Text transcript of show # 50. February 7, OpenID

Transcription

1 Hanselminutes is a weekly audio talk show with noted web developer and technologist Scott Hanselman and hosted by Carl Franklin. Scott discusses utilities and tools, gives practical how-to advice, and discusses ASP.NET or Windows issues and workarounds. Text transcript of show # 50 OpenID Scott and Carl talk about the Microsoft/OpenID collaboration. (Transcription services provided by PWOP Productions) Our Sponsors Copyright Pwop Productions Inc.

2 (Music) (Music) Lawrence Ryan: From hanselminutes.com, it s Hanselminutes, a weekly discussion with Web developer and technologist Scott Hanselman, hosted by Carl Franklin. This is Lawrence Ryan, announcing Show #50, recorded Wednesday, February 7 th, Support for Hanselminutes is provided by.net Developer s Journal - The World s leading.net developer magazine, online at In this episode, Scott and Carl talk about the Microsoft OpenID Collaboration. Carl Franklin: Hi, this is Carl Franklin; you re listening to Hanselminutes from hanselminutes.com. Hope you re having a good week. Scott, how are you? Scott Hanselman: I m doing okay. Carl Franklin: We haven't really announced on the show that we re moving the publication day of the shows to Thursday, and we re just a day late today. No big deal. Scott Hanselman: This is our 50 th show. Carl Franklin: It is huh? Scott Hanselman: Yeah. Carl Franklin: Wow! 50 Hanselminutes shows. Scott Hanselman: Yeah, and hopefully we haven't run out of anything to say. I mean one day we ll start talking about our pets, but until then keep going. Carl Franklin: No, we won t. Of course we don t want to waste people s time. And I think we spent just about enough time on the whole idea of it being the 50 th show. So, what s the topic today Scott? Scott Hanselman: Well, I think that we should about OpenID. We ve talked a little bit about CardSpace in the past, we ve talked about the general concept of identity on a show recently, but given the big announcement yesterday between Microsoft and a whole pile of Web 2.0 companies, I think it s worth talking about what OpenID is, and why our users should care, our readers, our listeners should care. Carl Franklin: So, why don t you start off by just telling us what OpenID is? Scott Hanselman: Okay. So, we know what CardSpace is right, so to put in the context of CardSpace, CardSpace is Microsoft s 2.0 attempt at solving a lot of the problems around identity, and they re trying to do it in a very open way. So, they re using the WS* protocol and Carl Franklin: Right. They re trying to solve the whole idea of identity across the network, across the Internet for everybody, not just for Microsoft users. Scott Hanselman: Right. except the thing that you use to log in, the thing that you use to express who you are and what you know, and all the different things about identity in the CardSpace and Vista world is a Microsoft thing, it s called an Identity Selector. So, the big curtain of gray that comes over the screen, as it pops up and says, Give me your CardSpace card. That s a Microsoft thing. Now, there are, as we talked about in a previous show, identity selectors for other platforms. There s a Java based one, Firefox 3.0 has announced in their functional requirements document that they re going to have an identity selector of their own. Now, this is all good and wonderful, but kind of simultaneously going on in the background, there are lots of other people concerned about the problem of identity. The problem of phishing; problem of phishing where you don t know where you re going, you don t know where you re visiting, and then the problem of pharming, which is where a user s sensitive information is being logged, this is like having a keylogger on your machine, and you don t know your passwords being taken by that. Carl Franklin: And let s not forget spam, which is all related to identity. Scott Hanselman: Absolutely. Because some of the things that are important about identity, what they call the laws of identity, or things like user control and consent, you only want to reveal information with the user s consent. You want to disclose the least possible amount of information that you need, and people need to have a, it s called a justifiable party. You need to make sure that the disclosure of information is really limited to those parties that are justifiable that really have a need to know. Justifiable party is the third law; it could be called the Need to Know law. Need to talk about directed identity, about private entities and public entities, and things like that. We need to make sure we have a consistent experience for everyone. Transcription by PWOP Productions, Page 2 of 9

