October 2006


The ability to link users’ data and more importantly their contributions on the Internet is becoming increasingly important. To me, identity is the key to unlocking the real potential of Web 2.0. Software is officially a commodity. It’s what you can do with the software and the data that you can build/aggregate that will really define Web 2.0. Identity is at the root of this. If I have one identity that I can use everywhere and keep track of my contributions and data across the Internet then some really amazing things happen. More on that in another post.

How do we get a ubiquitous solution for identity out there? Do we focus on all of the edge cases first or do we just get something out that works for a good chunk of the users first? I’m a fan of the iterative “get-it-out-now-and-continue-to-evolve-it” school of thought. We’ve seen the other way of doing this stuff and those technologies haven’t seen wide adoption among consumers. It’s got to work for users, be easy (and compelling) for sites to adopt as well as be secure. We’ve got the first two knocked out of the park with OpenID and things are getting easier and easier every day from a user/site perspective. We’ve even spun up a new user experience list.

Let’s remember that when the web originally was rolled out it was just a novelty. “Nobody will ever do banking on this thing.” But they did. SSL was created to solve the original limitations in HTTP and now billions of dollars/euros of commerce happen every day on the Internet.

There have been some heated discussions on the OpenID general mailing list regarding the lack of security in OpenID.

The one thing you should take away from this post is that security is a crucial concern of everyone in the OpenID community (including myself) and it’s something that is being addressed. We’re not there yet, but I do believe these things take time. Let me explain.

When OpenID was first developed, it was meant to be a very simple method of doing authentication. “I am this URL” was what it really was saying. This was perfect for the blogging community where it got its start. When commenting in the blogosphere, I’d like to be able to do it quickly and easily and ideally hook it back to my blog. OpenID was perfect for that.

OpenID v1.0 and even v1.1 were very rudimentary and solved maybe 80% of the use cases for what user-centric identity was aiming to do. In doing that it only took a 10 page specification. As you increase the use cases you want to handle, it gets more difficult to design and more importantly to implement and adopt. If we tried to cover all 100% of use cases from day one a) we would have gotten it wrong and wasted a bunch of time and b) it would have been impossible for anyone to implement quickly and easily.

The key factor we have to consider here is, does OpenID and its community have what it takes to become the ubiquitous solution for doing user-centric identity in a secure fashion on the Internet? I believe it does. An ever-growing eco-system of users, sites, vendors and communities are seeing its advantages based on its own merits. Lots of good discussions are happening on making this more secure and those changes are going into the specification.

OpenID is about striking a balance. User-centric identity is inevitable and it’s one of those problems that’s just perfect for solving in the “open source way”. The rate of adoption is quickly increasing and our ability to secure users’ identities with it is also getting better. If we hadn’t started out with something then there wouldn’t be anything to argue about.

We’re almost there. OpenID is at a tipping point. The users, sites and communities are coming and more importantly, are desperate for a solution to this problem. The best is yet to come.

I think one of my all-time favorite quotes is when Brad Fitzpatrick was referring to why he implemented OpenID. “I just wanted to make the Internet suck less.” (man I hope I’m not screwing that up)

A lot of really smart people have been trying to crack the single sign-on nut for quite some time. It’s a hard problem. Somebody has to take a stab at it. Somebody had to do it. To me, a technology like this is something that is really going to enable Web 2.0. It’s great that we’ve got all of these sites out there that do some amazing things, but do I really need another username and password combination to remember?! (Who is that other ‘kveton’ out there that keeps taking my username btw!!)

“Google, Yahoo and Microsoft will never adopt this!” you say. True. Possibly. The fact is, those sites have had quite a bit of their valuation placed on them by the number of users they have. Giving up “ownership” of the users would be bad in their case. But I disagree.

If you could quickly and easily participate in conversations on the web, wouldn’t that be great? No more registration screens. Period. You’d just login with your OpenID and be off and running. You could comment on blogs easier. Give props to some guy who just did a sweet video on YouTube. Share your photos with your family easier. (yes, I just said ‘sweet’; in my defense I was talking about YouTube). Most of the sites in the long tail don’t have “manage user accounts” in their mission statements. OpenID is the platform that helps these sites focus on their main thing.

So why on earth would Technorati want to support this emerging technology? The blogosphere is curious too. Well, they are a company that tracks blogs. And OpenID was pioneered by Brad Fitzpatrick who works at a pretty big blog company. To me it makes perfect sense.

But really. Somebody had to do it. Somebody had to get the ball rolling on user-centric identity before the big players ace all of the smaller guys out of the game. At the end of the day, the Internet officially sucks less in my eyes.

Jason Barnabe (the keeper of the keys at userstyles.org) let me know via email today that they have added support for OpenID on their site. userstyles.org is a collection of styles that puts you in control of the appearance of websites and of Mozilla applications. Very, very cool.

At this rate, the world will be OpenID enabled in about 20 minutes. :-)

Very exciting news from Technorati about their support for claiming blogs via OpenID.

