digital id world 2007 - understanding openid

UnderstandingDigital ID World 2007

David RecordonOpen Platforms Tech Lead

david@sixapart.com

Eve MalerTechnology Director

eve.maler@sun.com

"taking the world by storm"Tim O'Reilly

"Its definitely time to declare OpenID a winner"

TechCrunch

"this high profile announcement marks the importance of single sign on identity technology to the future of the Internet"

ReadWriteWeb

"OpenID is a protocol made for the public, by the public.

No one owns or controls your login information: You do."

37signals

"...sees great potential for OpenID's use alongside enterprise-ready software

infrastructure"Sun Microsystems

What is OpenID?

• Single sign-on for the web

• Simple and light-weight(not going to replace your bank card pin)

• Easy to use and deploy

• Built upon proven existing technologies(DNS, HTTP, SSL/TLS, Diffie-Hellman)

• Decentralized(you don't have to ask anyone permission to implement it)

• Free!

An OpenID is a URI

• URLs are globally unique and ubiquitous

• OpenID allows proving ownership of an URI

• People already have identity at URLs via blogs, photos, MySpace, FaceBook, etc

• People already describe relationships via URLs (e.g. links to my friends)

OpenID is Decentralized

Benefits• Reduces the number of usernames and

passwords

• Simplifies new account creation

• Allows for lightweight accounts

• Simplifies internal SSO

• Enables wide-spread benefit of strong authentication

• Enables decentralized reputation

• Enables social network portability

OpenID is one of Phil’s Anchors

WikiPedia.org

...but it also enables and powers

DEMOUsing OpenIDnow with claimsalways with attributes --

DEMOHow Does it Work?

Prove it!

I’m davidrecordon.com

Who are you?

As a Conversation

"openid.server" points to my OpenID Provider

Discovers My Provider

(crypto happens)

http://openid.net/wiki/index.php/OpenIDServers

ClaimID.com

MyOpenID.compip.VeriSignLabs.com

MyVidoop.com

and you may already have one

Creating an OpenID

OpenID is Really Easy

"This is a geek's toy,

nobody will ever have an OpenID!"

~120 million OpenIDs(including every AOL user)

OpenID 1.1 - Estimated from various services

"Nobody will ever use this!"

0

1,500

3,000

4,500

6,000

Sep '

05 Oct

Nov Dec

Jan '0

6Fe

bMar Apr May

June

July

Aug Sep

(aka places you can login with OpenID)

OpenID 1.1 - As viewed by MyOpenID.com

Total Relying Parties

2006

0

1,500

3,000

4,500

6,000

Sep '

05 Oct

Nov Dec

Jan '0

6Fe

bMar Apr May

June

July

Aug Sep

Oct

Nov Dec

Jan '0

7Fe

bMar Apr May

June

July

Augus

t

Sep 2

2

(aka places you can login with OpenID)

OpenID 1.1 - As viewed by MyOpenID.com

Total Relying Parties

"So that's great there are so many blogs, but what about something

real?"

"What about security?"

“Protocol Security?”

like any protocol...think as you implement

the best solutions will around the browser

Higgins & Bandit(open source identity selector plugin and desktop app with OpenID support)

MyVidoop Plugin(a password manager tied into your OpenID account add-on for Firefox)

Sxipper(a form filler password manager with OpenID integration add-on for Firefox)

Symantec Identity Client(OpenID form-fill, upcoming provider, and claims integration)

(an OpenID convenience and security add-on for Firefox)

works with

VeriSign's OpenID SeatBelt

IE Team has posted a job ad mentioning "OpenID""Does the idea of redefining the role of the Internet browser appeal to you? Do the terms HTTP, RSS, Microformats, and OpenID, excite you? If so, then

this just might be the opportunity for you."

OpenID is great for innovation

"What about the Foundation?"

Scott KvetonChairscott@kveton.com

Dick HardtTreasurerdick@sxip.com

Johannes Ernstjernst@netmesh.us

David RecordonVice-Chairdavid@sixapart.com

Martin AtkinsSecretarymart@degeneration.co.uk

Drummond Reeddrummond.reed@cordance.net

Bill WashburnExecutive Directorbill@oidf.org

Artur Bergmansky@crucially.net

Founding Board

• Add four corporate board members

• Finalize an IPR policy for future technical work (effort let by OIDF, AOL, Microsoft, Sun, Symantec, VeriSign,Yahoo!)

• Develop a trademark policy that supports the World-wide OpenID community

• Develop and refined core messaging for OpenID and websites oriented toward developers, users, and other potential adopters

• Coordinate World-wide joint marketing and evangelism (Snorri Giorgetti appointed as European representative)

Current Efforts

“So, what about the enterprise?”

“What is OpenID@Work?”

• Exploratory program launched by Sun in May

• Why?

• Learn from experience!

• Analyze use cases that connect business scenarios and “enterprise-strength” technology

• Pass on our experiences to customers, partners, and others

• What does it include?

• An OpenID Provider (of a specialized sort)

• Advising Sun website teams on OpenID

• A non-assertion covenant (important IPR declaration)

• Sharing what we learn

The Sun Provider• Only for Sun employees

• http://openid.sun.com/nickname

• These are effectively pseudonyms (and we don’t peek)

• Can be used directly or with delegation

• Use of Sun’s OpenID authentication service means:

• “Yes, this person is associated with this OpenID” and “This person is a current Sun employee”

• OpenID relying parties can act on this additional knowledge

• e.g. offer discounts to proven Sun employees

ArchitectureEnterprise-class and open-sourced

http://blogs.sun.com/hubertsblog has more information

OpenSSO.dev.java.net/public/extensions/openid

OpenSSO.dev.java.net

How are they being used?

• Not for business use -- an “employee perk”

• ProjectConcordia.org wiki (work-related use that I undertake on my own recognizance)

• Not currently using for internal applications

• Not a corporate approved authn mechanism

• Currently low usage

• <1% of employees have signed up (~350)

• ~7% the number of employees on Facebook

Formal Security Review• Business purposes:

What we are trying to achieve, so that risks can be appropriately measured and mitigated?

• Data governance:What responsibilities do we have regarding employee data privacy?

• Authentication:Why did we choose the password method?

• Protocol and implementation:Where are the “holes”?

• www.laurenwood.org/anyway - starting September 19th

Do Sun Websites Accept OpenID?• Pitched to several community site owners

• No takers to date

• Why?

• Doesn’t completely remove local account management

• Allows decentralized authorization only if everyone adopts it

• No currently deployed OpenID standard for locally and third party asserted authorization claims

• Business prioritization

• Lost account costs not high enough

• Not high-enough user demand

Internal SSO for bug trackers and wikis

Offer all employees OpenIDs; open source

Enterprise SSO and identity manager with

LDAP and OpenID

OpenID Provider with plans to ship in enterprise

products this year

Shared OpenID Provider for their businesses and

partnersProject management,

CRM, and billing for small businesses

http://openid.net/http://sun.com/identity/

Thanks!Questions?

David Recordondavidrecordon.comdavid@sixapart.com

Eve Malerxmlgrrl.com/blog/eve.maler@sun.com