Planet OpenID

The magic would never have been possible if their vision had stopped at an “Identity Selector”, for years billed as the savior of the identity universe (see my recent post Why We Really Don’t Need an “Identity Selector”). This week at Kynetx’ conference, Paul and Phil had their coming-out party re-interpreting the “identity selector” as merely an unimportant user interface to something much more valuable: driving personalization of any page displayed in the browser using the data available to the identity selector, all without cooperation by the publisher of the page.

The result: everybody’s web pages, even those people’s who have never heard of me, can become personal to me. That possibility is a very big deal and could totally change the way the entire internet looks and feels. And destroy a bunch of rather sizable businesses (irrelevant advertising, anybody?) in the process.

For years, it has been very clear that with the proliferation of websites out there has to be some kind of integration point for each individual. An integration point where all that stuff out there that I use comes together and becomes personal to me.

A few years ago, many of us thought that an individual’s blog would become that integration point. But with blogging software essentially stagnated for years, that didn’t happen.

It could have been RSS syndicators or the like, but no. Somehow they couldn’t envision anything beyond showing feed data.

The idea of mash-ups was great, but it fizzled out. Too hard to do in practice.

Right now, Facebook has the best shot at becoming that personal integration point, and it certainly wants to be it. With initiatives such as Facebook Connect, they are assembling an armada of business partners that gives them a good chance to become it. But then, it won’t be for me because I am not making my on-line personal and business relationships subject to a veto (and constant monitoring) by any one big company. At the end of the day, many people will think like that and so Facebook can’t be the solution, only a bandaid.

Kynetx and Azigo think that integration point should be right in my browser, driven by the personal information that I stored on my personal computer. (I call that information the personal data store, which may be accessed by an “identity selector” and many other kinds of software).

If you think of it, the PC/browser is not an unreasonable place for this personal integration point at all. It’s a “personal” computer for a reason, and much of that personal information is much better stored on that personal computer than somewhere in the cloud, for privacy reasons. So why not use that personal information to change and relate the web pages that I access on that personal computer, to make them more relevant to me? To make them “my” pages? VRM whether the vendor likes it or not is not a bad concept either …

Of course only time will tell. The odds against pulling this client-side revolution off are, well, impressive There are substantial technical hurdles, possibly legal landmines, usability is unclear, as are distribution, possible vetos by key technology vendors (e.g. browser manufacturers) etc. etc. But it’s worth trying, and worth some cheers.

I’ll be watching with interest how this develops.

[P.S. I didn't manage to be at the conference myself, but have been following these projects for some time.]

If you’re looking for the funniest thing on the Internet, move along. Just like you, I couldn’t find it either.

I used Google to try and find it. Guess what happened? I got a bunch of crap.

I don’t blame Google. I love Google. But not when I want to find something subjective like the “funniest thing on the Internet” or “the most awesome burrito in Portland” or “the best membership management software for a non-profit”. Nope. I’m using Twitter for that now.

Blah, blah, blah. This isn’t another one of those ra-ra-ra stories about Twitter. Twitter’s got issues. I’m pretty sure we all know that. But it works. In the immortal words of Biz Stone, its not about a business model, its about creating value.

* mostly instantaneous
* need lots of “followers” to work
* twitter now has “real” celebrities joining the club
* dave morin and garyvee are at $160k followers … err … 160k followers
cheap gerneric viagra Mexico Pharmacy Generic Viagra generic viagra levitra and cialis pills
“can i take viagra” Ed Treatment Rate viagra how it works
herbal viagra forums Women Viagra snorting viagra health
viagra patent levitra! Low Cost Viagra viagra anxiety
taking viagra woman Hebal Ed Treatment cheap gerneric viagra
generic viagra levitra and cialis pills Best Male Impotence Drug Over The Counter “can i take viagra”
viagra how it works Inderal La Erectile Dysfunction herbal viagra forums
snorting viagra health Naturally Cure Erectile Dysfunction viagra patent levitra!
viagra anxiety Viagra Attorney Ohio taking viagra woman
cheap gerneric viagra Natural Ways To Help Erectile Dysfunction generic viagra levitra and cialis pills
“can i take viagra” Hytrin And Erectile Dysfunction viagra how it works
herbal viagra forums Flomax And Erectile Dysfunction snorting viagra health
viagra patent levitra! Over The Counter Erectile Dysfunction Drugs viagra anxiety
taking viagra woman Q Buy Viagra cheap gerneric viagra
generic viagra levitra and cialis pills Erectile Dysfunction Drugs “can i take viagra”
viagra how it works Erectile Dysfunction Teatment herbal viagra forums
snorting viagra health Male Impotence Causes viagra patent levitra!
viagra anxiety Viagra Commercial Canyon taking viagra woman
cheap gerneric viagra New Ed Treatment generic viagra levitra and cialis pills
“can i take viagra” Make Your Own Viagra viagra how it works
herbal viagra forums Muse Ed Treatment Videos snorting viagra health
viagra patent levitra! Male Hormone Dhea Impotence Levels viagra anxiety
taking viagra woman Watermelon Viagra cheap gerneric viagra
generic viagra levitra and cialis pills Helping Male Impotence “can i take viagra”
viagra how it works Viagra Facts herbal viagra forums
snorting viagra health Newest Transdermal Treatment For Ed viagra patent levitra!
viagra anxiety Nerves Causing Erectile Dysfunction taking viagra woman
cheap gerneric viagra Marijuana Erectile Dysfunction generic viagra levitra and cialis pills
“can i take viagra” New Viagra viagra how it works
herbal viagra forums Treatment For Physciological Ed snorting viagra health
viagra patent levitra! Male Impotence Medicined viagra anxiety
taking viagra woman U 5672 Viagra cheap gerneric viagra
generic viagra levitra and cialis pills Online Viagra “can i take viagra”
viagra how it works Viagra Or Cialis herbal viagra forums
snorting viagra health Viagra Blood Pressure viagra patent levitra!
viagra anxiety Legal Viagra taking viagra woman
cheap gerneric viagra Male Impotence Remedies generic viagra levitra and cialis pills
“can i take viagra” Daily Viagra For Erectile Dysfunction viagra how it works
herbal viagra forums Treatment For Ed snorting viagra health
viagra patent levitra! Acupuncture Treatment For Ed viagra anxiety
taking viagra woman Substanse Treatment Co-ed San Diego cheap gerneric viagra
generic viagra levitra and cialis pills Viagra Canada “can i take viagra”
viagra how it works Massage And Erectile Dysfunction herbal viagra forums
snorting viagra health Erectile Dysfunction Medicine Reviews viagra patent levitra!
viagra anxiety Erectile Dysfunction Ed. taking viagra woman
cheap gerneric viagra Male Impotence Ads generic viagra levitra and cialis pills
“can i take viagra” Kosher Herbal Ed Treatment viagra how it works
herbal viagra forums Male Impotence Pumps Vacuum snorting viagra health
viagra patent levitra! New Drugs For Erectile Dysfunction viagra anxiety
taking viagra woman What Is Generic Viagra cheap gerneric viagra
generic viagra levitra and cialis pills Straight Talk Erectile Dysfunction Review “can i take viagra”
viagra how it works Buy Cheap Viagra herbal viagra forums
snorting viagra health Treatment For Emotional Ed viagra patent levitra!
viagra anxiety Viagra From Usa taking viagra woman
cheap gerneric viagra How T Get Viagra generic viagra levitra and cialis pills
“can i take viagra” Crc Ed Treatment Inc viagra how it works
herbal viagra forums Erectile Dysfunction And Weight snorting viagra health
viagra patent levitra! Management Of Erectile Dysfunction viagra anxiety
taking viagra woman Interfere With Ed Treatment cheap gerneric viagra
generic viagra levitra and cialis pills Erectile Dysfunction Hoodia Gordonii “can i take viagra”
viagra how it works How To Make Viagra herbal viagra forums
snorting viagra health Viagra Delayed Reaction viagra patent levitra!
viagra anxiety Erectile Dysfunction Medications Cialis taking viagra woman
cheap gerneric viagra Erectile Dysfunction And Its Cure generic viagra levitra and cialis pills
“can i take viagra” Aspirin And Viagra viagra how it works
herbal viagra forums Erectile Dysfunction Mayo snorting viagra health
viagra patent levitra! Teenagers With Erectile Dysfunction viagra anxiety
taking viagra woman Viagra England cheap gerneric viagra
generic viagra levitra and cialis pills Buy Viagra Onli “can i take viagra”
viagra how it works Q Buy Viagra Online herbal viagra forums
snorting viagra health Causes For Male Impotence viagra patent levitra!
viagra anxiety Levitra Erectile Dysfunction taking viagra woman
cheap gerneric viagra Erectile Dysfunction And Marital Aides generic viagra levitra and cialis pills
“can i take viagra” Viagra Prescription Medication viagra how it works
herbal viagra forums Viagra Substitute snorting viagra health
viagra patent levitra! Causes Of Male Impotence viagra anxiety
taking viagra woman Female Forcing Male Sexual Impotence cheap gerneric viagra
generic viagra levitra and cialis pills Cialis Viagra Propecia Levitra Erectile Dysfunction “can i take viagra”
viagra how it works Diovan Improvement In Erectile Dysfunction herbal viagra forums
snorting viagra health U 3312 Viagra Cialis viagra patent levitra!
viagra anxiety Caffeine And Erectile Dysfunction taking viagra woman
cheap gerneric viagra Recreational Viagra Use generic viagra levitra and cialis pills
“can i take viagra” Pictures Of Viagra Pills viagra how it works
herbal viagra forums Sample Ed Treatment snorting viagra health
viagra patent levitra! Male Impotence Medicine viagra anxiety
taking viagra woman Erectile Dysfunction Institute cheap gerneric viagra
generic viagra levitra and cialis pills Heart Disease And Erectile Dysfunction “can i take viagra”
viagra how it works Erectile Dysfunction Women herbal viagra forums
snorting viagra health Emile Erectile Dysfunction Viagra Caused viagra patent levitra!
viagra anxiety Cheap Generic Viagra taking viagra woman
cheap gerneric viagra Ed Treatment Centers Michigan generic viagra levitra and cialis pills
“can i take viagra” Book Male Menopause Impotence viagra how it works
herbal viagra forums Viagra Uterine Thickness snorting viagra health
viagra patent levitra! Andropause Or Male Menopause Impotence viagra anxiety
taking viagra woman Erectile Dysfunction Prostate cheap gerneric viagra
generic viagra levitra and cialis pills Erectile Dysfunction Fda Aproved Products “can i take viagra”
viagra how it works Ed Injection Treatment herbal viagra forums
snorting viagra health Viagra Danger viagra patent levitra!
viagra anxiety Tricor And Erectile Dysfunction taking viagra woman
cheap gerneric viagra Erectile Dysfunction Psychological generic viagra levitra and cialis pills
“can i take viagra” Can Women Take Viagra viagra how it works
herbal viagra forums Male Sexual Impotence Pills snorting viagra health
viagra patent levitra! Home Exericses For Erectile Dysfunction viagra anxiety
taking viagra woman Erectile Dysfunction And Rubber Band cheap gerneric viagra
generic viagra levitra and cialis pills Injections Penile Ed Treatment “can i take viagra”

