September 2006

Just another busy weekend of blogging here in the Kveton household. New baby is doing great but its funny being home for such a long stretch without being at work. Now I know what Kami is talking about when she says she’s getting ‘cabin fever’ … haha … :-)

Couple of funny/discouraging things happened in the last couple of days that just make me want to laugh/cry:

Qwest: The spirit of service! Just not rebates!: I had had free Internet at the home for about 8 months when it finally got shut down. No problem. I looked at both a cable modem and DSL. I know, I know. DSL stinks in comparison no matter how many Verizon or Qwest commercials tell you otherwise (do people still use dial-up?!). That said, there was an offer for $25 off and only $19.99 per month for the first year for DSL from Qwest. I bit and went for it. Flash forward a few months later. The DSL is awful. Constantly down, never a reliable speed, etc. This morning I checked my email and said my request for the $25 rebate had also been denied because I didn’t include my first months bill. Huh?! It was a web form. How do I do that?! The email said I’ll be getting a note via snail mail with instructions on “how you might be able to rectify the situation”. Huh? So at $19.99 (really $26+ when you factor in “taxes & fees”) per month you get bad service and no rebate. Sweet!

Press 1 if you’re stupid!: I’m on the National Do Not Call List but I’ve been noticing a lot of calls lately from foreign countries to my house. I never seem to get to the calls in time except for last night. I pick up the phone only to hear that long pause that usually means one of the telemarketers hasn’t gotten to the phone only to be greeted by a recording telling me about a great offer for lower mortgage rates. “If you would like to hear more about this offer, please dial 1!” he says. I of course dial 1 just so I can give an operator a earful. About a minute later my call is switched across two oceans to some poor woman in India. “Hi” I say. “I’m on the National Do Not Call List, could you take me off of your call list?” “But sir, you opted to hear more by dialing 1 when prompted.” At this point, I of course started to cry.

Yahoo! announced yesterday that they are opening up their authentication mechanisms so that you can get access to users’ data stored in Yahoo (with their permission of course) as well as leverage account information for single sign-on. They offered up some PHP example code and have even opened it up further than Google has with their efforts.

I’m going to say it: this is fantastic. I know, I know. I’m reading a bunch of notes on the identity gang mailing list about how bad this is going to be or how this isn’t really open (just deepening the silo). I think some of that is true but in the grand scheme of things this is a fantastic step in the right direction.

With the emergence of technologies like OpenID and InfoCard its clear that there are some excellent technological solutions to the concept of user-centric identity. My biggest concern is that Yahoo!, Google and Microsoft join forces and do a federation between their sites (and only their sites). If I still have to keep all of my data in any one of those places, its no worse than me only being able to get cable, phone and Internet from a very few providers (read: monopolies). Could that happen? Dunno. I don’t think its likely with the way things are shaping up between Google and Microsoft; those two companies are way to competitive to collaborate on something like this.

It really would be great if instead of deepening their silo, Yahoo! had instead chosen to use OpenID. I do think people are still a little weary of this new technology. I get it time and again when I see the rolling of the eyes and the ole’ “been there, done that” look on people’s faces when I tell them about it. That said, every day the momentum is continuing to pick up. I see more and more sites adopting it, the use of our identity provider platform is just exploding and there is a palpable shift as we’re approaching a tipping point. Is it ready for a Yahoo!? Probably not quite yet. 6 months and we’ll be there. And guess what? Both Yahoo! and Google are getting closer to what we really want which is a truly open, decentralized, user-centric system for identity management.

You’ve got to crawl before you can walk.

Do you remember playing with a Brio trainset when you were a kid? They are made out of wood, very solid, well-built toys. I loved them as a child and now I love them as a parent.

Until I found out how much they cost.

Brio is a toy company that has been around since 1884 and has a long history being a manufacturer of “Safe, Durable, Open ended Toys”. I even admit that their goals as a company are quite good as well.

I’m all for local artisans doing craft work. I’m all for supporting a vendor that has done great work over the years. But c’mon. $20 for a wooden train engines and even closer to extortion for the tracks it runs on?! Are you kidding me?! Fortunately we were gifted a big set of this stuff from my in-laws but still our son loves them and always runs to that part of the store when we go toy shopping. But last week, I got lucky.

