openid overview - seoul july 2007

58
July 2007 Overview: David Recordon [email protected]

Upload: david-recordon

Post on 28-Jan-2015


DESCRIPTION

Overview presentation on OpenID and VeriSign's OpenID Provider given by David Recordon at AhnLab in Seoul, Korea.

TRANSCRIPT

Page 2: OpenID Overview - Seoul July 2007

Who am I?

David Recordon

VeriSign Employee since May of 2006

OpenID Foundation Vice-Chair

Co-Author of various OpenID specifications

Past employee of Six Apart, where OpenID was created

Page 3

Web 2.0

Page 4

What is Web 2.0?

Users in control

Data sharing

Social collaboration

Lightweight business models

Perpetual beta

Application platform

The Long Tail

Page 5

The Long Tail

Page 6

The 80% tail matters

Virtual shelf space is limitless

For the Economists

"We sold more books today that didn't sell at all yesterday than we sold today of all the books that did sell yesterday." - Amazon.com

http://longtail.typepad.com/the_long_tail/2005/01/definitions_fin.html

Page 7

For Everyone Else

Mass social networks vs. niche social networks

Allows access to information that otherwise would be "unimportant"

Delivered content vs. discovered content

Found by me

Recommended by my friends

Page 8

Page 9

What is OpenID?

Single sign-on for the web

Simple and light-weight (not going to replace your bank card PIN)

Easy to use and deploy

Built upon proven existing technologies (DNS, HTTP, SSL/TLS, Diffie-Hellman)

Decentralized (no single point of failure in the protocol)

Free!

Page 10

An OpenID is a URI

URLs are globally unique and ubiquitous

OpenID allows proving ownership of a URI

People already have identity at URLs via blogs, photos, MySpace, FaceBook, DAUM, etc.

Page 11

Problems it Solves

Too many usernames and passwords

or the lack of different passwords

Someone took my desired username

My online profile is spread across the Internet without my control

and I can't benefit from it when I go somewhere new

Account management is hard to do right

Page 12

How Does it Work?

Page 13

My OpenID

"openid.server" points to my OpenID Provider

Page 14

1. Site fetches the HTML of my OpenID

2. Finds "openid.server"

3. Establishes a shared secret with the Provider

4. Redirects my browser to the Provider where I authenticate and allow the OpenID login

5. Provider redirects my browser back to the site with an OpenID response

6. Site verifies the signature and logs me in

Page 15

DEMO

Using OpenID

Page 16

"Hasn't this been done before?"

Great for the enterprise

Centralized Centralized

Page 17

History

Page 18

History 2005 & 2006

Created by Brad Fitzpatrick (Summer 2005)

Yadis Discovery protocol (Jan 2006)

VeriSign launches OpenID Provider (May)

Convergence with i-names (July)

Convergence with Sxip (Aug.)

$50,000 USD Developer Bounty (Aug.)

Technorati adopts OpenID (Oct.)

Tutorials by Simon Willison (Dec.)

Page 19

History Q1 2007

Mozilla announces intent to support OpenID in FireFox 3 (Jan.)

Microsoft support expressed by Bill Gates and Craig Mundie at RSA Conference keynote (Feb.)

AOL adds OpenID to every one of their ~60M accounts (Feb.)

Symantec announces upcoming OpenID products (Feb.)

Digg and NetVibes announce OpenID support (Feb.)

Wordpress.com and 37Signals adopt OpenID (March)

USA Today publishes OpenID article on the Money section front-page (March)

Page 20

History Q2 2007

Plone 3.0 ships with OpenID support (May)

Sun Microsystems adopts OpenID in enterprise product and provides employees with OpenID (May)

livedoor adds OpenID support (May)

OpenID wins Next Web Award (June)

Leo Laporte and Steve Gibson discuss OpenID (June)

OpenID wins CNET Webware 100 award (June)

Atlassian (makers of enterprise wiki software) supports OpenID (June)

Drupal 6 ships with OpenID support (June)

Page 21

The OpenID Foundation

Page 22

The purpose of the OpenID Foundation is to foster and promote the development and adoption of OpenID as a framework for user-centric identity on the Internet.

Page 24

Current Efforts

Develop an IPR policy and process for OpenID specifications to keep OpenID free and patent unencumbered

Develop a trademark policy that supports the extended OpenID community

Develop core messaging for OpenID and websites oriented toward developers, users, and other potential adopters

Coordinate World-wide joint marketing and evangelism

Page 25

Adoption Trends

Page 26

~120 million OpenIDs (including every AOL and livedoor user)

OpenID 1.1 - Estimated from various services

Page 27

Total Relying Parties (aka places you can login with OpenID)

[Chart: number of relying parties, 0 to 4,000, plotted monthly from Sep '05 to July '07; annotated events: Sxip / Bounty, MSFT & AOL, Web 2.0 Expo]

OpenID 1.1 - As viewed by MyOpenID.com
Page 28

Page 29

Key Benefits

Page 30

Users

Fewer usernames and passwords to remember

Ability to strongly protect your accounts anywhere OpenID is accepted

Globally unique, "is that the same David?"

Ability to create a reputation that can be taken with you from site to site

Ability to know where you've shared information

Page 31

Relying Parties

Simplified account creation

Users don't need to create a new password

Easy to ask for, or discover, profile information

Simplified account management

No more forgotten passwords

OpenID Provider specifics, such as being able to IM an AOL OpenID user or knowing that a Sun OpenID user is a current employee

Page 33

Done!

Time to create an OpenID:

~1 minute

and you may already have one

Page 34

DEMO

Creating an OpenID on your own domain

Page 35

Configure Delegation

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>David Recordon</title>
<style> div { text-align: center; color: #C0C0C0; } img { border: 0px; } a { color: #C0C0C0; }</style>
<link rel="openid.server" href="https://jpip.verisignlabs.com/server" />
<link rel="openid.delegate" href="https://recordond.jpip.verisignlabs.com" />
</head>

(source of www.davidrecordon.com)

Page 36

Done!

Time to create an OpenID on your own domain:

~5 minutes

Page 37

Security and Trust

Page 38

Protocol Security

Use SSL correctly throughout the protocol

Protects against man-in-the-middle and eavesdropping attacks

Generate strong MAC keys and re-negotiate as needed

Used to verify data integrity and authenticity of OpenID responses

Verify NONCEs

Protects against replay attacks
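As an added example (not code from the talk, from VeriSign's PIP, or from any OpenID library), the relying-party side of steps 1, 2 and 6 of the flow above: HTML discovery of the openid.server and openid.delegate links from the "Configure Delegation" slide, the HMAC-SHA1 key-value signature that the MAC key from the association protects, and a nonce check against replay. The nonce field name follows OpenID 2.0 (openid.response_nonce; 1.1 relying parties carried their nonce in return_to), and the MAC key and response values in the test are constructed.

```python
import base64
import hashlib
import hmac
from html.parser import HTMLParser

# Constructed sample: the delegation markup shown on the "Configure Delegation" slide.
SAMPLE_HTML = """<html><head><title>David Recordon</title>
<link rel="openid.server" href="https://jpip.verisignlabs.com/server" />
<link rel="openid.delegate" href="https://recordond.jpip.verisignlabs.com" />
</head></html>"""


class _LinkFinder(HTMLParser):
    """Collect rel -> href for every <link> in the claimed identifier's HTML."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "rel" in a and "href" in a:
            self.links[a["rel"]] = a["href"]


def discover(html):
    """Steps 1-2: locate openid.server (the Provider endpoint) and openid.delegate."""
    finder = _LinkFinder()
    finder.feed(html)
    return finder.links.get("openid.server"), finder.links.get("openid.delegate")


def sign(fields, signed, mac_key):
    """Key-value signature: HMAC-SHA1 over 'key:value\\n' for each key listed in
    openid.signed, taking the value from the matching openid.<key> field, base64-encoded."""
    token = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed.split(","))
    return base64.b64encode(hmac.new(mac_key, token.encode(), hashlib.sha1).digest()).decode()


def verify_response(fields, mac_key, seen_nonces):
    """Step 6: recompute the MAC with the association key (constant-time compare),
    then reject any nonce already seen so a captured response cannot be replayed."""
    expected = sign(fields, fields["openid.signed"], mac_key)
    if not hmac.compare_digest(expected, fields["openid.sig"]):
        return False
    nonce = fields["openid.response_nonce"]
    if nonce in seen_nonces:
        return False
    seen_nonces.add(nonce)
    return True
```

A production relying party also checks that openid.return_to matches the URL it is handling and that the association handle in the response is one it issued; both are omitted here to keep the signature and nonce logic in view.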

Page 39

Trust

Challenge them via a CAPTCHA or email verification

Use whitelists and blacklists

Ask someone else whom you trust

"Trust first requires identity" - Brad Fitzpatrick

OpenID does not tell you if a user is good, bad, or even human

Page 40

Scaling Up OpenID

OpenID Provider Authentication Policy Extension, draft published June 2006

Relying Parties can ask for authentication policies such as "phishing resistant" or "multi-factor"

Providers can respond with policies the user complied with, time since they authenticated, and strength of the credential(s) used per NIST guidelines

Page 41

VeriSign's OpenID Provider

http://pip.verisignlabs.com

Page 42

Substantial upgrade this week

Page 43

Personal Identity Provider

Free OpenID Provider run by VeriSign

Support for OpenID 1.1 & 2.0

Strong security features

One-time password tokens

Microsoft CardSpace

Out-of-band authentication via SMS

Manage multiple OpenID URLs

Easily manage your profile information

Page 44

Protect Your Account

Page 45

Consumer strong authentication and fraud detection network

Deployed for the likes of PayPal, eBay, and Charles Schwab

Get one token and use it anywhere in the network

Page 46

VIP Protected Login

Page 47

Manage Multiple OpenIDs

Page 48

Manage Your Profile

Page 49

Use Your Profile

Page 50

VeriSign's OpenID SeatBelt (an OpenID convenience and security add-on for Firefox)

works with

Page 51

Phishing

An untrusted site redirects you to your trusted provider

Not just a problem for OpenID, but also for PayPal, Google Auth and Checkout, Yahoo! BBAuth, AOL OpenAuth

Page 52

Passwords Can be Phished

Replace passwords

Tokens

SMS, Jabber, etc

Client Side Certificates

Mutual authentication

Microsoft CardSpace or Novell Bandit

Passwords are still widely used

Browsers have poor support for alternative means

Page 53

SeatBelt

Provide contextual information

Am I currently logged in and if so as whom?

Is it safe to login?

Remove phishing opportunities

Login when my browser opens

Take me to my Provider if I'm not logged in

Protect against common attacks

Validate SSL certificates when interacting with my Provider

Watch where the RP is sending my browser

Page 54

Provide Context

Page 55

Remove Opportunities

Page 56

Protect

Page 57

Thanks!

David Recordon

Innovation

[email protected]

Questions?

http://openid.net/

http://planet.openid.net/

Page 58

Resources

http://www.notsorelevant.com/2007-04-26/five-articles-on-openid-you-should-know/

http://www.intertwingly.net/blog/2007/01/03/OpenID-for-non-SuperUsers

http://www.sixapart.com/about/news/2006/12/openids_growing.html

http://blogs.zdnet.com/digitalID/?p=78

http://blogs.zdnet.com/digitalID/?p=85

http://dev.aol.com/openid-value-of-connnected-identity

http://www.usatoday.com/tech/webguide/internetlife/2007-03-15-openid_N.htm