Scott Kveton

I got a note from Adam over at Wikispaces this afternoon telling me they just added support for OpenID. Way to go guys! I have another logo to put on my slides for OSCON! :-)

You can read more or just head on over with your OpenID and login.

This week is the start of JavaOne, Sun Microsystem’s conference on all things Java and with it comes an announcement that Sun will be supporting OpenID.

This is really telling news as Sun was one of the key companies to spearhead the Liberty Alliance initiative around federated identity a few years ago. Support for grassroots technologies like OpenID mean that Sun is continuing to expand its offerings in identity. This is great news for OpenID as well as Sun’s customers.

An interesting point in the article is that all of Sun’s 34,000 employees now have OpenID’s. The OpenID server they are using is based on their OpenSSO server they have been working on for quite some time. Now Sun employees can login all over the web on OpenID enabled web sites. Sun is working on ways to OpenID enable their sites as well (of course this usually takes a bit longer no matter the company).

David Recordon is presenting at JavaOne this week about OpenID so the timing is right to get a lot of people really fired up OpenID. Knock’em dead David!

What a great time I had at Ignite Seattle last week. Its a geek-heavy event that couples making cool things as well as speed rounds for talks. In all, 22 people spoke (each for 5 minutes; 20 slides, 15 seconds per slide) with about 400 people in attendance when all was said and done.

I was lucky enough to be one of the earlier speakers and I got to talk about OpenID (can you believe it?!). It was really cool when Brady introduced me and so many people applauded and ooh’d and aah’d when he mentioned I was going to talk about OpenID. Some folks have put up my slides and even talked about my talk. Very cool (and yet quite surreal).

My favorite picture that I found was this one that really shows the enormity of the event … very cool! Yep, that’s me up there talking about how OpenID is sweeping the nation! Thanks Brady and the rest of the Ignite Seattle crew for having me!

Videos are on the way and will be here when they get uploaded. I’ll post an update to this when its up.

There is some great new code that has just hit:

• Apache ModAuthOpenID: ModAuthOpenID conforms to the OpenID 1.1 specification and allows you to use OpenID in your Apache installation. This requires Apache 2.0 and is released under the GPLv2.0.
• ColdFusion OpenID Library: Dmitry Yakhnov sent us a note that he has released an OpenID library for ColdFusion. Now you can OpenID enable those ColdFusion apps! Thanks Dmitry!

I’ve also gotten wind that some folks are working on new Drupal integration for OpenID. I won’t say more lest I steal their thunder but hopefully we’ll hear more about it at the Mash Pit this evening … :-)

More code means more options for developers looking to deploy OpenID. If you have some OpenID code that you’re putting out into the wild, by all means, let the world know! :-)

Jason Barnabe (the keeper of the keys at userstyles.org) let me know via email today that they have added support for OpenID on their site. userstyles.org is a collection of styles that puts you in control of the appearance of websites and of Mozilla applications. Very, very cool.

At this rate, the world will be OpenID enabled in about 20 mintues. :-)

Do you remember playing with a Brio trainset when you were a kid? They are made out of wood, very solid, well-built toys. I loved them as a child and now I love them as a parent.

Until I found out how much they cost.

Brio is a toy company that has been around since 1884 and has a long history being a manufacturer of “Safe, Durable, Open ended Toys”. I even admit that their goals as a company are quite good as well.

I’m all for local artisans doing craft work. I’m all for supporting a vendor that has done great work over the years. But c’mon. $20 for a wooden train engines and even closer to extortion for the tracks it runs on?! Are you kidding me?! Fortunately we were gifted a big set of this stuff from my in-laws but still our son loves them and always runs to that part of the store when we go toy shopping. But last week, I got lucky.

I was wandering the aisles at Target in Albany, OR and Živio noticed it before I did; a knock off train engine set that is identical to the Brio stuff. Hooray!!

Now I know what you’re thinking. You’re not supporting this company and more importantly supporting a company that is ripping off the Brio train set style and setup. Agreed. However, its the 21st century. Why wouldn’t Brio just source this stuff through China (where the knock-off was made) and then have their folks in the UK focus on design of new cool engines and tracks? The price would go down, the volume would go up and the world would be full of Brio products.