I was wandering the aisles at Target in Albany, OR and Živio noticed it before I did; a knock off train engine set that is identical to the Brio stuff. Hooray!!

Now I know what you’re thinking. You’re not supporting this company and more importantly supporting a company that is ripping off the Brio train set style and setup. Agreed. However, its the 21st century. Why wouldn’t Brio just source this stuff through China (where the knock-off was made) and then have their folks in the UK focus on design of new cool engines and tracks? The price would go down, the volume would go up and the world would be full of Brio products.

I also know that Brio likes to support the many small toy shops that carry their products. They do this by not providing the means to purchase directly from them on-line via their website. Again, this seems a little nuts to me. Its not like I can’t get this stuff on-line if I want to. Why not take advantage of that and sell directly cutting out the middle man? If I have a local shop and look at the toys there, I’ll buy them. But if I live in a small town (like I do) odds are its harder to find a dealer of Brio toys. Not only that, they don’t do any favors for dealers in any other countries than the UK and Ireland; there is no store finder for those places.

Doing these two things would be a great IMHO - I love these toys. So simple, very few bells and whistles and I know my son has spent literally countless hours playing with them. Making it easier to get them, driving down the price and increasing their ubiquity are all good for Brio and kids alike.

Just my $0.02 as a parent and purchaser of toys.

Kami and I are proud to annouce the birth of our daughter Anežka Ann Kveton who was born today at 11:54 AM PST here in lovely Corvallis. She weighed in at 8 lbs 12 oz and 21 inches. Mother and baby are doing wonderfully well.

I’ve been watching with much interest into the recent changes that have happened at Facebook. The gist of it is that they added some new functionality to the site that changes the way user profile information is shared and more importantly how changes are shared.

I ran across some great posts by Fred Stutzman about the whole debacle. Fred has some great comments in there and good insight to why such a screw up is really such a screw up.

Lesson #1 in community building/management: community feedback is critical to the success of your product. The Facebook community does not like these new features. Guess what? They can (and will) vote with their feet here and either a) not use Facebook b) use Facebook less or c) go somewhere else. I find it ironic that Facebook overlooked the key component that has made them successful; their community. Facebook, MySpace, even Digg and Slashdot are sites that are meant to cater to the needs of their communities. If you don’t meet those needs, users leave. If you piss them off, they revolt. This is a pretty simple formula.

Facebook replied effectively saying “Relax, Breathe” … and what? Get over it? That’s nuts. The first thing I would have done? Pulled the features. Yep, that’s right. I would have reverted immediately. Actually waiting a little bit longer to pull the features might be good for them. They might actually achieve the New Coke formula fiasco that actually resulted in a major win for Coca Cola. Make a big splash today about removing the features and your users will thank you. Not only that, they will be that much more loyal.

What would have been a better way to go about this? With large social networks like this you can’t introduce features like this with the flip of a switch. Was there any testing done? Any feedback from users? In fact, did the users even ask for it? If I were Facebook I would launch, you guessed it, labs.facebook.com where they could vet new features and engage the users so there aren’t any surprises. There will always be people who don’t like change or new functionality. However, if you can sway the early adoptors and thought leaders, that impact will be much less.

Update: It looks like the folks at Facebook have listened to their users. Great news.

OpenID has been around for almost 18 months now. In its original form, it was extremely simple. As a matter of fact, it was too simple. So OpenID v1.1 came out with the Simple Registration Extension based on user/site feedback. The scope and momentum of OpenID started to pick up with LiveJournal being OpenID-enabled and folks like JanRain, Cordance, Verisign, Sxip and others getting into the mix. The technology evolved, the umbrella grew but the premise remained the same; keep it simple, light-weight and decentralized.