3 Carl Franklin: Kim Cameron is one of the guys at Microsoft who s really blazed the trail for identity, especially for CardSpace. Scott Hanselman: Yeah. Definitely on the Microsoft side he is the man, he is the face of identity at Microsoft. So OpenID is an open framework as well, decentralized, and it basically introduces the idea of a URI, which is an old idea, right, not a URL but a URI. Carl Franklin: URI just to -- is a Uniform Resource Identifier, which is what a URL is. So, URL is a subset of URI. URI is the general idea of having a protocol and a colon and what else, but URL is a HTTP construct. (00:05:07) Scott Hanselman: Exactly. So, typically when you log in somewhere, of course you use your username and your password, and unfortunately a lot people have the same password duplicated everywhere. So, if someone got a hold of one of my passwords, -- personally, I use a different password for every site, but I ve got a tool that helps make that possible. If I was using foo for my password everywhere and someone found that out, they could login to Amazon and use my password, they could login to Newegg and use my password. I couldn't change it in one location. Now, Passport was the Microsoft, Hey, handle your identity through us, we ll handle it for you. OpenID could almost be called open and decentralized passport. In that no one can necessarily control this, you take control of your own identity. What they do is they take the concept of the URI, and they expand it to a user centric identity or identifier. Carl Franklin: So, in other words, your username is a URI? Scott Hanselman: Right, and what s the most common URI that people have, they have their Website. So, your Website address like Hanselman.com can then become your URI, because that s something that you have, you actually own that. Carl Franklin: That s a really important thing to just double mention, because when I think of a URI being an identity, I think of like the addresses and identifiers we used to use for remoting and for COM, and all sorts of crazy long URLs that are cryptic, but you re right, I mean your Blog, your Website, because you own it, that represents you. Carl Franklin: It s also very easy to when it is your Website to go there and make sure that it is you. Scott Hanselman: So, if you want to use your Blog, like I m sure many of our listeners either have a Blog or have a Website that they control, maybe it s somewhere that they put their family pictures, and they want to use that domain as their OpenID, it s pretty straight forward actually. You can just go to Hanselman.com and do a view source, and look right in the Meta tags there for two different links. You ll see links that point to an OpenID server, because my system isn t necessarily an OpenID provider, but I want to use the URI; I want to use my URI Hanselman.com. So, what I do is, I put links in my Blog s HTML that point to who s handling, who I m delegating this work to. So, what you do is you go to MyOpenID.com and you sign up for an OpenID, so I did that because OpenID.com is an OpenID provider, and then I just point from the source code of the HTML of my Website, and this is really easy even if you have a Blog address, and you don t necessarily control the domain, you can add this to your Blog s template. It doesn t show up, it s not seen by anyone, and then this is the way of saying, Oh, here is his provider. To use the passport metaphor if there was more than one passport.com out there. I would be able to possibly use my Website address as my passport, and passport would just be kind of a party there, a relaying party. Carl Franklin: Let s get back to this whole idea of the provider. Is the provider the thing that verifies and validates your identity? Scott Hanselman: Good point, okay let s get back to that. So, if you re going to log in to an OpenID enabled Website, a Website that s gone to the effort of doing this integration, which isn t very complicated. You would then type in your OpenID URI, so I could go to a Blog like I think that Simon Willison is a guy who s got a Blog, and I think we ve got a shrinkster URI for him. So, I could go to his Blog at shrinkster.com/lu4 and he explains how OpenID works, and I could leave a comment there or login to his Blog, and there s a spot for entering in my OpenID, so this is my username. Now, even though he may not have ever heard of me before. I m not necessarily making an account on his system in the classic username and password sense. A lot of times we want to enable a server or an application for something like identity. Scott Hanselman: Absolutely. Transcription by PWOP Productions, Page 3 of 9