Prelude

You take the blue pill and the story ends. You wake in your bed and believe whatever you want to believe. You take the red pill and you stay in Wonderland and I show you how deep the rabbit-hole goes. Remember — all I am offering is the truth, nothing more.

In the Matrix, Morpheus presents Neo with a choice: he can take the blue pill and continue his somnambulatory existence within the Matrix, or he can take the red pill and become free from the virtual reality that the machines created to enslave humanity.

As you can see from the clip above, Neo chooses the red pill, severing his connection to the Matrix and regaining his free will.

Everyday, when you fire up your browser and type in some arbitrary URL in the browser’s address bar, you are taking the red pill.

Increasingly though, I see signs that the essential freedoms of the web are being undermined by a cadre of companies through the introduction of new technologies and interfaces that, combined, may spell the death of the URL.

Call me crazy, but it seems obvious enough when you put on the right colored paranoia goggles.

Exhibit A: Web TV

There’s an article in Friday’s USA Today suggesting that we’re finally at a point where web TV has a chance. But there’s an insidious underbelly to this story. Specifically: Consumers may balk if TV sets become too computerlike and complicated.

From the article:

Manufacturers say they learned an important lesson from earlier convergence failures: Viewers want to relate to sets as televisions, not computers.

That’s why the new Web TV models don’t come with browsers that would give people the freedom to surf the full Internet, even though the TVs connect to the Web via an ethernet cable or home wireless network. The companies want to promote consumer acceptance of Web TV by making the technology simple to use: That means no keyboard or mouse.

It’s just Step 1: Engineers are talking about changes that would make it easy to navigate the Internet. One thought is to program smartphones so they can change channels, send text messages to the set and move a cursor around the screen with the motion-sensitive technology that Nintendo uses with its Wii game system.

For now, though, people just need the TV remote control to select and launch prepackaged applications.

Emphasis mine.

In a twist of McLuhanesque determinism, it would appear that the apparatus and determinism of the television experience will overrule the freedom and flexibility of the web — because, well, frankly — all that choice…! It’s so… unseemly and unmonetizable.

Instead, Web TV will be made easier to use by removing the best parts of the web and augmenting the straightjacket features of the television.

Exhibit B: Litl, ChromeOS, JoliCloud, and Apple Tablet

I somewhat serendipitously stumbled upon Litl — a little design project of famous design firm Pentagram.

The thing is cool, I admit. The netbook/webbook market needs some design thinking. And heck, I’m as eager as anyone to see what Apple is going to do in this space, so I’m watching it closely… but something tells me that the next generation “PC” devices are going to revolve around slicker, streamlined interfaces that come pre-packaged with fewer choices drawn from a set of likely suspects (i.e. Facebook, Twitter, Google, Yahoo et al.).

Taking a look at the JoliCloud homescreen… you can start to see how this will be the next Firefox search box in terms of monetization:

Though I imagine you’ll be able to set custom options here, it’s the defaults that matter.

…and these homescreens become yet another funnel to drive users to a predetermined (and paid for) set of options.

Exhibit C: Top Sites

Similar to the netbook homescreens, both Safari and Chrome provide home pages that show you thumbnails of the sites that you visit most often (coincidence? I think not!).

Seems an innocuous feature. I mean, isn’t it easier to just click a picture of where you want to go rather than typing in some awkward string that starts with HTTP into the address bar?

AH HA! So, you’d take the blue pill eh?

See the problem?

Just as browsers currently come with a set of default bookmarks today, there’s no reason why the next generation browsers won’t come with their own predefined set of “Top Sites”, that, not unlikely, will come from the same list of predetermined companies that populate the home screens of the next gen Net/Web Books.

The more that the browser address bar can be made obsolete, the more it becomes just like TV, right?

Exhibit D: Warning interstitials and short URL frames

If you use Facebook, you’ve probably seen the above warning before — usually after clicking a link that a friend sent you. Now, I recognize why they do this. It’s true: on the internet, thar be dragons!

Now, nevermind the dragons on Facebook proper — this innocuous little screen was designed, one assumes, to keep you safe from things outside the Facebook universe. However, the net effect of seeing this page every time you click an outbound link is fatigue. You get worn down by having to click through this page until finally, after a while, you just give up and stop clicking links from your friends altogether. It just could be that a momentary delay like this is enough to change your behavior completely.

Even when you do decide to leave, Facebook comes with you — inserting 45 pixels of itself into your experience as a top frame:

This make it easier to get back to Facebook, and never skip a beat. But it also removes the need to visit the address bar and think about where you want to go next (let alone type it out). Of course Facebook isn’t the only service doing this — Digg and countless other short URL generators intrude on your web experience and put yet more distance between you and the address bar.

All these little hindrances add up — and if you’ve done any usability work — you know that the smallest changes can lead to huge impacts over time if the changes are so slight as to be essentially unnoticeable.

Exhibit E: The NASCAR

Now, this one hits close to home, y’know, since this is what I’ve been working on for the past year or so… but the reality is that more and more, companies are moving to accept this logo-splattered approach to user sign in forms — “the NASCAR” — which dispatches the uncomfortable “URL-based” metaphor of OpenID altogether.

Why?

Because it’s too “complicated“. People don’t get “URLs” for sign in.

