One of the most difficult decisions in developing a Web site is how to manage user identity. As a user you have to assess the implications of connecting your Twitter or Facebook user to other random services. Meanwhile, enterprises are challenged to evaluate ever more magical products for connecting their silos with other silos, often in direct conflict with any desire for a RESTful architecture. Did innovation in authentication on the Web stop at usernames, passwords, and the HTTP Cookie? Does Firesheep mean you should serve everything over HTTPS? What happened to OpenID? Can outsourcing your userbase to Twitter, Facebook, Google or some other commercial entity really be a good idea? This talk has some answers, but mostly offers a wide-ranging and opinionated tour of the current state of identity on the Web. There will be URIs and angle-brackets, but mostly anecdotes involving venn diagrams, famous bridges, self-destructing kiosks and quantum computers.

1. Who are You?
Who am I?
Who is Anybody?

2. Who am I?
Who are You?
Who is Anybody?

3. Who am I?

4. I’m not ...

5. <a href="http://lanyrd.com/people/psd" rel="me" >Lanyrd</a>

6. http://tools.microformatic.com/help/xhtml/rel-lint/

7. http://socialgraph-resources.googlecode.com/svn/trunk/samples/findyours.html

8. Social Graph API

9. https://twitter.com/hotdogsladies/status/121634890612617216

10. FAIL!

12. http://inmaps.linkedinlabs.com/share/Paul_Downey/254787113202758123919768153472111744090

14. Who are you?

15. https://twitter.com/Jermolene/status/121537205608001536

16. https://twitter.com/paulmadsen/status/122271400336699392

17. Basic Authentication
http://en.wikipedia.org/wiki/Basic_access_authentication

18. Digest Authentication
http://en.wikipedia.org/wiki/Digest_access_authentication

20. PASSWORD
REHABILITATION

22. sha1

23. Secret URIs
• http://farm3.static.flickr.com/2291/1806225034_50df5b8ba4_o.png
• http://inmaps.linkedinlabs.com/share/Paul_Downey/
254787113202758123919768153472111744090

25. http://en.wikipedia.org/wiki/HTTP_cookie

26. http://softwareas.com/signing-up-to-websites-1999-2009-a-montage

30. https://github.com/hanssonlarsson/express-csrf

32. EU Privacy Directive on Cookies

35. http://www.davidnaylor.co.uk/eu-cookies-directive-interactive-guide-to-25th-
may-and-what-it-means-for-you.html

36. UX

37. More
Secure
Less pleasant to use

38. DNS Is B0rken
http://blog.icann.org/2008/11/why-the-dns-is-broken-in-plain-language/

39. HTTPS

41. $ openssl s_client -connect www.google.com:443 <
/dev/null | openssl x509 -outform DER | openssl sha1
depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte
SGC CA
verify error:num=20:unable to get local issuer
certificate
verify return:0
DONE
405062e5befde4af97e9382af16cc87c8fb7c4e2
$ dig +short
405062e5befde4af97e9382af16cc87c8fb7c4e2.certs.googled
nstest.com TXT
"14867 15062 74"
http://googleonlinesecurity.blogspot.com/2011/04/improving-ssl-certificate-security.html

42. Client Certs?

43. http://codebutler.github.com/firesheep/

44. https://www.eff.org/https-everywhere

46. you have to opt-out ..
.. in every browser ..
.. this is evil ..
.. and doomed to failure
http://xauth.org/

48. http://en.wikipedia.org/wiki/OpenID

50. <XRD>
<Subject>http://blog.example.com/article/id/314</
Subject>
<Alias>http://blog.example.com/cool_new_thing</Alias>
<Expires>2010-01-30T09:30:00Z</Expires>
<Type>http://blgx.example.net/ns/version/1.2</Type>
<Type>http://blgx.example.net/ns/ext/language</Type>
<Link>
<Rel>author</Rel>
<URI>http://blog.example.com/author/steve</URI>
<MediaType>text/html</MediaType>
</Link>
</XRD>
http://hueniverse.com/2009/03/xrd-sneak-peek/