OpenID started with a very simple assumption by one guy. Its grown over time and is really starting to mature as a protocol. Sometimes it takes a person who can just say “screw it, I’m doing it this way” to get something going. I call it the Firefox Effect; two or three people that solve a major pain point can gain adoption quickly. Blake and Ben did it with the original Firefox; not everybody in the Mozilla world was really excited with that product when they did it. Had you gone back to the drawing board from the start and said “Let’s build Firefox” with a team of developers and stakeholders it most likely would have failed. The same thing is true with OpenID. Something like that requires a big push, minimal tact and a serious pain point.

Although announced awhile ago, Sun finally released their Open Source Single Sign-on solution on Tuesday.

It’s great that Sun is embracing open source by releasing their products under the OSI-approved CDDL. I can see some great applications for OpenSSO in the higher education space that is leveraging a lot of Java technologies already. However, I’m still left thinking this is another attempt by a big company to say “Hey! Internet! Come build an eco-system around our product! Look, its Open Source ™!!” Yes, I’m biased. I think there is a better way with OpenID.

OpenID really is a grassroots, bottom-up approach. For something like this to be compelling there can be no hook back to the “mother ship”. Its truly got to be open and decentralized and that’s one of the main reasons people are finding it compelling. Has federated identity failed? In the past, yes. I believe in 5 years, there will be a federated identity that people use all over the Internet; you’ll have one login and it won’t be controlled by anyone but you. OpenID is hopefully going to be the driver of that; the HTTP of identity. Nobody but you should own your identity.

I often receive questions from folks via email about OpenID. I like getting the notes but always feel like I could be doing more in terms of answering them. Plus I’m a geek so if I do something more than once I think there should be a bash/perl script to do it for me. Here is one of the questions I recently received (the names have been changed to protect the innocent):

If I create today an identity say at `bob.foo.com’, can I move that identity later to a different location? Say my initial identity is hosted by my employer, and I switch jobs, I would like my identity to come with me; For instance are there mechanisms to:

* Not depend on the actual string `bob.foo.com’, but some actual key generated that actually is hosted in bob.foo.com?

* Be able to fetch the data so I can later host it at bob.newdomain.com?

This is not the first time time we have heard this question come up. My advice today? Make sure you pick an OpenID that you’d like to have for a long time. There isn’t a solution for this yet as most of the solutions out there today (for example, i-names) require some sort of centralized registry. (Full disclosure: JanRain is bringing up an i-broker as part of the i-names eco-system). The main premise around OpenID has been de-centralization and simplicity. Having a centralized registry flies in the face of that as well as adds another level of complexity. What I’m saying is I don’t have an answer for this, but again, I believe the community and marketplace will solve this problem in the very near future.

I should also mention that from its inception, OpenID was meant for really light-weight applications. Yes, its maturing and adding new functionality that makes it more robust. However, if you change your blog from LiveJournal to Wordpress today you can’t take your posts with you and more importantly your “identity” with you (unless of course you leverage something like claimID).

Finally, OpenID also has the concept of delegation. I can have two lines of code HTML on my site and delegate that to some identity provider. View source on Brian’s page to see an example of delegation in action. Its not ideal, but its definitely a start and it does give users more of a sense of control.

* What kind of security is there to prevent someone breaking into one of the openid servers from pretending to be me?

Today, it is a strong password. Versign recently proposed the concept of security profiles. The ability to choose the level of security you use for different applications. For things like blogging or commenting in forums probably don’t require heavy authentication. As we move into the realm of doing more “important” stuff with OpenID’s, these profiles will be critical and give the users choice in terms of picking how much/how little security they want. I also see the opportunity for value-adds in this space on top of OpenID as great business opportunities. However, it all starts with a unique identifier and that identifier is your OpenID.

These security profiles will hopefully go a long way towards addressing possibilities with man-in-the-middle and phishing attacks. DNS poisoning is also still an option but IMHO one of those “The Internet Sucks ™” problems.

Are there any available OpenID servers that I can run myself?

As a matter of fact there are. Shameless plug: we’ve developed a PHP Standalone Server that is open source and soon to be part of the ASF Heraldry Project. In addition, Verisign will be donating the Ruby on Rails code base that powers their PIP identity provider to the Heraldry project as well. I’m sure we’ll see versions of these servers in many more languages soon as the libraries start to mature and proliferate.