Now, we’ve made progress moving forward with “email-style identifiers” for use in OpenID transactions, but we’re not there yet, and we’re not moving fast enough either.

The specter of the Facebook Connect button is ever-present, and, from a UI perspective, it’s hard to argue with one button to rule them all (even if it destroys individual autonomy in the process — hey! freedom is messy! Let’s scrap it!).

The NASCAR, then, is just one more way to put off teaching users to recognize that URLs can represent people too, chaining us to the silos and locking us into brand-mediated identities for yet another generation.

Exhibit F: App Stores

Finally, there’s been plenty written about this already, but what is the App Store except a cleaved out and sanitized portion of the web? In fact, people accustomed to the freedom and “flow” of the web go into anaphylactic shock when they realize that they must submit to the slings and arrows of the outrageous fortune of Steve Jobs when they want their iPhone app to show up in the Apple app store.

And it’s only going to get worse, because now everyone wants a goddamn app store.

Thanks a lot, Steve.

The rise of the “app store mentality” is a direct attack on the web, and on the very nature of free discovery and choice built upon URL-based hyperlinks. By depriving us the ability to pick and choose which “stores” we shop from on these devices — we’re empowering a new breed of middle men and ceding to them monopoly control over our digital experience. The architecture of the web was intended to withstand such threats — but that all changes when the hardware makers get into the content business! Even though developers are beginning to see the dark side of this faustian bargain, the momentum is huge — and big business smells money.

By removing our ability to navigate, choose, and share freely — these app stores are exchanging our freedom for a promise that they’ll keep us safe, give us everything we need, and do all the choosing of what’s “good enough” for us — all starting at ninety-nine cents a hit.

No doubt this model will be emulated and copied — across all platforms — until the last vestige of the URL is patched over and removed… the last reminder of an uncomfortable and much messier era of history.

Epilogue

I don’t know about you, but a future without URLs and without the infinite organicity of the web frightens me. It’s not that I know what we’ll lose by removing this artifact of one of the most generative periods in history — and that’s exactly the point! The URL and the ability for anyone to mint a new one and then propagate it is what makes the web so resilient, so empowering, and so interesting! That I don’t need to ask anyone permission to create a new website or webpage is a kind of ideological freedom that few generations in history have known!

Now, granted, there is still much work to be done to spread the power and privilege of the web, but what I don’t want to see happen in the meantime is the next generation of kids grow up with an “easier” laptop, Web Top, Net Book, Nook, or whatever the hell they’re going to call it — that lacks an address bar. I don’t want the next generation to grow up with TV-stupid controls and a set of predefined widgets that determine the totality and richness of their experience on a mere subset of the web! That future cannot be permitted!

Maybe I’m wrong or just paranoid, and maybe the web has won, forever. But I’m not willing to rest on my laurels. No way.

We all know that the internet has won as the transport medium for all data — but the universal interface for interacting with the web? — well, that battle is just now getting underway.

As a user experience designer, it’s on my discipline and peers to provide the right kind of ideas and leadership. If we get the design right, we can empower while clarifying; we can reduce complexity while enhancing functionality; we can expand freedom while not overwhelming with choice. Surely these are the things that good, thoughtful user experience design can achieve!

Well, friends, I’ve said my piece. Whether this threat is real or imagined, it’s one that I believe bears inspection.

Like Neo, if I were forced to choose between all the messiness of free will over the “comfortability” of a contrived existence, I’d choose the red pill, time and time again. And I hope you would too.

I previously described how message handling works in the Internet2 OpenID library, and how each OpenID message type requires a half dozen or so classes to handle everything. While this may seem like overkill to some, one of the nice things about this separation of logic is that it makes it quite simple to provide custom implementations of specific kinds of messages. While this was not specifically a core requirement of the library, it was an added bonus of the design, and just seemed like a good thing to support. I want to talk about it here, because it illustrates how this portion of the library is configured, which will be important to understand later.

Central Registry

As we mentioned, every OpenID message type has a number of supporting classes. Let’s take the authentication request message as an example. You have:

• AuthenticationRequest — interface that defines this specific OpenID message type
• AuthenticationRequestImpl — default implementation of this message type
• AuthenticationRequestBuilder — builder of AuthenticationRequest instances
• AuthenticationRequestMarshaller — converts AuthenticationRequest message into a ParameterMap
• AuthenticationRequestUnmarshaller — converts ParameterMap into an AuthenticationRequest message
• AuthenticationRequestValidator — this wasn’t talked about last time, but is responsible for validating that an AuthenticationRequest message contains all of the requisite parameters

All classes except for the actual message implementation must be thread-safe, as only a single instance is maintained by the library (technically they don’t follow a singleton pattern, but only one instance is typically used). All of these are stored in central registries, so that they can be retrieved to marshall or unmarshall a message as needed. Each one has it’s own factory that allows registering and looking up of specific implementations:

• MessageBuilderFactory
• MessageMarshallerFactory
• MessageUnmarshallerFactory
• MessageValidatorFactory (not yet implemented as of this writing)

MessageValidator implementations are registered based on the message class that it validates. For the other three factories, implementations are registered based on a QName which consists of the OpenID protocol namespace URI, and the value of the mode parameter. Yes, there are three OpenID message types that don’t actually have a ‘mode’ parameter, but I’ll save that discussion for another post. Also, the QName here doesn’t exactly represent a namespaced parameter name like it does in the ParameterMap, instead it is just a container for a namespace URI and a string value. Perhaps this is technically a misuse of the QName object, but it’s working fine for now. A static instance of each factory is available from the Configuration class.

Message Flow (redux)

So now let’s go through a message flow like we did last time, and look at how each of the factories are used. (At the time of this writing, I’m still working on hooking in the MessageValidators, so I won’t be talking much about that).

Remember that when a message comes in, it is in some kind of transport specific encoding. Depending on how the message was received and the format it is in, an appropriate MessageDecoder is used to convert it into a ParameterMap. The next step is to find an appropriate MessageUnmarshaller to convert this ParameterMap into an actual Message object. The MessageUnmarshallerFactory has a getUnmarshaller(ParameterMap) method that will lookup exactly what we need. Once we have an unmarshaller, we can call its unmarshall(ParameterMap). This method is responsible for building an appropriate Message object, and then populating it based on the data provided in the ParameterMap. Internally, the unmarshaller uses the MessageBuilderFactory to find an appropriate MessageBuilder using the getBuilder(ParameterMap) method. Once the correct builder is obtained, its buildObject() method is called to get an instance of the Message object. This instance is then populated using data from the ParameterMap and returned. (If anyone wants to volunteer a flow chart that illustrates this, I’d be greatly appreciative!)

When it comes time to send a message back out, the MessageMarshallerFactory’s getMarshaller(Message) method is called to get the correct MessageMarshaller for a given message. The marshaller’s marshall(Message) method is called and returns a ParameterMap, and that is passed through an appropriate MessageEncoder to send it out on the wire.

Custom Implementations

The library comes with default implementations for all of this, so a user can simply choose to ignore all of this plumbing and be just fine. But just in case you do want to customize part of this, how would you go about doing so? Simply by registering them with the appropriate factory. Let’s say you want to provide your own AssociationRequest implementation for whatever reason. But maybe you don’t necessarily care to customize the way the data is unmarshalled into and marshalled out of the object… the default implementations for those are fine. You would of course have your custom AssociationRequest:

public class MyAssociationRequest implements AssociationRequest {
    /* implementation here */
}

Then to make sure that your custom implementation is built instead of the default implementation provided by the library, you would also need to provide a MessageBuilder:

public class MyAssociationRequestBuilder implements 
             MessageBuilder<AssociationRequest> {

    public AssociationRequest buildObject() {
        /* build and return an instance of MyAssociationRequest */
    }
}

Then register your message builder:

MessageBuilder myBuilder = new MyAssociationRequestBuilder();
QName qname = new QName(OpenIDConstants.OPENID_20_NS, AssociationRequest.MODE);
Configuration.getMessageBuilders().registerBuilder(qname, myBuilder);

Once your builder is registered, it will be used to build AssociationRequest objects for all incoming messages of that type. However, the default marshaller and unmarshaller for that type will continue to be used… you don’t need to worry about that. And once I get the validators hooked in, that will just work as well with your custom class. Or, you could provide your own Validators if you like. You can customize as much or as little of the library as you want.