51. https://dev.twitter.com/docs/auth/oauth

52. Delegation UX

53. The “F” Word

54. Federated

55. https://twitter.com/hipsterhacker/status/77716476873801728

56. https://twitter.com/jtauber/status/60586912196460544

57. Transport Independence

59. ww .w3.org/
ss >http://w le.org/
<w sa:Addre ttp://examp
dd ressing"> ustomer="h
.org/2 005/08/a ers xmlns:c </
merKey> wsdl/">
.w3 et sto
tt p://www eferenceParam </customer :Cu mlsoap.org/ /
mln s:wsa="h ss><wsa:R 56789 m as.x rg /2006/01
eference x </wsa:Addre y>K ey#1234 lns="http://sche ttp://www.w3.o ce>
< wsa:E ndpointR essing/none r :Cus tomerKe efinitions xm "h
n xmlns= sa:EndpointRefe
ren
r me d tio
200 5/08/add tomer"><custo <wsa:Metada>< itions><descrip adata></w
cus > n et
Par ameters re! --></defi iption></wsa:M
wsa:R eference of WSDL 1.1 he ! --></descr
e
<!-- load WSDL 2.0 her
e
wsdl"> <!-- mor

60. <?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="http://sdk.bt.com/2007/01/WhiteLabelAuthentication"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsse="http://docs.oasis-
open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-
HEADERS?
utility-1.0.xsd" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<SOAP-ENV:Header>
<wsse:Security>
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#ac016ffe-a6e9-23d4-ebd1-ccef7ea31db7">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>bwlAKau7KQAubgGNJzysZoEEF8o=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#78223460-ef68-5501-83d6-a5edb6d452b6">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>kyBw9fnMjhi2I39+wfBIklyk8g4=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>XW2FqP9o/A1J+NOg6Kv3ncn3PvSg5lzr2V4H/AQpRycXUSk7bzWK8kzhtMrlXUwkykrJ2AyEzw+xrRtSBIeaId1Iveme2KO02p21MTglr73cPCft/
GHvEvAHZ4B6N6gSaX7NcGFrYnsYKP0nX5vT7jBh7WZ7Euqn0PyjCHyYxbU=</ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference URI="#CERTID"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsu:Timestamp wsu:Id="ac016ffe-a6e9-23d4-ebd1-ccef7ea31db7">
<wsu:Created>2007-02-23T07:47:01Z</wsu:Created>
<wsu:Expires>2007-02-23T08:47:01Z</wsu:Expires>
</wsu:Timestamp>
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="CERTID">MIICdzCCAeCgAwIBAgICAX0wDQYJKoZIhvcNAQEEBQAwezEnMCUGA1UEChMeQnJpdGlzaCBUZWxlY29tbXVuaWNhdGlvbnMgUExDMR4wHAYDVQQLExVDZXJ0aWZpY2F0ZSBBdXRob3
JpdHkxDzANBgNVBAcTBkxmRvbjELMAkGA1UEBhMCR0IxEjAQBgNVBTCUJUIFNESyBDQTAiFxEwNzAxMDMxNTE5MjIrMDAwMBcNMDgwMTA0MTUxOTIyWjCBgjELMAkGA1UEBhMCR0IxDzANBgNVBAgTBkxv
bmRvbjEPMA0GA1UEBxMGTG9uZG9uMQ8wDQYDVQQKEwZCVCBTREsxLTArBgNVBAsTJDM0ZDU0NTkwLTRkZTEtNGJmNi04ZGMxLWZjODQzNzM1MmM4MjERMA8GA1UEAxMIcGhvbmVib3gwgZ8wDQYJKoZIhv
cNAQEBBQADgY0AMIGJAoGBANKIQf+DOAKNZqs+HvCBYJ7+Q/wdCQBfFslIOGMnKN5zxpCuwB/pPW4DjLnqcWkIIVIH4A7RlWRemIO5e5caTW9bwvz0Fl1ZM6e2Mx9XKT0ZkxvXq8Dxn0abqWzoKyD3IJ2/
tUhqriWveFR+6PY3PSBcj7NpJaqr7yH3z6RtEGNlAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAmabZVFeAXfXcBKR6NUK7kYqHhtX7YdNtxZcULRMMpFEkCMGERWCH5bK6/xnFtNXG09RkwkSTGs2dhM6/
jQNvd1jJhLR6E2ejYrYWWf6Sap0Etok7sJqrS9awdbFmQGenFZKRUAEeyHeZhdFil8trzyJv1VzgPIjDRZmhnpItzQ8=</wsse:BinarySecurityToken>
</wsse:Security>
<wsa:Action>http://sdk.bt.com/2007/01/WhiteLabelAuthentication#login</wsa:Action>
<wsa:MessageID>urn:uuid:e12edac3-f87d-3e0a-b621-04fa4d0b8cda</wsa:MessageID>
</SOAP-ENV:Header>
<SOAP-ENV:Body wsu:Id="78223460-ef68-5501-83d6-a5edb6d452b6">
<ns1:login>
<ns1:userName>paul.downey@bt.com</ns1:userName>
<ns1:password>2344324t</ns1:password>
</ns1:login>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