This platform is just getting more and more exciting all the time. A couple of points from the article. First off, it’s Zooomr (note the extra ‘o’ in there). I also updated folks on the status of the bounty program as well.

Great news and fantastic work by the Technorati crew!

PS - feel free to leave a comment with your OpenID here … :-)

More on DTP

I noticed a post by Paul Madsen today about the proposed DTP specification that is up on the openid.net site.

This OpenID proposal ignores existing XML-based standards that provide the very same functionality.

These alternatives are admittedly somewhat obscure in the industry, little known specs like SOAP, WS-Addressing, WS-Security, XML Signature, and XML Encryption.

First off, the DTP specification is just a proposal. It is not a formal part of OpenID yet. Also, this is a really, really rough draft of the proposal that is constantly in motion right now. The fact that it ignores other standards may be true but one of the design goals is to do for data transfer what OpenID has done for single sign-on; light-weight, simple, easy-to-implement, etc. Think of the proposal as a best-of-breed of those heavier technologies. The same can be said of OpenID as it relates to SAML, Sxip and Passport.

DTP is the natural progression of the OpenID stack (at least we’re hoping we can make it work that way). First there was discovery with Yadis, then authentication and now we’re moving up the stack to look at things like attribute exchange and data transfer. These specifications are proposals today and will continue to evolve as we see how they play out in the OpenID eco-system.

Participation is always welcome! :-)

Kim: you’re officially the fastest person in the world at responding to blog posts … :-)

I’ve always said I’m for interoperability … heck, I’ve made a living at it. Choice for the user is always a good thing.

My answer? You build interfaces and test them. You look at the numbers. You test phishing approaches on a wide assortment of people. You find out what works and doesn’t, and keep evolving the interface. If we take this as a starting point, we’ll all end up agreeing.

The problem with redirection within the conventional browser is there is no way to know for sure where you’ve ended up - especially if you aren’t a network engineer.

I actually think we’re in agreement here; we both want to find the best experience for end-users and it’s going to require their involvement to make that happen. Just as InfoCard may not be the end-all-be-all, so too could be the same for OpenID. Either way, both move the ball forward and conversations are happening to make sure interoperability occurs.

There is wisdom in this. But if Kvelton is against giving the InfoCard visual metaphor a try, then I don’t get it. It does nothing to undermine OpenID.

I’m all for trying InfoCard visual metaphor. I’m just trying to figure out how you drive adoption of such a different paradigm, hence my comments on iterative development and the OpenID process.

Lots and lots and lots and lots of discussion going on regarding BBauth and OpenID.

Kim Cameron had an interesting post today concerning the interface issues with BBauth as well as OpenID:

My concerns really originate with the user interface issues. And OpenID has the same problems to the extent that people end up with multiple identity providers (which they will).

I appreciate Kim’s passion about InfoCards and the concept of a consistent user interface. I think it’s a fantastic idea. So let’s be pragmatic about it. We’re here today: no consistent user interface, lots of usernames and passwords and phishing is a huge problem. We want to get here: consistent user interface, one username and password and phishing becomes a thing of the past. Great. Where do we start? I don’t think InfoCard is the answer. Let me explain.

How do we know InfoCard provides a great interface for users? When I first saw and used an InfoCard it freaked me out. “What the heck is popping onto my screen?!” Talk about a paradigm shift. Answering the this-is-a-great-user-interface question is an iterative process. It takes time and lots and lots of user input. The fact is we have no idea how users are going to use user-centric identity so how can we make assumptions about the user interface today that aren’t iterative?

But if this type of SSO were to become a massive success, that success would bring about its downfall. For it would then be worth attacking and very vulnerable at the same time.

If something like OpenID or BBAuth takes off, there won’t be a downfall. The platform will continue to evolve and get better. Is InfoCard the final and complete answer? We have no idea. The real question is which platform is best suited to constant evolution? Like Kim is a broken record about InfoCards (his words, not mine), I’m the same way about OpenID … :-) I believe OpenID is best suited to this kind of evolution.

OpenID is incremental by its nature. It’s not a quantum leap. It’s a URL. Users today are starting to think more and more in terms of URLs … just ask a MySpace or blog user (I have cold hard data on this one; my babysitter is a MySpace user). It’s iterative. We’re not trying to boil the ocean in the first go at this. We don’t know how users are going to use this thing. So let’s make the fewest number of assumptions for the users before we deliver something. Watch how they use it, find out what makes sense. Repeat.

Is BBauth, CardSpace or OpenID the end-all-be-all solutions for single sign-on? Definitely not today. One thing is clear though; companies and users alike are seeing the value of user-centric identity and it’s slowly but surely happening; CardSpace, OpenID and BBauth are clear indications of this. This stuff doesn’t happen overnight but the ship is slowly turning in the right direction.

I was really excited today to see the release of a new Wordpress OpenID Plugin. This is a brand new plugin and I got it working with just a little tweaking for my specific install here.

Props to Alan and Hans for getting this sucker ready to go!! Come one, come all OpenID users!! :-)

Now, if we can just get this into Wordpress core we could get a cool $5000 for Wordpress.org from the OpenID Bounty Program!