I don’t imagine that anyone will want to provide custom message implementations very often, but the option is most certainly there. What is far more likely is providing a custom message extension like Attribute Exchange or PAPE. That works in very much the same way, which I’ll explain next.

Wordpress keeps resurrecting this friggin’ post because its in draft and if you don’t keep your install up-to-date (like by the second) awesome spammers come along and use it as a link-spam farm. Sweet. In any case, people keep coming to this link so I thought I should put something here.

This past June I contracted with Internet2 to work on adding OpenID support to the Shibboleth Identity Provider. I had actually started to work on this over a year prior while working at USC. At the time there were (and still are) two primary OpenID libraries in Java, Verisign’s JOID, and Sxip’s OpenID4Java. I spent a fair amount of time looking at both libraries, but ultimately decided they weren’t going to work for what Shibboleth needed. There were architectural issues with the existing libraries, which I pointed out in my post to the OpenID4Java mailing list. But there were also significant design decisions that I felt could be improved upon, so I began work on a new OpenID library in Java. Now that this library is nearing a usable state, I wanted to talk about some of the architectural decisions that were made, and how it differs from the existing Java libraries for OpenID.

Let me first preface this by clarifying that I’m not saying the existing OpenID libraries are not usable. Quite the contrary, I know that the OpenID4Java library is used for AOL’s OpenID provider, on Google’s Blogger, as part of Sun’s OpenSSO, and countless other projects. Additionally, JOID powers Verisign’s very usable PIP. There is no question that they work for many use cases. However, they lack the clean architecture I was looking for, which can really only be corrected by starting from a blank canvas.

(I’m not sure how many posts this will take, or how sensical the order of things will be, but better to go ahead and get it written down in some form.)

Message Handling Flow

One of the most immediate differences you’ll see in the Internet2 library is the very clear separation of logic in the message handling code. I wanted the core message objects to be simple Java beans that provide access to strongly typed properties, and nothing more. When I’m processing an OpenID message, I don’t want to be thinking about how that message was encoded during transit. Additionally, I don’t want to duplicate code if at all possible, so there needs to be one very clear place where any particular process is implemented. To achieve this, messages are transformed into three distinct formats as they are being processed.

When a message comes in to an OpenID provider, it is in some kind of transport specific format. Typically that will be a URL-encoded string that is taken either from an HTTP POST request body, or from an HTTP GET request query string. Alternately, it may be a Map retrieved by calling ServletRequest.getParameterMap. This transport specific format needs to first be converted into some kind of common intermediary format so that the next step in the process can deal with all messages in the same way, regardless of transport method. In the Internet2 library, this common format is a ParameterMap.

ParameterMap

A ParameterMap is simply a LinkedHashMap with QName keys, String values, and a little additional logic. Why QNames for keys? Aren’t those for XML? Yes they are, but they actually work beautifully for OpenID message parameters as well. You see, an OpenID message is really just a collection of namespace qualified parameters, and can be quite easily represented in XML. (Yes, this is a little bit of a rabbit trail, but it’s interesting nonetheless). Let’s start with a really simple KVF encoded OpenID message:

openid.ns:http://specs.openid.net/auth/2.0
openid.mode:checkid_setup
openid.claimed_id:http://example.com/
openid.identity:http://example.com/
openid.ns.sreg:http://openid.net/extensions/sreg/1.1
openid.sreg.required:email,fullname

Yeah it has no signature, etc, but that’s not the point. What might this look like in XML?

<message xmlns="http://specs.openid.net/auth/2.0" 
         xmlns:sreg="http://openid.net/extensions/sreg/1.1">
    <mode>checkid_setup</mode>
    <claimed_id>http://example.com/</claimed_id>
    <identity>http://example.com/</identity>
    <sreg:required>email,fullname</sreg:required>
</message>

See how cleanly it maps? This is no accident. This is a very common pattern for handling namespace qualified parameters. First you assign your namespace to an alias, then you use that alias as a prefix for any parameters that are part of that namespace. The simple registration ‘required’ parameter name has three parts: there’s the base parameter name (“required”), the namespace alias (“sreg”), and the actual namespace URI which is declared separately (“http://openid.net/extensions/sreg/1.1”). A Java QName object consists of three parts: a namespace URI, a local part, and a namespace prefix. Slightly different terms, but exactly the same concepts.

Okay, so back to our OpenID library. We’ve taken our transport specific encoding, passed it through an appropriate MessageDecoder, and ended up with a ParameterMap. Before we move on, I want to point out one more thing about the parameters in a ParameterMap. None of the parameter names contain the “openid.” prefix. This prefix is specific to messages that are encoded using URL Form encoding, since that’s the only way to identify which parameters are part of the OpenID message. One of the jobs of the URLFormCodec is to strip this prefix as messages come in, and add the prefix as messages go out. The message encoder and decoder is the only part of the entire library that knows anything about this prefix, and quite frankly it’s the only part that should.

Okay, so now that we have our ParameterMap, it needs to be converted into an actual message object, which is the job for a MessageUnmarshaller.

Unmarshalling messages

Message unmarshallers are responsible for taking a ParameterMap and using it to populate a specific kind of message object. Remember the desire for message objects to have strongly typed properties? The corresponding unmarshaller for that message type is the one and only place that needs to worry with how the parameter passed on the wire gets converted into that strong type. For example, AssociationRequest messages may include the Diffie-Hellman public key of the OpenID relying party. Java provides a very specific object just for that called DHPublicKey, so that’s what we want our AssociationRequest object to use. Parameters can only be passed as strings during transit, so the AssociationRequestUnmarshaller (and nothing else) is responsible for knowing how to convert that string into a DHPublicKey.

Similarly, Attribute Exchange fetch requests may include a list of required attributes it wants for a user. These attributes are identified by URIs, so Attribute Exchange does it’s own aliasing similar to the namespace declarations we saw above. This way, the “ax.required” message parameter need only contain a comma-separated list of attribute aliases rather than the full namespace URIs. But when you get right down to it, these aliases are just an optimization that is used during transport. Really all that’s being represented is a list of attributes URIs. This is why the FetchRequest object in the Internet2 library exposes this particular message parameter simply as a List of attribute URIs. It’s the FetchRequestUnmarshaller that is responsible for taking the AX message parameters, dereferencing the attribute aliases, and populating the FetchRequest object appropriately.

Reversing the process

What about returning OpenID response messages? We just do the same process in reverse. The message object is passed through an appropriate MessageMarshaller which populates a ParameterMap. And the ParamerMap is in turn passed through a MessageEncoder that produces some kind of transport specific format. That may be a Key-Value form encoded string, as is the case with direct responses, it may be a URL suitable for redirecting the user to, or it may be an HTML response to use for HTML form submission.

Uniformity over brevity

Depending on how you separate them, there are roughly nine different message types in the core OpenID 2.0 spec, and for each of these message types, the Internet2 library has five files that handle the processing. There’s the message interface, the concrete implementation, the message builder (which I didn’t actually talk about in this post), the message marshaller, and the message unmarshaller. At times all these files may seem needlessly verbose, especially when you see that some of them are only a few lines long. It turns out that this separation doesn’t necessarily result in more lines of code, just that the code is broken up into smaller chunks. Besides, the goal here is not conciseness. The goal is uniformity and predictability in how messages are processed, as well as clean, logical separation of duties. When every message is processed in exactly the same way, bugs tend to expose themselves much earlier in the process, and strange edge cases are far rarer. When things are logically separated, it makes the overall architecture much easier to understand. And perhaps more importantly, it makes it possible to fully understand one part of the library without needing to be concerned with others. You can go in and look at the code for signing messages, and not have to wade through code dealing with transport encodings.

Brightkite, a location-tracking service, recently launched version 2.0 of their service after merging with Limbo and taking $9M in funding this past April.

In recent months I’ve found myself using Foursquare more and more, though I still update Brightkite from time to time since it powers the location status on my personal homepage. In some ways, Foursquare is to Brightkite what Twitter was to Jaiku: a more personal, streamlined experience that builds on a core activity and dispenses will all other distractions. And, through game-like mechanisms, get you to perform the core activity more regularly (i.e. mayorships in the case of Foursquare, and, up until recently, follower counts in the case of Twitter).

