July 2006

OSCON 2006 was a big success last week. Lots of buzz generated around the bounty program for OpenID. A couple of questions came up while I was roaming around on the showroom floor that I’d like to address here.

First off, there is still a bit of confusion between centralized v. federated identity.

OpenID is a federated identity system. Great. What the heck does that mean anyways?! Technically it means the ability of a user to login to multiple systems or even organizations. Yes, that is an insanely simplistic view of it and I could probably go on for hours about it but I won’t … you’re welcome …

On the other end of the spectrum we have the centralized identity solutions. The obvious example here is that of Microsoft’s Passport.net. You can get a login to Passport that allows you to login to all of their services (MSN, Messenger, Mail, etc) as well as a few outside services that are part of the Passport network. The problem with centralized identity like this is that I’m stuck with the network; if they do evil things, there is no recourse for me. Industry is fickle and people don’t want to be at the whim of the bottom-line (”What if we delivered *more* ads to the users?! We’ll triple our profits!!”). If there is one thing you take away from this post its that OpenID is not Passport. Take just about everything that Passport is and reverse it. I have to wonder if that’s how Brad came up with it in the first place.

The best example I can give to describe how OpenID is different from Passport and the centralized model is to look at the cell phone space (bear with me here). I consider my cell phone number to be an identifier of me. Now, with cell phone number portability, I can take it with me when I move from provider to provider. I’ve had my last number with 3 different providers. This just great. Even if a provider goes out of business or does “bad things” I can keep my number and change providers. Now apply this to OpenID. I can go to a provider and get a free OpenID account and use that or, I can get my own domain and do it there. The best part about this is its like being able to bring up your own cell network; I can land a box under my desk behind my DSL line that serves up my identity. That’s pretty cool (albeit not very scalable/wise/etc. from a single-point-of-failure standpoint).

The major downer here, and one that will hopefully be addressed soon, is the fact that if you’re foo.identityprovider.com and identityprovider.com goes belly up, so too does your identity. I don’t have a good answer for this other than “we should fix this”. Its a problem for people that want to rely on an identity provider to handle everything for them (not many people will want to run their own OpenID servers).

As a final note, I’ll mention the fact that even if all of the companies supporting OpenID go belly up, OpenID will still exist. There is no cabal. If you have a web server that can run PHP, Perl, Python, Ruby, Java or .NET (BTW - those libraries are all open source), then you can set yourself up with an OpenID server and co-exist with the rest of the global OpenID eco-system.

What better place then OSCON to announce the OpenID Code Bounty for open source projects. Integrate OpenID into your open source project and we’ll give $5,000 to your project.

We’ve seen OpenID really start to gain some momentum over the past couple of months and this Bounty program is really the exclamation point on that. There is a great list of sponsors for the program that includes people, organizations and businesses focused on building a simple, light-weight and decentralized user-centric identity platform around OpenID. Working with all of these people over the last couple of weeks has proven to me that convergence is really happening around OpenID.

I hope to see everybody down on the exhibit hall floor today as we spread the good word about the OpenID Code Bounty!! I’ll be the guy in the JanRain t-shirt …

Oh man!! This week is gonna be a hoot!! OSCON is here in our stomping grounds and its already shaping up to be a blast!

I have been chatting with people here in Portland as folks have trickled in for the conference and a frequent theme that I’ve heard is that “OpenID is just the Web 2.0 folks giving the finger to the big guys.” Hmm. Well, personally, I’m not that crass … ha! Seriously though, I think this is a good point and one I’d like to address here.

At the outset, OpenID was really a very simple idea; make it so you can login to multiple websites without having to create a new account if you want to comment on a blog or a forum. Wow. That’s pretty simple. Too simple some might say. Well, it meets a largish chunk of use-cases for a specific type application. Great.

Today, the story for OpenID is much richer as the specification has matured. OpenID v2.0 is looking to be a very solid platform that addresses many of the concerns people had with v1.0. OpenID v3.0 is making the tent even bigger and talks with some of the “big guys” are already happening in earnest.

Now, let’s look at where we’re at today and where OpenID v1.0 was less than a year ago. Take all of the people sitting around the OpenID table right now and go back to a year ago and say “create a simple, light-weight, decentralized protocol for doing authentication on the web”. Ugh. It most likely would not work.

Instead, we’re seeing a different approach. The simple specification got out there. People liked it (and some didn’t). It has changed. It’s evolving. It will continue to evolve. As the “big guys” work to make it simpler to integrate their stuff in general, we’ll be working to make it simple to integrate the “big guys” themes into something that is already simple. Do you see what I’m driving at here?

Is this the best method for adoption? Is this the best method for creating a user-centric protocol that can become ubiquitous? Is OpenID the best technology in the world? I can confidently say ‘No’ to all of those things. But for some reason, the train keeps moving forward, the tent keeps getting bigger.

Convergence is a journey. No beginning. No end. Today OpenID doesn’t meet all of the use cases. Tomorrow, it just might. As users use it, as we watch it mature, as people beat it up, as it changes, it will become a better platform because of it.

I’m really excited that Kristopher and the folks over at Zooomr have worked out their difficulties and have finally launched Zooomr 2.0. We here at JanRain are really excited because Zooomr 2.0 leverages our OpenID IdP site MyOpenID.com.

The MyOpenID infrastructure is doing just great and we’re excited about the influx of new users that are officially taking control of their identities!

People have been asking me over the last couple of weeks what it is exactly that I’m working on (not the least of which are my parents). When I first was introduced to the identity space I talked about it on my blog and with people all over the place. Invariably, I have people ask me, “So why OpenID?”

In December of 2005 I happened upon OpenID and I was intrigued. Brad’s specification and the information he put up at openid.net were minimal at best. For me, that really rang true. Fewer assumptions?! Easy to implement?! 10 page specification?! C’mon! Identity is supposed to be complicated. There are too many nuances, problems, etc to deal with it in 10 pages. But the fact remains when you don’t have ubiquity; less is more.

What always has interested me about OpenID was that within only a few minutes you could get up and running and using it. There are some great libraries (shameless plug) as well as a growing user base. It really is a decentralized, it really does allow users to take control of their identities.

Is OpenID the best technology? Not yet. However, some of the best technologists I’ve ever met are working on it. That gives OpenID something that a lot of technologies haven’t had before them; collaborative momentum. The people involved with OpenID realize that a) we have to have something that is defacto and b) we don’t really know how users are going to use this stuff. We’ve realized that we don’t need a Sony Betamax, we need VHS.

Alright, so what do I mean by we have to have something that is defacto? Over the past 10+ years there have been a lot of really smart people trying to solve the problem of distributed/user-centric/federated identity. Literally thousands upon thousands of hours have gone into developing specifications, use cases and actual code but today we still don’t have any sort of standard. So. Maybe we should try a different way. Something organic. Something that is incremental that actually watches how the users use the technology and adapts from there. Hence b) … figure out how users are going to use this stuff. Then repeat.

Think about the concept of truly horizontal identity. Really take a moment and think about how disruptive a technology like this will be. Add to that the fact that its decentralized and user driven. The technology is going to adapt and mature based on where the users go. Developers will innovate on top of the OpenID platform (another benefit of its simplicity) and users will find and use the best apps. Then again, we’ll repeat.

So, b). Imagine going back to 1985 and trying explain eBay. You can’t do it. “First, there’s going to be this thing called the Internet.” Heh. I honestly believe that the ability for users to maintain their own identities that are horizontal (not multiple instances of themselves in vertical silos) to the web will be hugely disruptive moving forward and will result in a major win for end users.

But first, there will be this thing called OpenID …