4 Carl Franklin: So, his Website is going to go to where your Website tells him to validate and that will give him a yes or no that Scott Hanselman: No. so, I enter in my OpenID URI and then his Website redirects me to the OpenID provider that is listed. So, he goes and he says, his library, his OpenID library fetches my Website, finds that link at the top and looks at it, and then says, Ah I see. We re going to parse this HTML content, see the tag for OpenID server, and then it s going to communicate with that server, because I ve just redirected him to, in this case, my OpenID Website. I am going to then login to that Website, this is why I use the kind of the passport metaphor, but I don t want anyone to think that this is the next version of passport, it was just an example. But I m giving my secret, my password at this point to the centralized OpenID provider. (00:10:25) Carl Franklin: So, the provider is the guy who keeps your password. Is there a password involved? Scott Hanselman: Yeah. Well, this is the trick. So, there s nothing about OpenID that says there has to be a password. Certainly this is part of -- and we ll get to this when we talk about how they integrate it with CardSpace, because I ll be able to login to an OpenID provider and give them a card at some point, or I could give them a -- there s nothing about OpenID that says I couldn't use a Smart Card or some other secret, but basically I ve been redirected to the OpenID server, and it is to them that I need to prove that it s me, or I have an account with those guys, in this case, I give them my name and my password. I don t need to give them my name actually because the consumer will let them know that. Now, the server and the person who wants my information have negotiated a one time shared secret, and then I get logged in and I actually get a warning from the OpenID provider that says, Such and such a Website, Simon s Website is requesting your information, he wants your address or whatever other bit of profile. Carl Franklin: You say, I get this warning, who s me, who s I, and how does it come to you? Scott Hanselman: Okay, I m sorry. So, I m a guy who wants to log into a Website, I go to an OpenID enabled Website like Simon s Blog, I put in my OpenID, in the background his Blog parses that HTML, figures out who the server is, gets a shared secret temporarily with that server. He actually redirects in the browser, so I ve actually redirected to another Website in the browser that is my OpenID provider. I login to my OpenID provider, and because enough context has been sent over to that provider, he can then go all right, I see that it s you, here s someone who s requesting information from you, is this okay? Carl Franklin: So, you get a dialogue box in the browser? Scott Hanselman: I get just a Web page in the browser. This is all done in HTML, there s nothing about OpenID that requires JavaScript. So, then I m being told by this particular implementation of the OpenID server, do you want to allow this once, or allow it forever? Allow it forever would be the way of saying, I want to auto login to this guy s Website just by giving him my name if I m logged in and I want to remember my password. Then the consumer gets redirected to the server, the server then redirects back, and then it checks to see did anyone tamper with things, that shared secret, is that still legit? So, there is some backwards, chatter going on in the background, it s not an entirely client side, because the client can t store state, you can t store things like cookies. Now, there s an alternative state called a DOM Mode Carl Franklin: Well before we get too ahead of yourself, I just want to make sure -- I want to get the consumer experience from this. So, basically what I m going to do is when I go to login to somebody s Weblog, I have to paste in my URL, so it should be pretty short, right? Scott Hanselman: Well, you just type in your URL, whatever your URL is... Carl Franklin: And you type it in or you paste it in or whatever you do, you type it in. So, then you re redirected to another Website that says, Hey, this Website wants to do such and such, and so and so, will you allow them, yes or no? you go yes, and then you re effectively rerouted back or redirected back to the place that you wanted to login to. Is it that seamless? Scott Hanselman: It really is. Like if I go to -- like you can try this and follow with me even though you don t have an OpenID. We go to Jyte.com, and it is a low Web 2.0, kind of cute CMI hot or not type site, it s a little social site. In the upper corner it s a sign in with OpenID. So, I click on that, and notice the big text box has an OpenID icon in it, it s kind of an orange and gray icon, that s the kind of the standard way, it s a little overlay that lives in the text box a standard way of saying, I support OpenID. You can go ahead Transcription by PWOP Productions, Page 4 of 9