I bring this up because I just stumbled upon Brightkite’s advertising section of their website, and there’s some extremely interesting stuff in there!

First of all, it’s very clear that Brightkite is one of the first (at least in my experience) to be pushing their location platform as a walk-up-and-create ad platform, much in the same way that Facebook is (you can start creating your own Facebook ads here).

Like Brightkite, Facebook gives you a considerable amount of control over the targeting of your advertisement as well, which leverages Facebook’s horde of user-contributed demographic information:

But here’s where Brightkite’s platform gets interesting: this class of mobile ads — which we’ve known have been coming for some time (so-called proximity marketing) — target the individual based on their location and real-time behavior. Thus, when a user engages in some kind of action or activity tracked by Brightkite, the system can respond with an “appropriate” ad in real-time, triangulated off of a number of aspects of the user’s situation. Brightkite has enumerated the current set of attributes that they use:

• Location and place
• Real world behavior
• Time of day
• Activity
• Demographics
• Language
• Content and interests
• Weather

The only thing missing, it seems, is friends, but they could easily fit into the “content and interests” category.

Now, as a user, if Brightkite is able to leverage all this information — presuming that I’ve provided them with accurate information — the ads in their app better be friggin’ awesome.

Indeed, Brightkite’s blog post on freebies (as in, “free beer”) suggests as much, and the example they provide shows that Brady (Brightkite co-founder), having checked into the Rackhouse Pub, has just been offered a free draft or well drink:

Hard to argue with that. But this is where things get dicey, isn’t it?

Maybe I’m reading this image wrong, but since Brady’s already in the Rackhouse Pub, why would they want to give him a free beer? Unless Brightkite is underwriting such a promo (say, to counter Foursquare’s similar promos), Rackhouse Pub wants to get OTHER people in — not just give away drinks to their current patrons.

Of course there are countless ways to spin this — for better and worse.

Word of mouth for Rackhouse Pub could skyrocket, since people would virally spread the offer to their friends through social networks — amounting to a fairly cost-effective way to “acquire” new customers, especially if Rackhouse is able to recoup the costs of its giveaway on new dine-in guests.

But it could also backfire. For the price of a free downloadable iPhone app, countless single-drink seekers could take up Rackhouse on their offer and then leave, making for a costly marketing ploy with little upside.

Who knows. It all depends on how Brightkite “pushes” this kind of information to its users.

And Brightkite et al. aren’t alone in this space. Some companies are starting to leverage location and social networks in their own apps too. For instance, the 1.1 update to the Starbucks iPhone app adds Twitter, Facebook, and location-sharing features:

Now, with all these companies offering deals and incentives, I want a piece of the action! But I don’t want to be treated like some generic, disposable target. I want to be engaged with, and respected by, companies that want my business.

We have a long way to go to make this kind of engagement simpler, but longterm, I want to be the one who manages who does and doesn’t get the right to “target” me. I don’t want to opt-out — I want companies to request the privilege of showing up on my phone, in my activity stream, or in my inbox when I ask them to, at my convenience. I want to be able to put out a list of my desires and requirements, and then have companies bid for my business. And it’s fine with me if there’s a middleman broker in the middle that takes a cut, as long as I’m getting a better deal with better service than I would have otherwise.

Is that too much to ask?

Some months back, I wrote up a vision for what I call “connected commerce“, using Comixology as a preview of where I see this going, though that service is still far too manual, anti-social, and, critically, a bottleneck between me and my preferred retailer. This is a recipe for disaster, as Apple’s App Store continues to prove.

Attention brokers, like Brightkite, therefore, need to remember their place in this ecosystem: they need to first be the friend to and advocate of the individual (their customer), and second, to the advertiser or brand. Companies that don’t get this prioritization right will fail (and is why, in some respects, Facebook continues to change its platform rules while drawing the ire of developers, because, in order to keep their users, they must ultimately continue to make their environment a safer and more trustworthy space).

Doc Searls calls this consumer-driven leverage VRM or “vendor relationship management”. I’ve been a fan of the idea, but I think it falls down on the last word: management. Big companies are willing to devote thousands and millions of dollars “managing” their customers; individuals are not. But services like Brightkite and Facebook are beginning to change that by enabling us to leverage our real-time, real-world behavior as a gating apparatus, removing the “management” requirement of VRM, and allowing us to “flow with the go”. As we invite these attention brokers into our list of recipients to whom we release increasingly contextualized and precise information about ourselves, we stand to benefit a great deal. And privacy, then, becomes a rational, economic instrument that determines whether a company gets to serve us well (based on knowing us better) or clumsily (as they make presumptions about us through circumstance rather than intentional disclosure).

Implicitly, I am already benefiting from such opt-in vendor relationships. Through Twitter, I’ve “invited” several local vendors to send me real-time updates about their offerings to me via SMS, from Luna Park around the corner to Sightglass Coffee across town. They’ve earned my trust by not spamming me, instead offering actual value and insider information, treating me as a member of their esteemed coterie.

On the surface this model doesn’t appear to scale, but that’s just a failure of imagination. Scaling up is what the web does — if you know how to embrace it. By giving individuals more control over their experience and over the kinds of data that they can share, the need to “target” (in the military sense), recedes. Instead, opportunity emerges from being available, on-demand, and ubiquitous. Attention aggregators and identity providers can then broker relationships on behalf of their customers, and both parties will, ideally, end up with a better experience, and stronger, enduring relationships.

I hope Brightkite and Foursquare and the other location-based services keep this in mind. In as much as we let them broker our attention, they work for us — and not the other way around.

Etelos, Inc. a developer and operator of private-labeled marketplaces for Web-based business applications, announced support for OpenID for user authentication and Single Sign On (SSO) within the Etelos Platform Suite (more)

I am pleased to announce the opening of the 2010 OpenID Foundation Board nomination and election process.  The information below shares some context for the election and is intended for you – the person out there considering running, nominating or voting in the upcoming OpenID Foundation election.

This election will hit the refresh button on OIDF for 2010. I am pleased to report the “foundation” of the foundation is solid. New financial, administrative and legal measures are in place. Our budget was carefully mapped and still able to respond to the government’s open identity initiative. Because of all that and more, the newly elected community representatives will have a major influence on 2010 plans, priorities and budget. The focus on security and usability at last week’s OpenID Summit at Yahoo! and follow up discussions at the IIW reflected the key concerns of the current board. The “state of OpenID security” work Jeff Hodges, Ashish Jain and others did inventoried the security challenges we still face. Allan Tom, Breno de Medeiros and others laid out key issues in presentations on the “state of usability.”  New “product” improvement initiatives like those discussed in Dick Hart and David Recordon’s IIW session on V.Next and new “cloud” and active “client” selector demos all point to renewed energy for building on core OpenID technology.

Just as OpenID technology is evolving, how the board works must change.  Organizations that have transitioned from specification development to market adoption (the space we entered this year) have evolved their governance and membership programs to meet operational and financial objectives.  In order to improve the core technology “product”, drive RP adoption and increase member services, we need to find ways to offer more membership value and create diversified sources of income.  2010’s board members will consider how best to balance competing priorities with still unfolding value in the trust framework and certification work to do with the US government and others.  We’ve been told by experts that demand for certification is a leading indicator of the growth and maturity of a technology standard.  How we do certification will, in part, shape our future. Our discussions have us looking beyond the US government requirements to broader market adoption dynamics. The IIW community’s “acid test” greatly improved the working hypothesis that RP adoption can be best served by a synchronized and phased focus on both technology interoperability and policy certification.

In an organization like ours, leadership must come from all quarters.  As an essentially volunteer run organization, change – whether to a website page or working group – is in the hands of those motivated to act. The OpenID foundation remains a unique mash up of democracy, meritocracy and technology.  A few months ago, I took great pride in introducing the OpenID Board to Vivek Kundra, the US CIO at the White House.  I made sure Vivek knew the people he was meeting were not the usual suspects of lawyers and lobbyists, but the engineers and computer scientists who wrestled daily with the most challenging problems of internet identity.  The government adoption provided a forcing function for OpenID technology, community collaboration, and a bit of history making.

