

Okay there are a number of proposals circling around and related to OpenID, such as OAuth, Yadis and iNames.

OAuth

You know he deal, you want to reconnect to al your friends on the new social networking site. So they ask you for you gmail account or flickr account or whatever account username and password. You know you can trust them, right. WRONG. why should they have access to your private information. Would it be easier for them to ask permission and the site concerned (eg Google) autheticate this and then provide only the information you have authorised. Wouldn’t it be good if there was just a standard open protocol secure API for this. Pipe dream? well no. It’s the new kid on the block (since November 2006), but this is OAuth. OAuth Core 1.0 final draft was release this month. If you are developing for the interactive web or desktop with trusted data transfer, have a look at OAuth and support it.

Yadis

This is a little like OpenID, and draft 2 of OpenID has some of its functions, but Yadis goes a little more towards the users URL containing the right and requirement for sharing of the determined information. Will this ever see commercial acceptance. As Yadis maybe not, as a rolled in component of OpenID, more likely.

iNames

As the use of a URL for a single person identifier becomes very important, it’s a little hard for everyone to have a URL, especially in the corporate world. So inames are basically web like identifier made so that they are easy for people to remember and use. An example of a personal i-name maybe =Bob.Smith or for a company =My.Company. Hence you combine the iName with a URI to get the unique identifier, eg BigCompany.com.au/=Joe.Smith. There is some debate over the use of this concept. Mind you it is a good idea. Implementation is another thing.

References

http://en.wikipedia.org/wiki/OpenID

http://wiki.openid.net/

http://openid.net/

http://blog.openiddirectory.com/

http://www.myopenid.com/

http://oauth.net/

Technorati Tags: , , , , , , ,

1 comment

  1. @Gary, you have a real knack for explaining OpenID. Awesome job! You should consider helping Carsten Potter and Thomas Huhn over at SpreadOpenID.org by submitting some consumer and RP focused content. Here’s to hoping OpenID really takes off in 2008. Keep up the campaign…

    ~Doug Halve

Comments are now closed, move along, nothing to see here.