5 and try this Carl, I m going to type in Hanselman.com in my OpenID, you go ahead and do the same thing. Carl Franklin: I m actually not at a computer so. Scott Hanselman: Oh, okay. So, I m doing that I hit Sign in. Now, in the back I ve just been redirected to my OpenID, and I look in my URL, and there s a shared secret, it s a big long complicated thing. It looks like a typical passport of Google account, it s kind of really complicated URL thing that s been passed in, and it says, You must login to authenticate as Scott Hanselman. So, MyOpenID, this free OpenID server, you can go and get one of these yourself. Carl Franklin: So, yeah that s the missing thing is. Somewhere you have to put in a password, obviously. (00:15:02) Scott Hanselman: Right. If you look at my URL, I m on a secure site for OpenID on MyOpenID.com, and again, there will be many and there are many OpenID servers, MyOpenID is just the one that everyone is using right now. So, now I login it says, all right. It says, The site identifying itself as Jyte.com has asked us for confirmation that this is your identity URL. I have the choice, and this is actually just in HTML on the MyOpenID site allow for ever, allow once, or deny. So, I m just going to say, allow once. Now, I m looking and I ve been redirected back to Jyte.com, and I ve negotiated back and forth, and it says, Hello, Hanselminutes.com. because that s all it knows about me. Carl Franklin: But this a good segway to this. Obviously you can store more than just your identity, your password, you can store pieces of your address and all that other stuff that you like to fill in when you order stuff from Amazon or whatever. Scott Hanselman: So, you can actually have what s called personas, and this is one of the neat things. You can have multiple personas, and this is really up to the implementation of the OpenID server. So, on the MyOpenID site I can go in and I can say, Here's my default persona, and then I could say, But this is different from my public persona. I mean if I m person, if you may be you just want to be Carl F, and you don t want to spread yourself around as Carl Franklin, you could do that. You could basically have multiple personalities and sign in for some things as one person, and other things as another, and then you can go back to the OpenID site and see, I m clicking on sites, and I can see the twelve OpenID sites that I have trusted. I can see how many times that I ve approved that site, and I can also deny them. So, I could actually go back and say, Well, I m not going to allow Jyte.com, I m going to remove that from the list now. So, I have a complete list, and then it says, If I want to allow them explicitly. They actually won t prompt me if I m already logged in, they ll automatically send confirmation of my identity to these sites. So, it really puts you in the control, it s a lot like what CardSpace intended to do, intends to do, but it s all done in the browser, it doesn t have anything to do with any kind of client side stuff. So, it s of course as such and not requiring any JavaScript or anything, it s very friendly. If someone wanted to do AJAX implementations of sign in and stuff, it s really -- it doesn t care, it s very open in the way that it does things. Carl Franklin: I can t help but my mind is wandering to how can this work for not just a Web identity, but for spam and phishing and all of those other kinds of things. How does it apply to those problems? Scott Hanselman: Okay. Well, spam is a larger problem, but there s a thing called XRI, which is a new kind of Internet identifier, an XRI is an Extensible Resource Identifier, and an Iname is something that is a kind of an XRI. Like if you go to my Blog and you underneath my face, it says contact me and it says, Equals Scott.Hanselman. So, Equals Scott.Hanselman is my Iname, it s a unique identifier that represents me. Carl Franklin: Now, unique to what, the world? Scott Hanselman: Unique to the universe, exactly. Carl Franklin: Okay. You think you re the only Scott Hanselman in the world? Scott Hanselman: No. Now, there are Inames and then there are Inumbers. Carl Franklin: So, my flip question there gets to the question. The real question is how do you pick one while making sure it s unique? Scott Hanselman: Well, they handle the uniqueness. I mean a good question is, am I the only person that has Hanselminutes.com? Yes. Does that suck for the other Hanselmans in the world? Yes, it does. I give them if they ask. Carl Franklin: But when you picked it, did something validate the fact that it was available? Transcription by PWOP Productions, Page 5 of 9