Over a glass of wine, Nat Sakimura, Andrew Nash and I were riffing on the OpenID Foundation’s “mission.” We kept pushing beyond: “stewardship of intellectual property.” “Enabling trust” wasn’t good enough but the Japanese translation of “trust” into “a feeling of safety” and being “at ease” began to capture what OpenID might someday bring to users. It hints at how important our work can be. For myself, I believe an “open” reliable, “trusted” identity standard can be the next key operational piece of Internet infrastructure. It can be to the identity layer what DNS is to the Web layer and IP is to the packet layer. In that way, the mission of the OpenID foundation and the leadership of its board can build something sustainable and important on behalf of internet users.

The contribution of your leadership on our board and active engagement as members of our foundation is highly encouraged.  Employment in any company is not a barrier. Please carefully consider your nomination and those of others.  A FAQ with specific details on the election process is available at http://openid.net/wordpress-content/uploads/2009/11/OpenID-Foundation-2010-Election-Procedures-FAQ-Final.pdf

Thanks for your support. 2009 has been an extraordinary year, 2010 promises much more.

Don Thibeau
Executive Director

The OpenID Foundation is holding its second election of community board members starting Monday, November 23. For this election, six community board seats are open for election. An FAQ has been posted on http://openid.net/wordpress-content/uploads/2009/11/OpenID-Foundation-2010-Election-Procedures-FAQ-Final.pdf

Of the current community directors, Mr. Kveton has indicated he will not serve another term. Mr. Kissel, Mr. Smarr and Mr. Tom have indicated their interest in continuing to serve. Mr. Messina and Mr. Sakimura were elected to longer terms as community representatives. On behalf of the foundation, I would like to thank Scott Kveton for his important service to the Foundation and wish him well in his new endeavors.

All members of the OpenID Foundation are eligible to nominate themselves, second the nominations of others who self-nominated, and vote for candidates.  If you’re not already a member of the OpenID Foundation, we encourage you to join at https://openid.net/foundation/members/registration.

Board participation requires a substantial ongoing investment of time and energy.  It is a commitment that should not be undertaken lightly. Rather, should you be elected, expect to be called upon to serve both on the board and on its committees where the work of the foundation is conducted, and To actively contribute.  That being said however, if you’re passionate about OpenID and advancing digital identity, have the time to devote to Community service in this manner, and are a person who gets things done and works well with others, we welcome your candidacy for the OpenID board of directors. We welcome your candidacy for community board seats regardless of current or past company affiliation or employment.

When the elections process begins on the 23th of this month, voting and nominations will be conducted using the OpenID you registered when you joined the Foundation.  Log in at https://openid.net/foundation/members/ with that OpenID to participate in the election. If you are already a member you will receive an email from membership@openid.org  advising you the election is open and how to participate. If you experience problems participating in the election or joining the foundation, please send a note to help@oidf.org

Again six community directors are being elected to the board.  The three candidates receiving the most votes will serve 2 year terms and the Three candidates receiving the next numbers of votes will serve 1 year terms. In order to be eligible for election, your candidacy must have been seconded by at least three other members.

The election will be conducted on the following schedule:
Nominations open:  Monday, November 23
Nominations close:  Monday, December 7
Election begins:  Wednesday, December 9
Election ends:  Wednesday, December 23
Results announced by:  Wednesday, December 30
New board terms start:  Friday, January 1 Times on all dates are Noon, U.S. Pacific Time.

Thank you for participating in advancing OpenID.

Don Thibeau
Executive Director

Here are the slides that we presented during the OpenID Summit. The basic premise was to identify the list of issues that have been mentioned in the past and classify them as

• Protocol Issues
• Browser / Http Issues
• Deployment Issues.

Breno (Google) had a follow up session at IIW to address the protocol issues.

Michael Hanson (Mozilla)  and Jeff had a session to address browser / http issues. (Still trying to find notes from that session).

No Tags

For most sites that accept OpenID today, the user experience is one of two things: User is redirected to the OpenID provider, and then redirected back to the original site. This is the most popular one, but it's a particularly jarring experience for the user. User is given a Javascript browser popup, ...

I'm running for the OpenID board of directors. I'm a little nervous, having never done any sort of political thing before. So let me try to answer some questions. Q. Cool! Can I vote for you? Anyone who is a member of the Foundation is eligible to vote. Membership in the foundation ...

Last week we finally launched Facebook Connect to the general public. In the time since I joined the team last May, I've definitely been surprised by a few things I thought I'd share. think big This time last year, I thought "Man, wouldn't it be cool if Facebook became an ...

When I was in college, I remember learning how to use Linux. It confused me horribly that different computers window managers would behave in different ways. First off, coming from Windows, I didn't even know that the window manager and the operating system were distinct concepts - I assumed they ...

Let me count the ways... Okay, so suppose you're a website owner. You have a user database, but you want more people to use your site. You've heard about a lot of these technologies for making your login process easier, but you're not sure how to use them. Facebook is offering ...

Five minutes each. That's all they got. Yet these presenters were able to fill my head with swirling images of two-man pogo sticks and robots taking over the world. Not to mention the career advice, a computer-aided cure for autism, and an awkward yet somewhat interesting take on the world ...

This week, Facebook began accepting OpenID for single sign on. At the Internet Identity Workshop, many people raised a lot of questions about Facebook's implementation, and in general the relationship between single sign in and sign out. In this post, I'll argue that sign in is only half the battle; ...

One of the biggest issues with OpenID is its usability. Many relying parties are currently faced with a difficult choice: how do you let the user know the provider they should be using? Users may be familiar with the brands of Facebook, Google, Yahoo, etc, but if your site doesn't ...

Last summer, John McCrea and Joseph Smarr put together a diagram of the "open stack". The image showed up in numerous talks throughout last year, culminating in an Open Stack Meetup in December. Last week, Marc Canter sent an email asking for thoughts on crafting a new revision to the ...

Since it’s apparently all the rage to design your own features for Twitter now, I figured I’d build on my success with the hashtag and crank out a few more.

All of these are simple conventions for adding more standard metadata to a post in a specific, uniform way.

The Slasher

First, I’ve decided to migrate from encapsulating my metadata in parentheses to using a slash delimiter (”/”), which, for shits and giggles, we’ll call “the slasher”. This saves you ONE character, but hey, those singletons add up!

Now, the pointers. “Pointers” are short words with different intentions. A group of pointers should typically be prefixed by ONE slasher character. You can daisy-chain multiple pointer phrases together, padded on both sides with one whitespace character. There should be NO space following the slasher. Hashtags should be appended to the very end of a tweet, except when they are part of the content of the message itself and indicate some proper name or abbreviation. Normal words that would be part of the content of a tweet anyway SHOULD NOT be hashed.

If this doesn’t make sense yet, don’t worry, just read on.

Via

Let’s start with via, the first “pointer”.

The concept is simple and already widely used: sometimes you want to give credit to someone (as part of the pay-it-forward link economy) for something they said or linked to, without quoting them verbatim (which is what RT or “retweeting” is for, in my estimation and use). Now, a lot of people already use the “via” keyword — in fact, it’s a setting in Tweetie, and looks like this in practice:

My proposal is simple, but would look like this instead (note that there’s still no colon):

Saves you one character when used with the slasher delimiter and doesn’t look half bad.

CC

Next is cc — or “carbon copy” — not Creative Commons! Of course, if you ever used email this one should be obvious. The job of the CC is to indicate someone you want to direct a tweet at.

I follow 1600 people — and it’s highly unlikely I’m going to see everyone’s tweets — and I don’t really make an effort to do so. In the off-chance someone specifically wants to get my attention, they can just CC me, like I CC’d my friend Lauren in this tweet:

You’ll notice how, using the slash notation, you’re able to serially string together several pointer phrases: i.e. “/via @cshirky cc @laurendarby“.

By

The last one I’ll mention is by. As you can imagine, the “by” syntax is similar to “via” and “RT”, but not quite the same. It’s more like the cite or blockquote HTML tags in that they provide a simple way to attribute authorship for a longer-form piece — i.e. not from a status update or spoken utterance (that’s what RT and OH are for respectively).

Here, I’m quoting a passage by Dominiek ter Heide (@dominiek) that I took from a blog post that he wrote:

So, why bother writing these up? Well, I never expect that anyone will follow my lead, but if they do, I’d like to spell out what I’m doing so they can more or less get it right. It seemed to work with hashtags, and these ideas proposed here are even simpler. Now, you might not expect that, one, two, or three characters in tweets would make that much difference, but when you’re taking about a payload that maxes out at 140, each scintilla must carry its own significance. As such, there is value in coordinating our language, and providing some basic guidelines that emerge based on behavior — so that we can encode more meaning into these little blips of communication.

