January 2007

Brian and Dag have been working hard over the past few months on our latest service, Jyte. Jyte is our latest foray into the world of OpenID identity services.

We have been thinking quite a bit about what it means to have an OpenID lately. Now that you have this unique identity as far as the Internet is concerned, what does that mean for who you are and the people you know? The possibilities are endless but we knew we had to start somewhere.

Jyte is a simple service that allows you to associate claims, credibility and contacts to build a reputation with your OpenID:

  • Claims: Claims are exactly what you’d think they are: claims about you or someone you know. They can be as random as “Scott Kveton likes Red Bull” or something more meaningful like “Gabe Wachob is trustworthy”. Users can then vote on these claims, helping to either confirm or refute them. Since these claims are tied to an OpenID, you could feasibly use them anywhere that OpenID is supported. We’ll have a claim widget coming out soon that will allow you to embed claims into your blog, wiki, etc.
  • Cred: Jyte uses a “gift-based economy” for people interested in developing their on-line credibility. A similar reputation currency called “whuffie” is featured in Cory Doctorow’s science fiction novel, Down and Out in the Magic Kingdom. You can give another user cred using tags to signify that you respect their abilities or qualities in a certain area. For example, if you think your friend Jason is good at darts, you would give him cred using the tag “darts”. If you are a dart expert, and already have lots of “darts” cred, then Jason’s “darts” cred will go up quite a bit. If you have no “darts” cred, Jason will get only a small amount of “darts” cred. If you know somebody that deserves some cred, you can give it to them on their profile page.
  • Contacts: As you’re making and voting on claims, and giving and building up cred, you’ll also be creating a list of contacts. Since these contacts are made up of OpenIDs, you’re actually creating a list of contacts that is unique for you on the web. We have a simple API for accessing these lists based on the tags you give them that you can apply to your blog, photo sharing site or wiki. We’ll be publishing these lists in other formats such as XFN and FOAF in the coming weeks. For example, if you wanted to test to see if a certain user was a member of your contacts or also an avid gardener, you could query this via the API and apply it to do access control or whitelisting on your blog. See the contacts page in your profile page to read more about the API.

OpenID is more than just single sign-on. OpenID is allowing users to do more with their digital identities than they could before and we’re excited about the possibilities. We hope you like Jyte and feel free to give us any and all feedback on the Jyte Blog. Spread the cred!

Mike Jones and Kim Cameron from Microsoft came in for a visit today to the JanRain World Headquarters (if you’ve ever visited here, you’d understand why that’s funny).

The JanRain engineers were interested in learning more about CardSpace. We’ve heard about it, seen Kim talk and even read his proposal on a way to integrate OpenID and CardSpace. However, we didn’t know enough about the technology to comment on it either way. Also, we wanted to hear more than just marketing hype and hand waving; we wanted some code. Kim and Mike did not disappoint … :-)

CardSpace is an identity meta-system that you use to manage InfoCards. InfoCards are like the cards in your wallet, except that you present these cards to the sites you visit in order to identify yourself. I really believe that Mike and Kim have their hearts in the right place and the technology looks solid. It looks like Microsoft has learned a lot since their last foray into identity. I think OpenID and CardSpace could really complement each other quite nicely as well as help address the phishing concerns that have become so prevalent.

The CardSpace InfoCard manager is an interface that comes up when the user is presented with a site that supports InfoCard login. Instead of giving the user a login form in the browser that might be phished, the user is presented with a dialog that allows them to deliver an InfoCard for the site they are trying to log in to. This dialog is single-modal; you are locked out of doing anything else unless you complete the task at hand. This follows along with what Mike Beltzner shared on the OpenID general list about the difficulties in fighting phishing:

I can also sum things up for you even more succinctly:

- users are task oriented, driving to complete the goal the quickest way possible
- users pay more attention to the content area than the browser chrome
- users don’t understand how easy it is to spoof a website

Kim went through several code examples where we could see how it all worked. Forget SOAP, forget complicated. There is no hook back to the mothership with this technology. As a matter of fact, OpenID and CardSpace could work together quite easily.

CardSpace is really good at handling the issues around phishing and personal privacy. But what if I don’t want to be private about certain things? I like that I can identify myself as me to lots and lots of different sites and I don’t mind if people correlate that data. As a matter of fact, I like it. Wouldn’t it be nice to have an OpenID tied to my InfoCard then? One of the greatest reasons OpenID is succeeding is that it’s a destination. It’s a unique place on the Internet where you can learn more about who I am. Coupled with microformats you start to see some interesting possibilities. CardSpace doesn’t do the public side very well and both Kim and Mike admitted this. This is an interesting possibility for OpenID IMHO. Not only that, it could be done without any changes to sites that already support OpenID. You’d get the benefits of OpenID’s strengths while leveraging the anti-phishing and privacy mojo that CardSpace has.

We already have some great technology for changing the chrome in Firefox and discussions are on-going with Mozilla about how we can integrate this further and have it truly baked in (hopefully they’ll look at Dmitry’s thoughts on this). We’ve got the CardSpace code that is now shipping on Vista and available for Windows XP. We’ve got lots of options for fighting phishing and protecting privacy with more on the way. All of these solutions play to each technology’s strengths and actually just might be what we need to get to the identity holy land.

There have been some intense discussions going on over on the OpenID general and security lists over the past week or so. Some great suggestions have been made about how to better secure users against phishing and we have just implemented a couple of them on MyOpenID.com.

personal-icon-screen.png
  • Personal Icon: A Personal Icon is a picture that you can specify that is presented to you in the title bar of MyOpenID every time you visit the site. The image is shown based on a cookie that is not tied to your account. This aids in fighting phishing as you’ll get used to seeing the same picture at the top of the page every time you sign in. If you don’t see it, then something might be up. Carl worked on this feature for us over the last few days and it employs several of the techniques discussed on the list to make it happen. You can see the picture next to this text that shows my Personal Icon which is a picture of my son Živio in the bathtub.
  • SafeSignIn: The SafeSignIn feature was inspired by Simon Willison and was implemented by Mike on our Identity Provider team. SafeSignIn is an option that users can set on their settings page that makes it so you cannot be redirected to MyOpenID.com to enter a password. If you are redirected to MyOpenID.com from another site, you are presented with the dialog you see below prompting you to either use a bookmark or enter the address in your location bar in the browser. This is an optional feature but we highly recommend you enable it.
picture-2.png

While discussion on the OpenID specification continues to happen, we wanted to make sure we had the tools our users would need to protect themselves against phishing in the meantime.
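
A sketch of the provider-side decision behind the two features above, added here as an example and not MyOpenID's own code. It assumes the relying party's request carries `openid.identity` (as in OpenID 1.1) and that the icon is looked up from a random cookie value; the function names, view names, cookie name and sample accounts are all hypothetical.

```python
import secrets

# Constructed sample state; identities and settings are hypothetical.
SAFE_SIGNIN = {"https://alice.example.org/": True,
               "https://bob.example.org/": False}
ICON_BY_TOKEN = {}   # browser token -> image; deliberately not keyed by account


def new_icon_cookie(image_name):
    """Register a Personal Icon and return the random cookie value for this browser."""
    token = secrets.token_urlsafe(16)
    ICON_BY_TOKEN[token] = image_name
    return token


def render_sign_in(cookies, session_identity=None, openid_params=None):
    """Decide what the provider shows for one request.

    openid_params is the query of an authentication request forwarded by a
    relying party (None when the user came directly, e.g. from a bookmark).
    """
    # The icon depends only on the browser cookie, so it is shown before any
    # credentials are typed. A look-alike host never receives this cookie.
    icon = ICON_BY_TOKEN.get(cookies.get("personal_icon", ""))
    page = {"icon": icon}

    if openid_params is None:
        # Direct visit: the user chose this address themselves.
        page["view"] = "account_home" if session_identity else "password_form"
        return page

    claimed = openid_params.get("openid.identity")
    if session_identity is not None and session_identity == claimed:
        page["view"] = "approve_request"     # already signed in, no password needed
    elif SAFE_SIGNIN.get(claimed, False):
        # Redirected here and not signed in: never ask for a password.
        page["view"] = "safe_signin_notice"  # "use your bookmark or type the address"
    else:
        page["view"] = "password_form"
    return page
```

With SafeSignIn enabled, the only path to the password form is a direct visit, so a page that asks for the password after a redirect is itself the warning sign.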

We have a unique opportunity with phishing and OpenID. OpenID can make the possibility for bad things to happen from phishing that much worse. However, having an OpenID means you create a more intimate relationship with your OpenID provider. You go there every day. You will more likely know when something is wrong. The Personal Icon and SafeSignIn tools help give you a clear indication when something might be up. The ability to fight phishing from one place really well could actually become a huge driver for OpenID; I know the place I always enter my password every single day. Asking users to deal with several layers of anti-phishing technology on every site they visit isn’t very realistic. These types of tools, coupled with OpenID, allow you to have the layers of security while giving you the ease-of-access to the sites you want to visit.

We still don’t have a complete answer to phishing yet but with the continuing work of the OpenID community, we just might get closer to one.

If you’d like to take advantage of these features for your OpenID enabled site or your own personal domain, you might want to check out our affiliate program or read up on how to delegate from your own domain.

Long, long ago we kicked around the idea of bringing a few folks together from OpenID and the SAML community to talk a little about each of the technologies and see if there are ways to work together. Well, last week before the OpenID Mash Pit, we had a gathering here at JanRain with a few folks from the SAML world.

It was a great meeting. Low-pressure and honest dialog about the technologies on each side. I feel much more educated as an OpenID user about SAML and what it brings to the table in terms of technology. It’s exciting to see the traction that OpenID is starting to garner and more importantly how the community itself is self-forming and self-evangelizing. Earlier last week there was the meeting at Mozilla about Firefox 3.0 requirements and OpenID put on by Chris Messina and Alex Faaborg … this meeting with the SAML folks … Mash Pits all over the world!! Wow!

I’m really excited to hear that Ma.gnolia.com is having such great luck with OpenID. They have been one of the early adopters of this technology and it’s paying off:

So far, over 15% of new Ma.gnolia members are seeing the advantage and getting their OpenID when they join Ma.gnolia. Considering how new OpenID is, and that it takes a bit of un-learning of old sign-in habits, we’re really delighted to see this adoption rate.

Chris introduced Larry and me a few months ago and gave me a chance to give him an earful about how great OpenID was. It didn’t take them long to get it working on their site once they figured out some of the tricks of the trade. I was really excited that Ma.gnolia decided to become an affiliate as well!

It’s sites like Ma.gnolia and Zooomr that are really great showcases for OpenID and the potential it holds.

Brian Oberkirch has a great post (that was picked up by ZDNet) about one of the biggest opportunities around OpenID.

An OpenID is more than just the identifier you use to log in to OpenID enabled sites. It’s also a destination. It’s your unique place on the Internet that you can call your own. Identity has always had a hard time with 1) finding a unique, global name space and 2) making that name space addressable. OpenID solves that by using domain names and leveraging the global DNS infrastructure. I was talking with someone last week who mentioned a great Tim Berners-Lee quote:

If it isn’t a URL, it doesn’t exist.

Now, I’m paraphrasing that. Actually it’s a second-hand paraphrasing. So if Tim didn’t say that, I’ve got dibs on being the one that said it … :-) In any case, the quote applies to your digital identity as it relates to OpenID.

As Brian mentions, there are a bunch of possibilities with what you could put at that URL. Maybe a list of your friends in XFN format? How about your hCard? Since you’ve made the claim that this is your personal identity page, people should know they can trust that that information is in fact yours. I also like the idea of publishing my busy/free information from that URL in iCal format. Note, just the busy/free information. If the user was logged into my “page” they could view more or even possibly schedule a meeting. If the user can log in to your personal identity page you could put all kinds of interesting information behind an access control list of OpenIDs. OpenID and microformats together seem to be the logical next step for what you can do with your OpenID.

There have been some great proposals about ways to build access control lists for fighting blog spam or even locking down some content you only want your social network to see. These could easily be consumed by sites that want/need your information. Now these really cool Web 2.0 companies could focus on making their blog, photo/video sharing or wiki sites that much better for the users. They could consume OpenIDs and groups automatically from users that log in. It’s that much less they have to do.

There has been a bunch of discussion about OpenID 2.0 and how the latest draft does not address phishing at all.

First and foremost: phishing is an extremely important problem and one that is more than just OpenID-related. It just so happens that OpenID really exacerbates the problem because if you phish someone’s OpenID you could potentially have access to all of the sites they log in to. I couldn’t agree more.

Alright, so let’s step back for a moment and ask ourselves: why hasn’t phishing been solved before this? It’s been a huge problem for folks like PayPal and eBay. I think the main reason is that the problem is compartmentalized. Today, you might get one account (albeit a very important account) phished, but it’s just that one account you have to deal with. As such, no real definitive solutions have come up to completely (or mostly completely) solve the problem.

Enter OpenID 2.0. OpenID 2.0 is the culmination of lots of technology, ideas and people from many different schools of thought on identity. With pieces of Sxip, LID, XRI and others involved, we have a unique solution that is quickly gaining market and mind share. What’s really interesting is the firestorm that this has kicked up on the mailing list about phishing. Wow! This is fantastic! People are actually devoting some serious attention to and proposing some excellent solutions to phishing. If anything, the OpenID discussion might help move the phishing discussion (and thus OpenID) forward.

We’ve got the proposal for Petnames/Passpet, SRP, the creation of an identity manager, the use of InfoCards with OpenID and a raft of others. This is great. The conversation is happening and solutions are being worked on. Wow. Talk about cool.

What’s most interesting to me is the nature of OpenID and why it’s succeeding. OpenID is the HTML to the world’s SGML identity solutions. Yes, SGML was infinitely superior to HTML but it was HTML that “won” out. Simple works and, not only that, simple wins. The barrier to adoption has to be low and the ability for the technology to proliferate from a bottom-up standpoint is critical to the success of a technology like OpenID.

I was going to write more on this but when I found Gabe Wachob’s post I just stopped and realized it couldn’t be said any better:

No, OpenID doesn’t solve all problems, and maybe today it only solves a very narrow set of problems with an acceptable risk profile. But to me, that’s not the point - it’s the unleashing of creativity and the power to let developers and architects focus on what they are interested in and good at. Security and identity nuts can focus on authentication and let the social networking, wiki-touting, web 2.0-heads do what they do best! OpenID is an abstraction, a key middle ground for these folks to meet and leverage each other’s work - that OpenID is deployed for use in a fairly narrow set of use cases TODAY should not mean that it will not be very important in the very near future…

Gabe is dead on … OpenID makes the problem of phishing that much more important … the people on the general list and all of the great discussion in this space are leading to a solution. This is a solution that might not have been possible were it not for OpenID. If done correctly, the technologies and methods adopted by OpenID providers could be a significant driver of the technology.

Thanks everybody for coming out and braving the crazy weather here in Portland … what are the odds we’d get our 20 year storm on the day of the Mash Pit?!

We still had about 20 people turn up and David Recordon and I did an update on OpenID. We’ve got folks hacking away on a new version of the Ruby OpenID plugin, people getting help configuring OpenID for their sites and all kinds of general questions.

There is some great new code that has just hit:

  • Apache ModAuthOpenID: ModAuthOpenID conforms to the OpenID 1.1 specification and allows you to use OpenID in your Apache installation. This requires Apache 2.0 and is released under the GPLv2.0.
  • ColdFusion OpenID Library: Dmitry Yakhnov sent us a note that he has released an OpenID library for ColdFusion. Now you can OpenID enable those ColdFusion apps! Thanks Dmitry!

I’ve also gotten wind that some folks are working on new Drupal integration for OpenID. I won’t say more lest I steal their thunder but hopefully we’ll hear more about it at the Mash Pit this evening … :-)

More code means more options for developers looking to deploy OpenID. If you have some OpenID code that you’re putting out into the wild, by all means, let the world know! :-)

Well, here we go and schedule this amazing event … this fantastic Mash Pit for OpenID … we get people all over the world looking to do the same thing on the same day. Then what happens? Well, we get the 10 year storm here in Portland:

Have I mentioned that people don’t know how to drive in the snow?!

In any case, the show must go on! The Mash Pit will still happen, we’d never let a little silly snow get in our way. So c’mon out, we’ll still have snacks, food and plenty of connectivity for learning about OpenID and hopefully helping you make the OpenID connection.

About

This is the blog of Scott Kveton, digital identity promoter, open source contributor, avid gardener, passionate pizza maker, loving husband and proud father.