6 Scott Hanselman: In this case, the people at the Iname provider in this case, just like when you decide to get a -- there s a directory just like DNS. Carl Franklin: User, if your username on a particular site. Okay, I get it. Scott Hanselman: Okay. So, in this case XRIs are also backward compatible with IP addresses and DNSs, DNS addressing rather. So, you could actually use your IP address as your Iname. I could just use Hanselminutes.com and that could be my XRI as well. Now, you can use your Iname as an OpenID identifier, and then they ll automatically do resolution of that. This is going to be an OpenID version 2, although there are a few implementations of 1.1 that will do this. So, this will mean that if I m not necessarily an individual who wants to have a Website or I don t want to use my Website as my identifier for some reason, I could use an XRI. (00:20:02) Scott Hanselman: Now, I got my Iname from a company called 2idi.com, and I use this to prevent spam, because it basically gives me a form that people can have to fill out rather than ing me, and it proves that they re a person by doing the whole, -- send them an , and then they have to click on a link, and it identifies that at least, if they re a bot they re a clever enough bot that could do all that work for me. I haven't got any spam through it yet. So, the point is though that they re trying to have ways for people to have these unique identifiers, and yes there are more than one Scott Hanselman, so there s no, probably no way to solve that problem. I m the only this case, person with Hanselminutes.com and the only person with that Equals Scott.Hanselman, so those can be used as my identifiers. So, now I don t have to go and pick a username in all of these different places, theoretically ever again. Now, how do I identify myself back to the OpenID server, that s really up to that implementation of the server, and again the OpenID spec doesn t necessarily say that it has to be a password. So, what they ve announced is a cooperation between the CardSpace team and the OpenID kind of group of people, because it s many, many people who re working on this kind of thing. Carl Franklin: I was going to say, I mean CardSpace overlaps a little bit in OpenID, does it not? Scott Hanselman: Yeah, OpenID could sit by itself, but there are some concerns that you could do a phishing attack by faking out an OpenID provider, so they could redirect me to a bad guy, and then I might type my password in. Integrating CardSpace with OpenID gives you kind of the best of both worlds. You get the CardSpace UI, the flexibility of them, of being able to export your card; it s more cryptographically significant on the client side. Future versions of CardSpace will include things like Smart Cards and rotating tokens and stuff. But OpenID is flexible enough that people will be able to use it, and they won t, may not necessarily have CardSpace on their system. So, by them collaborating, it allows kind of Identity 2.0 to happen regardless. This CardSpace is a brilliant idea, but to be clear, CardSpace is just an implementation of this concept called Information Cards, and there will be many implementations, CardSpace will just be the one that s the most ubiquitous. Carl Franklin: So, tell us a little bit again about this announcement that Bill Gates made at the RSA Conference about supporting OpenID? Scott Hanselman: Right. So, it s a big conference that s going on, actually right now, I think it will be done Friday in San Francisco, we ve actually got some people down there working the Microsoft both. Stuart Celarier is down there, giving demos on how to do CardSpace Banking Integration, which is something that we do at Corillian. I think there s about 15,000 people down there, and they basically announced a partnership between Microsoft, companies like JanRain, Sxip and VeriSign to integrate and interoperate between CardSpace and OpenID. Carl Franklin: Well, that s huge. Scott Hanselman: It is huge, and it s huge because it shows that this is such a big problem, there s really not as much time for bickering as there was in the past. I think that Microsoft is starting to recognize when a good idea happens, and it s not Microsoft s idea that they should still get excited about it, and get behind it. OpenID is a good idea. Carl Franklin: Yeah, Amen to that man. Scott Hanselman: So, Microsoft obviously recognizes that OpenID is going to be huge, and Kim Cameron is very pragmatic. He is the chief architect of Identity. So, they re going to work with the community and integrate OpenID support in any of the Microsoft Identity Server products, and they re going to make it, lets call, Transcription by PWOP Productions, Page 6 of 9