I’ve started tweeting using these patterns and invite you to do so as well when it makes sense. If you have your own ideas for microsyntax, Stowe Boyd started a wiki a while back to document them, so feel free to contribute your own or improve or use the ones already proposed!

I admit that my initial reaction to the OpenOfficeMouse (to the right in the above graphic) wasn’t … positive. After all, I’ve been acclimating to my new Apple MagicMouse (seen on the left above) for the past week and really like it, especially in comparison with the previous model with the stubby and malfunctioning nipple (called the “Mighty Mouse” before Apple lost a trademark dispute).

To me, the OpenOfficeMouse seems like such a typical product from the open source community. The press release waxes on about the features, implicitly presupposing that more must be better:

• 18 programmable mouse buttons with double-click functionality
• Three different button modes: Key, Keypress, and Macro
• Analog Xbox 360-style joystick with optional 4, 8, and 16-key command modes
• Clickable scroll wheel
• 512k of flash memory
• 63 on-mouse application profiles with hardware, software, and autoswitching capability
• 1024-character macro support.
• 18,000 wingdings.
• 50 bazillion dingbats.
• Adjustable resolution from 400 to 1,600 CPI.
• 8,000,000. Nothing specific, just… 8,000,000.
• Support for Comic Sans.
• 20 default profiles for popular games and applications, including Adobe Photoshop, the Gnu Image Manipulation Program, World of Warcraft, and the Call of Duty series.

I’ve decided that rejecting this product out of hand wouldn’t be fair. As much as I’m itchin’ to. And, well, since I’m trying to be more positive these days, I’ll see if I can be more rational in my constructive criticism.

The first thing that needs to be understood about this mouse is that it’s explicitly not for everyone. It was designed by a game designer, largely for game players. Another way to think of it is as the twelve-sided die to your standard six. In the course of designing and developing the product, it quickly became apparent that many non-gaming applications would also benefit from having dozens of commands accessible directly from the mouse, especially in navigating the bajillion dropdown menus that spawn in office productivity apps like OpenOffice, or rotating 3D shapes in apps like 3D Studio Max.

The second thing to consider is that this mouse dispenses with walk-up intuitive design in favor of complicated setup screens and shareable button configurations:

The settings for the MagicMouse, in contrast, are visual, approachable, and show the user exactly how it works with an embedded video:

And while the MagicMouse can be picked up and grokked nearly instantaneously (though it sucks that right-click is disabled by default), the OpenOfficeMouse requires about two days of acclimation according to the FAQ.

At base, these products represent two polar opposite ends of the spectrum: Apple prefers to hide complexity within the technology whereas the open source approach puts the complexity on the surface of the device in order to expose advanced functionality and greater transparency into how to directly manipulate the device. Put another way, the reason that people would buy the $69 Apple MagicMouse is because they want Apple’s designers to just “figure it out” for them, and provide them with an instantly-usable product. The reason why someone would pay $75 for this mouse is because it strictly keeps all the decision-making about what the mouse does in the hands (pun intended?) of the purchaser.

What I worry about, however, is that pockets of the open source community continue to largely be defined and driven by complexity, exclusivity, technocracy, and machismo. While I do support independence and freedom of choice in technology — and therefore open source — I prefer to do so inclusively, with an understanding that there are many more people who are not yet well served by technology because appropriate technology has not been made more usable for them. The beautiful, usable technology in the marketplace need not be the exclusive domain of the proprietary — but so far I’ve see little indication that open source developers take seriously the need for simpler, easier, and more intuitive future-forward interfaces. Perhaps I’m wrong or just uninformed, but so long as products like the OpenOfficeMouse continue to characterize the norm in open source design, I’m not likely going to be able to soon recommend open source solutions to anyone but the most advanced and privileged users.

I sat down for a conversation with Ville Vesterinen (@vesterinen) — co-founder and editor of the ArcticStartup blog — last week while he was visiting from Helsinki. Following up on the post that Jyri Engeström and I wrote on the web at a new crossroads, we discussed the need for more open standards to create the underpinnings of a web-wide platform for building more personal social applications.

At one point in our discussion, I suggested that an HTML tag for a person might make sense — with the ability to include a person’s face or list of friends — without the need for services like Facebook or Twitter. This idea was inspired by Mark Pilgrim’s retelling of the origin story of the <img> tag and conversations I’ve had recently with Michael Hanson of Mozilla (who wrote up a concept for supporting WebFinger in the browser after discussions at IIW).

Our conversation goes on around 15 minutes but does a decent job of capturing my current thinking on the social web.

I’d also like to point out that an OpenWebCampHelsinki is happening this weekend, in case anyone happens to be passing through Finland!

As of this week’s Internet Identity Workshop, I’m now rather convinced that an “identity selector” is the wrong product and the wrong feature set, regardless of the exact details of a particular vendor’s implementation. Several discussions in several contexts, including how to best make a browser identity-aware, all point to the same conclusion, regardless if the context is a card context or an identifier / OpenID context. Something had always been bothering me about the identity selector concept over all these years since I saw the first CardSpace demo, and now I know what it is.

To make my point, consider the interaction of a user with a site over some period of time:

Here, the user (necessarily) is anonymous at the site when visiting for the first time. As time progresses, the user may chose to register at the site (and log in at the same time), and then continue to have an active session for some time. This session later times out and the user returns to the site after the timeout. The user authenticates again, and later logs off intentionally, after which (one hopes) the user is anonymous again for the site.

The blue sections in the diagram show the times at which an “identity selector” is useful: upon initial registration, and then again upon re-authentication. However, compare these minuscule amounts of time with the time that the user and the site have a relationship with each other centered around the user’s identity. If it takes me 20 seconds to log in, for example, but I stay at the site for an hour with the authenticated session, the “identity selector” helps me with my identity at that site only for 0.5% percent of the time.

What about the other 99.5%?

We need functionality in the browser, or at least somewhere close to the user when using a web browser, that assists the user 100% of the time their digital identity is in the picture, not 0.5% of the time. By thinking of that product as an “identity selector”, we are excluding the other 99.5% and thus are getting the product exactly wrong.

The correct product is not a “selector”. It also must be:

• An identity “de-selector”, with which the user can become anonymous again (or perhaps even remove all the information from the site which was conveyed during the “identity selection” phase). The much-desired “single sign out of the web” button should logically reside there.
• An identity-aware session “visualizer”, which conveys to the user that there they have open sessions with which sites, which of the user’s identities are currently used with which site, which others they have used with which site in the past, whether the session is valid (as opposed to expired), what information about them they have shared with the site and perhaps how to log out.

This is particularly important if the user has multiple active sessions, perhaps with multiple identities, occurring in parallel, such as in multiple browser tabs — increasingly a fact of life for many internet users. Keeping track which sessions are still open, and which can be easily reactivated (e.g. by an OpenID checkid_immediate check) is cognitively impossible for many people (myself included) and computer support in the browser (not on the browser page) would be really useful. Throw in the use case of somebody briefly borrowing the computer to check their e-mail or Facebook account, while the primary user still has all their windows and session open, and perfect confusion ensues with a range of scary security and privacy issues around them.

So, what we need is not an “identity selector” for 0.5% of the time we use identity in the browser. What we need is a continually active, perhaps proactive assistant that helps us create and tear down sessions, watches our sessions, keeps track of the information that flows back and forth and helps us when we need it, 100% of the time.

Now I’m not a usability guy by any stretch of the imagination, but the following strawman picture popped into my head earlier today. It could live somewhere in the sidebar:

Each active session could have a separate section (rather like the Windows task bar). It would show the name of the site, whether or not the user was currently identified there, and the user’s current identifier (or card) there.

To log out, click the “x”. To log out everywhere, click the big button. To reactivate an expired session, click on the red light and it will turn green if re-authentication was successful. Clicking on the section could bring the tab / window to the front that belongs to the site, like in Windows or OSX. Right-click would show the information that has flown between user and site so far, perhaps with a time-based log. And so forth.

An alternate version could sort by identity first and then by site (as opposed to this figure, which is sorted by site and then by identifier). That might be useful, too.