61. http://www.xmlgrrl.com/blog/2007/03/28/the-venn-of-identity/

62. http://www.xmlgrrl.com/blog/2007/03/28/the-venn-of-identity/

64. http://connectid.blogspot.com

65. http://www.xmlgrrl.com/blog/2008/09/04/venn-and-the-art-of-data-sharing/

66. http://kantarainitiative.org

68. http://en.wikipedia.org/wiki/OpenID

69. http://www.bbc.co.uk/news/technology-13749010

70. https://twitter.com/IdentityWoman/status/110622242127364096

71. https://twitter.com/robinberjon/status/109611765435875329

72. very cool!

73. http://www.w3.org/wiki/WebID

74. http://webfinger.org/

78. correct
horse
battery
staple

79. http://nigelparry.com/news/guardian-david-leigh-cablegate.shtml

80. .. but .. wait!

83. https://twitter.com/rem/status/123392299320344579

84. Verified by Visa not only protects your card against unauthorised use, it
also means you can have confidence that the online retailer you’re
buying from has made your security a priority.
http://www.visaeurope.com/en/cardholders/verified_by_visa.aspx

86. http://cyberelk.net/tim/2008/11/20/chip-and-pin/

88. http://krebsonsecurity.com/2011/09/gang-used-3d-printers-for-atm-skimmers/

90. http://berglondon.com/blog/2009/10/12/the-ghost-in-the-field/

92. http://gizmodo.com/5366022/sniff-the-rfid-dog-likes-to-smell-your-credit-cards

94. http://www.chromaroma.com/

96. http://www.bijlmereuro.net/

97. http://www.cerealbits.com/

99. http://en.wikipedia.org/wiki/Blue_box_(phreaking)

100. https://bitcointalk.org/index.php?topic=9047.0

101. http://en.aureatechnology.net/

102. http://cs-exhibitions.uni-klu.ac.at/index.php?id=258

103. Bio-meh-trics

104. http://www.flickr.com/photos/jeff-barnes/76948611

106. Something you have
Something you are
Something you know

107. The Mobile
is
The Dongle
™
not really

108. http://www.duosecurity.com/

110. Who is anybody?

111. http://isaach.com/2011/07/mention-constellations.html

112. BUTTON SLUTS

113. https://twitter.com/beng/status/118026274148073472

114. https://twitter.com/monkchips/status/117246164839043072

115. http://www.ghostery.com/

117. Yikes!

118. http://collusion.toolness.org/

119. • Standard HTTP Cookies
• Flash Local Shared Objects
• Silverlight Isolated Storage
• auto-generated force-cached RGB values
• PNG/HTML5 Canvas tag to read pixels
• Web History
• HTTP ETags
• Web cache
evercookies • window.name caching
• Internet Explorer userData storage
• HTML5 Session Storage
• HTML5 Local Storage
• HTML5 Global Storage
• HTML5 Database Storage (SQLite)
• HTTP Authentication
• Java NIC based unique key

120. https://panopticlick.eff.org/

124. https://twitter.com/9600/status/117309784130199553

125. “The thing that makes newspapers so
fundamentally fascinating — that serendipity
— can be calculated now.
We can actually produce it electronically.
The power of individual targeting — the
technology will be so good it will be very hard
for people to watch or consume something
that has not in some sense been tailored for
them”
— Eric Schmidt
http://googlesystem.blogspot.com/2010/08/eric-schmidt-on-future-of-search.html

127. Privacy Window

129. four legs good,
two legs better ...

131. https://twitter.com/danbri/status/114241481346252801

132. Test Driven Development
Behaviour Driven Development
Jenga Driven Development
Domain Driven Design
Development Driven Development
Design Driven Driving

133. Investor Driven
Development

135. Confusion
Conclusion

136. Who am I?
— someone who treasures linking
Who are you?
— someone who deserves grokable
security
Who is Anybody?
— mind your own bloomin’ business!