7 using Information Cards with OpenID profile. So, if I wanted to make a Website, I really wanted to support either of these options. I want someone to come to my site and be able to login with an OpenID or with an XRI, with a CardSpace, I want it to just work. I don t want to store passwords on my site. I mean imagine, think about that, you want to sit down tomorrow and make a site to login, first okay, username, password, these aren't things that we really want to be in the business of doing. I want to store a unique identifier for this individual, I might want to ask him for information about himself like his name, his first name, his last name, and his address, and I want to be able to retrieve that in such a way that it is secure, and I m not going to really store his secrets now, there s couple of different things there. Each time he logs in, I can retrieve those claims, those bits of information like his first name and his last name from the identity provider. (00:25:05) Scott Hanselman: So, I don t even technically have to store his first name and last name if I don t want to, that s a claim about who he is, I can store this unique identifier. Carl Franklin: It also takes the heat off of you as a Website owner who right now currently is storing personal information in your database, you re liable for that information if it gets out. Scott Hanselman: Right, exactly. Now, of course having it centralized like this, of course there s all sorts of anti-phishing things that they can go and add like this safe sign in, where you could have them show a picture, picture of yourself. So, if you ve visited a site and somehow you got phished and you didn t see that picture of yourself, and you might say, Well, I m possibly getting phished. People are also talking about creating a white list. So, I could go and rather than -- if someone stole some information, and somehow was able to start pretending to be me, I could go and say, I m only going to share my information with these sites, blacklist everybody else. Carl Franklin: Well, don t you do that anytime you login? Don t you do that? I mean the provider should have a list of the sites that you ve logged into? Scott Hanselman: Yeah, they do have a site, but right now they ll prompt you if you want to -- they ll say, This new site is designed to ask you something about yourself, do you want to allow that? You can allow or disallow. With a white list you d actually just automatically disallow. Carl Franklin: I see. Scott Hanselman: Now, there s also some cool stuff going on. All the different Web 2.0 companies are getting behind this, like have you ever done claiming your Blog on Technorati, at Technorati? Carl Franklin: I looked at that, and it looked a little bit complex and I just said, nah. Scott Hanselman: Yeah. So, claiming your Blog, Technorati is a Website that keeps track of all the technical folks that are Blogging and Carl Franklin: It s like a Google search for Blogs. Scott Hanselman: Yeah, and it also keeps track of the inter-relationships between those things. When you make a profile on Technorati, you have to claim your Blog, basically they need you to put a little bit of HTML in your Blog, so they can visit it and prove that you are the guy that really owns that URL. So, someone else can t go and claim Hanselminutes.com. They re integrating OpenID services, so you ll be able to claim your Blog by giving your OpenID, because if you could log in, then obviously you own that URL. Carl Franklin: Now, what is the benefit -- it s a side tangent I know, but what s the benefit of claiming your Blog for Technorati? Scott Hanselman: Oh yeah, that s totally a tangent. It just allows you to put a picture up and say that this is my Blog, go in and manage your ranking and different stuff like that. I don t pay any attention to that, to Technorati, but my point was that, this is an example of a Web 2.0 company who had an existing concept of identity, and they wanted to prove that someone owned something, and they invented a way to do it. Here put some HTML on your Blog, and we ll trust that it s really you. Go make a post, put the word poop in it, and then like, hey, look he posted, so he must own the Blog. That was a weird little dance that you had to do with this particular Web 2.0 Company, but with OpenID, that had an identity solution that was just obvious. So, it makes a lot of sense that they would just say, Oh, we ll use OpenID. That s exactly the problem that we re trying to solve. So, there s a really great screen cast, I know this is really not a very easy thing to talk about when you re doing it over audio like we are. Simon Willison has got a great screen cast that is up at shrinkster/lu3. If you look at one link Transcription by PWOP Productions, Page 7 of 9

