FOWA 07: Simon Willison – The Future of OpenID

Right time to be talking about OpenID. Supported by AOL, MS, Symantec. Bill Gates spent 7 minutes talking about OpenID. Digg announced yesterday.

“It’s definitely time to declare OpenID a winner and the hope for making a single-sign on world a reality” – Mike Arrington, TechCrunch.

Authentication on the web completely sucks. As soon as you see a sign-in form. Need to remember which username we chose, as there’s a massive war for the namespace so you don’t always get the name you want. Need to remember which password you used. If you sign in with an email address it’s a bit easier, but if you lose access you lose ability to regain a forgotten password.

Yahoo! registration form, as an example, asks for too much information, too long of a form.

Have dozens of different accounts on different sites. We have this problem now, but we are early adopters. Everyone else will have this problem soon, if not already.

Single sign-on will save us, will give us just one log-in.

Done before: Microsoft Passport, and TypeKey. But do you trust Microsoft? And if you don’t trust them, surely you trust the Trotts? San Francisco’s cutest couple? But what if they turn evil? Not good for one company to manage your log-in.

Want single sign-on, but don’t want a single point of control. OpenID decentralises who manages your identity. You can pick one place to manage it. You can even run your own identity server. Doesn’t matter where it is hosted.

Your identity is a URL. So your username is your URL. LiveJournal started it. Also solves the namespace issue, because a URL is globally unique.


Demo. Zooomr, and you log in with OpenID. Enter your URL. Then you need to log into, say, LiveJournal, then you grant identity validation to Zooomr via LiveJournal, and are redirected back to Zooomr. But if you sign out and sign back in again, you go straight in, because you’re still logged into LiveJournal and you’ve already given permission.

Account creation is still important. So you still have to go through filling out a form.

But an OpenID provider can let you set up your identity once, then hand that identity over to a new account on a new OpenID-using service, pre-populating whatever required fields it can.

How does it work?
OpenID is a URL, and at that URL is a page. Don’t care what the page looks like, just the line in the HTML: `<link rel="openid.server" href="">`. Cryptography happens. (If you want the details, read the spec.)

But this should be decentralised. What if you use your LiveJournal ID everywhere and then want to leave LiveJournal? So you can set up your own URL and pick a delegate there, so that you can change providers at any time without changing your identity.
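Discovery as described above, as an added example (not code from the talk or from any OpenID library): parse the page at the claimed URL for the `openid.server` and `openid.delegate` links and work out which identity to send to the provider. Host names in the sample HTML are made up.

```python
from html.parser import HTMLParser
from typing import Dict, Optional


class _OpenIDLinkParser(HTMLParser):
    """Collect the openid.server / openid.delegate <link> hrefs from a page."""

    def __init__(self) -> None:
        super().__init__()
        self.found: Dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":  # HTMLParser already lower-cases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        rels = a.get("rel", "").lower().split()  # rel may carry several tokens
        for rel in ("openid.server", "openid.delegate"):
            if rel in rels and a.get("href") and rel not in self.found:
                self.found[rel] = a["href"]  # first occurrence wins


def discover(claimed_url: str, html: str) -> Optional[Dict[str, str]]:
    """OpenID 1.1 discovery on the HTML fetched from the user's claimed URL.

    Returns the provider endpoint and the identity the provider is asked to
    verify: the delegate URL if one is declared, otherwise the claimed URL.
    The delegate is trustworthy only because it came from the page at the
    claimed URL; a relying party must never accept a delegate from elsewhere.
    Returns None if the page carries no openid.server link at all.
    """
    p = _OpenIDLinkParser()
    p.feed(html)
    server = p.found.get("openid.server")
    if not server:
        return None
    return {
        "claimed": claimed_url,
        "server": server,
        "identity": p.found.get("openid.delegate", claimed_url),
    }


# Constructed sample: a self-hosted page delegating to a provider (hypothetical hosts)
SAMPLE_DELEGATED = """<html><head><title>Alice</title>
<link rel="openid.server" href="https://provider.example/openid/server">
<link rel="openid.delegate" href="https://provider.example/users/alice">
</head><body>Alice's page</body></html>"""

if __name__ == "__main__":
    print(discover("https://alice.example/", SAMPLE_DELEGATED))
```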

AOL now provides valid OpenID accounts. Verisign PIP. MyOpenID, ClaimID, Digg coming soon.

Simon’s blog puts a yellow box round people who have used OpenID.

OpenID doesn’t dictate the authentication method: Jabber authentication, where you get a Jabber message if you’re trying to log into a site; secure browser certificates; RSA keyfobs.

Yahoo! have their own authentication, so someone can build an OpenID provider on top of it and support OpenID for Yahoo! even though Yahoo! don’t actually support it. If you provide an authentication API but don’t support OpenID, someone else will support it for you. Google could do with this treatment.

Aren’t enough sites yet that people can log into. Needs to be built into a lot more.

Good reason for this: Start-up fatigue. People don’t like to create a new account just to try something out. If you support OpenID, you’ll be more likely to get people trying your service.

But OpenID isn’t just about single sign-on.

OpenID is a ‘dumb network’, i.e. it has no intelligence, doesn’t care what you do with it. It’s up to the endpoint application to decide what to do with it. Lets X tell Y that Z can prove ownership of a URL. It’s up to X and Y to do the smart stuff.

Can do more. OpenID is a URL and globally unique. So you can share your profile information if you want to. Think about lightweight accounts. Quite a few blogs require sign-up to allow comments. So any application where you wouldn’t bother to create an account you get more participation by using OpenID. Wikis are a good example.

Use OpenID to extend the lifetime of cookies. If someone clears their cookies you lose context. With OpenID you can keep that context going between browsers and machines.

Can pre-approve people, so can just log-in with OpenID.

Can use OpenID behind the firewall, so can use ‘’. Then build internet apps that only allow logins from OpenIDs of that format.

OpenID and microformats
– hCard, your OpenID can embed your public contact details.
– XFN – you can import a user’s contact by introspecting their OpenID. Can import social networks from sites you’ve already used.

Site-specific OpenID hacks
– “log in with your LJ OpenID and we’ll import your LJ contacts” or “Log in with your AOL OpenID and we’ll send you updates over AIM”.

Social whitelisting
– Blacklisting is a nightmare, doesn’t work, trying to hold back the flood. Instead of blacklisting bad people, whitelist good people to skip the moderation queue.

Publish a list of the OpenIDs that you trust to comment on your blog without needing moderation. Syndicate the trusted whitelists from your friends. Decentralised service.
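The whitelist check from the two points above (a merged list of trusted OpenIDs, plus the behind-the-firewall case of accepting only identities under a host you run), as an added example that is not code from the talk. Relying-party-side normalisation matters here: a user types `bob.example`, a friend’s syndicated list says `http://bob.example/`, and both must compare equal. All hosts and lists are constructed.

```python
from typing import Iterable, Set
from urllib.parse import urlsplit, urlunsplit


def normalize_openid(identifier: str) -> str:
    """Normalise a user-typed OpenID before comparing it against any list:
    add a scheme if missing, lower-case scheme and host, drop the fragment,
    and turn an empty path into "/". http and https stay distinct identities.
    """
    s = identifier.strip()
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


def build_whitelist(*sources: Iterable[str]) -> Set[str]:
    """Merge your own trusted list with whitelists syndicated from friends."""
    return {normalize_openid(i) for src in sources for i in src}


def may_skip_moderation(openid: str, whitelist: Set[str],
                        trusted_hosts: Iterable[str] = ()) -> bool:
    """True if the OpenID is whitelisted or lives under a host you control.

    Call this only with an identifier the provider has already verified;
    the list decides trust, the OpenID exchange decides ownership.
    Host matching is exact or on a dot boundary, so "corp.example.evil"
    does not pass for a trusted "corp.example".
    """
    n = normalize_openid(openid)
    if n in whitelist:
        return True
    host = urlsplit(n).hostname or ""
    return any(host == h or host.endswith("." + h) for h in trusted_hosts)


# Constructed sample lists: my own, and one syndicated from a friend
MY_LIST = ["https://alice.example/", "bob.example"]
FRIEND_LIST = ["http://carol.example/#profile", "https://Dave.Example/id"]

if __name__ == "__main__":
    wl = build_whitelist(MY_LIST, FRIEND_LIST)
    print(sorted(wl))
    print(may_skip_moderation("https://dave.example/id", wl))
```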

Jyte: built around OpenID, a lightweight trust network. Can give you cred points, and can make claims about people, which other people can agree or disagree with.

You can export a Jyte group as a simple whitelist-style list of OpenIDs. Can manage an invite-only group using Jyte, then hook that into another site’s authentication system.

Decentralised social networks
Constantly recreating your social network in different tools. OpenID can create a decentralised social network.

What are the problems?
Number one problem is phishing. Problem for everyone, but OpenID is susceptible. Kitten Overload: you log in to see more kitten photos, and if you are not paying attention to the URL, Evil Kitten Overload could then steal your ID and log into a lot of things as you.

Phishing works because you’re expecting some random untested site to redirect you to your log-in form. So providers can make people type in the URL themselves to progress, although that’s not foolproof.

Vista has ‘CardSpace’, which is supposed to protect you from phishing. So could do CardSpace-enabled OpenID.

Solution to phishing lies in competition. Lots of OpenID providers, so if one is good protection against phishing then it’ll hopefully gain ground.

What happens if my identity provider goes down? The applications that you’re logging into need to think about this – similar to password reset. Need to think about “I’ve lost my OpenID”, so maybe let you associate multiple OpenID accounts so that if one goes down you can still get in. Should let people have a full account or an OpenID, and let people associate multiple IDs.

Privacy. “I don’t want my boss to know that I’m a furry”. Use multiple OpenIDs. People have been managing multiple online identities since the net began. Have professional identity, personal, gaming, etc. It’s not about knocking you down to one user account, but reducing the number to a sensible amount.

OpenID is hard to explain. Not ready for the mainstream, but it is ready for the early adopters. Hopefully in six months’ time these bumps will be ironed out. Need more people to help out, or to turn this into an ‘Exciting Business Opportunity’, e.g. the .name registrars could run it, give people free OpenIDs, and do all the configuration.

Don’t just implement OpenID, innovate with it. Think of smart things that you could do now!