I also know that Brio likes to support the many small toy shops that carry their products. They do this by not providing the means to purchase directly from them on-line via their website. Again, this seems a little nuts to me. Its not like I can’t get this stuff on-line if I want to. Why not take advantage of that and sell directly cutting out the middle man? If I have a local shop and look at the toys there, I’ll buy them. But if I live in a small town (like I do) odds are its harder to find a dealer of Brio toys. Not only that, they don’t do any favors for dealers in any other countries than the UK and Ireland; there is no store finder for those places.

Doing these two things would be a great IMHO – I love these toys. So simple, very few bells and whistles and I know my son has spent literally countless hours playing with them. Making it easier to get them, driving down the price and increasing their ubiquity are all good for Brio and kids alike.

Just my $0.02 as a parent and purchaser of toys.

I often receive questions from folks via email about OpenID. I like getting the notes but always feel like I could be doing more in terms of answering them. Plus I’m a geek so if I do something more than once I think there should be a bash/perl script to do it for me. Here is one of the questions I recently received (the names have been changed to protect the innocent):

If I create today an identity say at `bob.foo.com’, can I move that identity later to a different location? Say my initial identity is hosted by my employer, and I switch jobs, I would like my identity to come with me; For instance are there mechanisms to:

* Not depend on the actual string `bob.foo.com’, but some actual key generated that actually is hosted in bob.foo.com?

* Be able to fetch the data so I can later host it at bob.newdomain.com?

This is not the first time time we have heard this question come up. My advice today? Make sure you pick an OpenID that you’d like to have for a long time. There isn’t a solution for this yet as most of the solutions out there today (for example, i-names) require some sort of centralized registry. (Full disclosure: JanRain is bringing up an i-broker as part of the i-names eco-system). The main premise around OpenID has been de-centralization and simplicity. Having a centralized registry flies in the face of that as well as adds another level of complexity. What I’m saying is I don’t have an answer for this, but again, I believe the community and marketplace will solve this problem in the very near future.

I should also mention that from its inception, OpenID was meant for really light-weight applications. Yes, its maturing and adding new functionality that makes it more robust. However, if you change your blog from LiveJournal to Wordpress today you can’t take your posts with you and more importantly your “identity” with you (unless of course you leverage something like claimID).

Finally, OpenID also has the concept of delegation. I can have two lines of code HTML on my site and delegate that to some identity provider. View source on Brian’s page to see an example of delegation in action. Its not ideal, but its definitely a start and it does give users more of a sense of control.

* What kind of security is there to prevent someone breaking into one of the openid servers from pretending to be me?

Today, it is a strong password. Versign recently proposed the concept of security profiles. The ability to choose the level of security you use for different applications. For things like blogging or commenting in forums probably don’t require heavy authentication. As we move into the realm of doing more “important” stuff with OpenID’s, these profiles will be critical and give the users choice in terms of picking how much/how little security they want. I also see the opportunity for value-adds in this space on top of OpenID as great business opportunities. However, it all starts with a unique identifier and that identifier is your OpenID.

These security profiles will hopefully go a long way towards addressing possibilities with man-in-the-middle and phishing attacks. DNS poisoning is also still an option but IMHO one of those “The Internet Sucks ™” problems.

Are there any available OpenID servers that I can run myself?

As a matter of fact there are. Shameless plug: we’ve developed a PHP Standalone Server that is open source and soon to be part of the ASF Heraldry Project. In addition, Verisign will be donating the Ruby on Rails code base that powers their PIP identity provider to the Heraldry project as well. I’m sure we’ll see versions of these servers in many more languages soon as the libraries start to mature and proliferate.

The most prolific community organizer and fire-in-the-belly-generator Chris Messina announced BarCampEarth which will happen all over the world August 25-27th, 2006. Who would have thought so many BarCamp’s springing up all over the world in such a short time?!

Way to go Chris and way to go to the BarCamp community the world over. I’ll be joining folks at BarCampPortland that weekend to join in the celebration/fun/antics. Hope to see you there!!