8 in this whole show, just go to shrinkster/lu3 because it explains to you how to use OpenID, and then he has a link there called How to turn your blog into an OpenID. So, I think that the kind of the call to action for everyone is to go, add these two lines of code to your Blog, sign up with a MyOpenID.com, and then turn your Blog into an OpenID, and then kind of take a look around, practice logging in, and then maybe we ll do a show about how to actually integrate with OpenID, because there s a lot of really interesting things going on around that. For example, a company has made a plug-in to Apache that basically -- it s like how in IIS we ve got forms authentication, and basic auth and Windows integrated auth, they made a module for Apache that just boom poof, it s automatically OpenID enabled. So, I always do this, I think that I ll get the time to do that, I ll write an HTTP module or forms auth module for OpenID. So, I ll declare here that I ll try, and then probably two days from now someone smarter than me will have already pulled it off. Carl Franklin: That s the way it goes though. (00:29:52) Scott Hanselman: But creating something like that, like an authentication module for OpenID would be pretty awesome, and that s the kind of integration I think we re going to see. So, the Apache guys have already got that pluggable auth module, it makes it really, really easy. We were adding it do DasBlog, I talk to a couple of guys that have said, Yeah, when I get time I ll get around to doing it. Kevin Hammond already did the integration with CardSpace for DasBlog. So, I think more and more you re going to see at the very least in the short term. This will be a great way to associate your identity with an OpenID for the purpose of leaving a Blog comment, right, that s the obvious thing. Have you ever gone to a Blog, and wanted to leave a comment, and then they said, Go ahead and login, and go ahead make a new ID. Like Rory s Blog did this, didn t it? Carl Franklin: No, I don t remember that. No, I know that they use the chopska or whatever the heck it s called. Scott Hanselman: Capture, Carl Franklin: Capture, yeah. Scott Hanselman: It s been a couple of times in the last week where I really wanted to leave a comment somewhere, Engadget is another example, Engadget s a really popular Blog, and then they want me to create a profile, I m not going to -- there s a limit to the kind of site that I m going to go and create a profile on, and I m certainly not going to Carl Franklin: Yeah, some of those bigger sites I ve had that experience, yeah. Scott Hanselman: So, like for example, I m logging into a WordPress Blog. WordPress is a real popular Blog system, and it says, Well, you can login as a WordPress user with your username or password or your OpenID identity. So, then I m getting to MyOpenID site again, and it actually says, Select a persona and then it s saying, they would like to know my nickname, and my full name, and my address. At this point I could just decide to deny and say, I m not going to give this access, but they ve actually said, well, your nickname we d like that but your full name is optional. Like well, that s cool, so I m only going to give them my address, and I m only going to allow at once, and now I m logged into this WordPress Blog. It really puts people in control of their stuff, control of their identity. It actually makes me want to run around to a bunch of different Websites and just delete my information. Know what I mean, start cleaning up your identity online, because I ve got so many different accounts, probably 50 or 60; I mean just at all the different places that you ve very visited. Carl Franklin: There s a benefit to having all those accounts and all those passwords, and that is if one of them gets compromised, the rest don t get compromised. Scott Hanselman: Yeah, totally. Carl Franklin: Having anything in one place, has to be that much more secure in order for the world not to fall on your head. Scott Hanselman: Well there s a lot of really good resources out there, just search for OpenID on Google with one word, OpenID as one word. We ve put a collection of links up on the site, there s some really good PHP libraries for OpenID. Carl Franklin: OpenID.net I believe is one of the home bases for OpenID. Scott Hanselman: There s a couple of.net libraries as well. I haven't personally looked at them. Although one person has created a a guy named Andrew Arnot, I didn t put this link up, has created an OpenID control. So, it s just a drop the control on the page, and it enables that for Transcription by PWOP Productions, Page 8 of 9

9 OpenID. So, I haven't looked at that control personally. There s Ruby implementations of this. Carl Franklin: Well, we ll add a link to it anyway. Scott Hanselman: Yeah, we ll add a link. There s lots of different ways to get involved in this, and I think that we re going to see it becoming easier and easier. Now a control from a ASP.NET perspective is definitely a little different than I would do things, I might want a HTTP module, but if you go up to openidenabled.com. That is kind of the all things OpenID; you can get Python,.NET libraries. The.NET version is just a port of the OpenID stuff. Carl Franklin: Alright Scott. Well, that s a show. It s been a good one. I can t wait to dive into OpenID a little bit more. Thanks for whetting our appetite as always. Scott Hanselman: Thank you. Carl Franklin: All right. We ll see you next week on Hanselminutes. Transcription by PWOP Productions, Page 9 of 9