First off, I’m just summarizing a bunch of really hard work that everyone is doing on the OpenID specifications mailing list. Josh Hoyt, David Recordon, Brad Fitzpatrick, Dick Hardt and the entire OpenID community are really slaving away on making OpenID v2.0 really great.

There are a few changes still pending but the current goal is to have the v2.0 specification completed by Friday 10/13/2006. Code should be quick to follow for Python, PHP, Ruby, Perl and Java (quick == days not weeks). Most of the remaining changes are technical in nature and don’t have a major impact on the functionality of OpenID.

Work continues on the specification as we’re starting to move up the stack. Dick Hardt has proposed a specification around attribute exchange and the vocabulary around that exchange. Attribute exchange is one of those things that will really start to make OpenID compelling. OpenID gives me a unique identifier that I can use anywhere that consumes them. This is my single, unique identifier that describes me. Attribute exchange allows the user to associate name/value pairs with that identifier. Now I can do things like deliver shipping address or my avatar to a site once-and-for-all without having to enter it again and again. Very cool stuff.

We’re also working on a data exchange protocol for OpenID as well. This will really round-out OpenID as a real platform for identity. The use-case is simple; messaging today sucks. Email is broken beyond reason (anybody can forge the From: field), instant messaging is a completely fragmented market (I love Meebo but it’s a kludge because we have 4+ IM networks that don’t interoperate). If I have a single, unique identifier with OpenID wouldn’t it be great if I could use it for messaging? Wouldn’t it be great if I could do it securely? I could send a message to an OpenID user that they know came from me and that I know only they can read. The possibilities here are endless. Email. Instant messaging. Legal documents. Medical records, etc. Now we’re not delusional here; this is all going to take time. However, it’s coming.

We’re making progress and OpenID is really starting to gain some momentum. More and more users and sites are looking to adopt it and we’re so glad people have been patient while we’ve been getting v2.0 as ready-as-we-can-get-it. Keep an eye on this space for more updates about OpenID.

It’s been almost three months since we launched the OpenID Bounty Program and I wanted to give a status update.

First off, we knew going into this it would take awhile. We have never wanted to try and force an issue like this with an open source community; if they are interested great. But it still takes time to work through the community plumbing. Secondly, we’re actually still working on OpenID v2.0 but we’re getting close. As soon as it’s out, we’ll be looking for sites to implement it to claim the bounty prize money. Now, onward to the summary! :-)

MediaWiki

Evan Prodromou from Wikitravel has implemented an OpenID patch for MediaWiki and enabled it on his site. He had this done in early August so somehow I believe he was thinking about it long before the bounty program.

I’m really excited about this one because of the possible impact this could have on the wikisphere (yes, I just coined that word). If I have a common login that I can use across sites I can now track contributions across those sites very easily. I won’t say more, but some very smart people are working on some very cool stuff to make that happen.

Zope/Plone

Wichert Akkerman wrote in to share that he has successfully integrated OpenID with Zope and by extension also Plone. This is really exciting as Zope and Plone have big audiences in Europe, non-profit and government spaces. Thanks Wiggy!

phpBB

Just today the OpenID general discussion list got word that there is a phpBB patch coming along quite nicely. Dmitry Shechtman chimed in with some great screen shots of the prototype. Go Dmitry go!

Joomla

The Joomla folks showed some interest early on but I haven’t seen much activity since. One of the concerns raised in the Joomla forum posting was about branding. The comment was that the bounty was great but had unacceptable strings attached. The reason we put those guidelines there is to help with the user experience. We’re hoping that with the logo in the form and a common “theme” for how OpenID logins look we can ease the transition for users and make it easier for them to use them. Now, these are in fact guidelines and the fact is not every site will want to have the OpenID logo. We’re hoping in the (not so distant) future people won’t even need it because it’s as ubiquitous as “http” in a URL … how many companies put the http:// in their print ads or commercials?

Drupal

I’ve had several discussions with Dries Buytaert who heads up the Drupal project about ways we could get OpenID into core. As it stands right now, Drupal tries to limit its dependence on outside libraries as much as possible. Today, support for OpenID comes from outside libraries that are rather large in comparison to other Drupal modules. This is completely understandable IMHO. That said, I’ve seen some activity for possible integration into Drupal 5.0 as well as older versions like Drupal 4.6. We’re of course eating our own dogfood and using the patch that we cooked up for the Drupal-powered JanRain corporate website. I’d love for OpenID to make it into core there … :-)

Others

We’ve had some other discussions with other projects but nothing concrete yet. I’d really love to get Wordpress enabled as this blog is powered by Wordpress … :-) I also think that Akismet is a great solution to help with comment spam with OpenID comments. Spammers are bound to start spinning up identity providers for the sake of comment spamming. Akismet would be a great way to up-end that.

Do you have an update about an application that you’re OpenID enabling? Feel free to let me know and I’ll get it up here!


About

This is the blog of Scott Kveton, digital identity promoter, open source contributor, avid gardener, passionate pizza maker, loving husband and proud father.