But regardless of the details of this strawman screen shot, which you may or may not link, I think the idea of covering the entire lifecycle of the user’s identity-based relationship with a site would lead to a much more useful product than a mere “selector”. Many others at IIW seemed to think so, too, but I’ll let them speak for themselves if they feel inclined to.

Yes, we don’t have the protocols and conventions for all of this. But I don’t think they are hard either, so that should not be an excuse.

Let’s mull this a bit … at least one major browser manufacturer does not seem to be too disinclined to go in this direction… with a bit of squinting, today’s identity selectors could even be re-interpreted as version 1 of the more inclusive approach…

The list of brand-name OpenID adopters speaks for itself, with — by some counts — now more than 1 billion functional OpenIDs on the open internet, but for the internet identity movement this quote from Kim Cameron, Microsoft’s Chief Identity Architect, is rather significant:

In the last year, OpenID has without doubt become the most widely adopted system for reusable internet identity.  Adoption by destination sites continues to grow dramatically: approximately 50,000 sites as of July 1, 2009.  The big Internet properties like Google, Yahoo, AOL, MySpace, and Windows Live have become (or are becoming) OpenID Providers.   As a result, the vast majority of the online US population has an account that can be used to log in at the growing number of destination sites.

What a little URL could do …

I’m not a great fan of patents, not because I’m against innovation, but because I don’t believe the patent system (especially in the United States) has kept up with, or modernized, in a way that actually encourages the widest possible public benefit at the lowest cost in the least amount of time. In other words, what we’ve learned from open source is that different types of competitive pressures in transparent markets can do as much if not more than centrally conferred monopolies over a given idea, implementation, or design.

Furthermore, the process by which the rights of a patent are exercised is costly, damaging, and net-net ends up wasting, in my estimation, much more energy that could otherwise be put into more essential or meaningful pursuits. I mean, I know lawyers need to eat too, but the outcome of a successful patent prosecution usually inhibits technological advancement more than accelerates it. Put another way: when has there been a patent dispute in which someone was prohibited from infringing on someone else’s idea that lead to an increase in innovation (and no, rewriting kernel extensions and whatnot do not count)?

Now, it occurs to me that not all government-sanctioned monopolies are altogether bad. In fact, the benefits of the exclusive capitalization of an idea seem to provide an ample marketplace incentive for companies to invest heavily in research and development. That’s a good thing. However, the current patent system, which seems to award such monopolies to a vast number of ideas which are never actually built, I believe, contravenes the original intention of the patent system — which exchanged limited-time exclusivity for longer-term transparency into the architecture of an idea, for the benefit of the public.

With so many complex patents now being applied for and granted, I think this has lead to a marketplace distortion that now benefits those who know how to play, and thus game, the system. In order to address this situation, I think more uncertainty and scarcity need be introduced to shake things up.

One approach that I’ve been noodling on lately is the shift to something more like the Academy Awards, known for giving out the prestigious Oscars given out to professionals in the film industry. Now, I’m sure the Oscars can be equally gamed, but what I’m interested in is the scarcity, honor, and publicity that come with receiving one of these awards. In some ways, the Oscar is like a year-long monopoly on notoriety or fame (sort of, but not exactly). Still, the 24 awards that are given out represent the best in the industry, and bring with them distinction that is desired, it seems, by all who work in film.

If the patent system operated in a similar way — where it was just an honor to be nominated — and 24 exclusive patents were granted on a yearly basis to the ideas of greatest merit or potential human benefit, we might see some real competition and most of all, new entrants into the marketplace. I guess this is what the Nobel prizes are all about, but don’t bring with them a state-sanctioned monopoly to commercialize an idea. If the patent system were designed to publicly highlight and honor those few ideas of merit, provided a restriction on the length of monopoly to 1-3 years (instead of the current 20), involved a kind of voting process (perhaps more transparent than the Oscar’s?), and organized some kind of annual fete to celebrate the chosen inventions — who knows — maybe the patent system would provide a very different kind of incentive structure to create and to invent.

This idea of mine is of course far from perfect, but then again, so is our patent system.

Any conversation about identity leads to a conversation about privacy. Identity by its nature is a very personal topic, and people are concerned about who can see what about them. In the past, the high friction in moving information provided some privacy protection. Now, as more of our identity becomes digital and the friction in moving it around has dropped dramatically, the risk of privacy issues has subsequently increased.

Facebook is an iconic example of the intersection of identity and privacy. There are internal and external applications that enable the user to easily share an unprecedented variety of information about themselves., with the brand promise that the the user is able to control who can see what information about them.

Some of you may be familiar with the privacy problem I had with Facebook last spring. (no, I’m not going to provide a link to it, since I would prefer it just went away – so please don’t go looking for it!) Although there was a basis to start a legal action, I prefer solving problems rather than complain about them. I had a productive conversation with the team on Facebook, a company that takes privacy very seriously. I provided them with feedback on how to improve some of their processes, and they asked me to review their new Privacy Policy, which was just published today.

The new policy makes it more clear what will happen when, and directs the reader to where they can make adjustments if they prefer settings other then the defaults.

This is cross posted on the IIW Blog

Regular Registration ENDS NEXT WEDNESDAY – October 28th at Midnight. Prices go up $100 after that.

The Internet Identity Workshop #9 Tuesday – Thursday, November 3-5 in Mountain View, CA Computer History Museum

Please blog/tweet about the conference. The hash tag is #iiw , our twitter handle is @idworkshop

Proposed Topics List is here. We all make the agenda together beginning at 1 on Tuesday and again on Wednesday and Thursday morning. If you want to know more about how to prepare for an unconference check out this piece called “unconferencing” by Kaliya Hamlin (@identitywoman) the facilitator of the workshop.

You can see the specific times of sessions.

Tuesday Morning Opening talks will cover: * The Identity Trust Framework activities – Drummond Reed and Don Thibeau * Data Portability releasing their EULA work * Action Cards – Phil Windley and Paul Trevithick * Discovery etc. – Eran Hammer-Lahav * Activity Strea.ms etc. – * A VRM update * We might cover activity happening in the healthcare sector * We are working on having Vivek Kundra the CIO of the US join us via skype – as yet this is unconfirmed.

They won’t cover – OpenID 101, Information Cards 101 or SAML 101 If you are unfamiliar with these topics we recommend reading these papers/watching these videos. There is a lot of information online covering these topics on the foundations/organizations respective websites.

OpenID – http://openid.net/ OpenID video about it – http://www.youtube.com/

Information Cards – http://informationcard.net/ Video – http://informationcard.net/watch-the-video

SAML – http://en.wikipedia.org/wiki/SecurityAssertionMarkup_Language Video – Ping Identity on SAML 101

All together now – the Venn of Identity The paper – by Drummond and Eve the update – The Zen of Venn

Demo Hour: We still have Demonstration slots available you must sign up ahead of time to Demo. It is Wednesday after lunch short 5min demos will be happening throughout the hour – throughout the room. Please e-mail Kaliya[at]mac.com to get a table and more information about how it will work.

Food: I forgot to ask if there were any special dietary requirements. Please let me know if you have any – this is what we have in store for you.

Tuesday – Burrito Bar, Tied House Wednesday – Indian, Italian Thursday – BBQ Boys

Thank you to our Sponsors:

Without their contributions this conference would not be possible. (we still have sponsorship opportunities available)

<a href=”http://www.internetidentityworkshop.com/sponsors/”> <img src=”http://www.internetidentityworkshop.com/wp-content/uploads/2009/10/IIW9Sidebar.jpg”> </a>

About the Notes Taking Procedures: In our effort to document the whole confernece and give all attendees access to all the happenings in sessions we have a notes taking procedure:

If you convene a session it is your responsibility to get a note taker for your session.

The note taker needs to use the NOTE TAKING FORM – found here in digital form (the paper version will be avaliable in each break out space too). When notes are complete, the note taking form must be e-mailed to iiwnotes@gmail.com OR transfered to a USB key at Documentation Center OR if paper notes are taken transcribed by the notes taker on computers provided in Documentation Center

We will also be collecting a more immediate list of results from each session on 11×17 sheets.

We are looking forward to seeing you next Tuesday!

let us know if you have any other questions,

-Kaliya, Phil and Doc

Related posts:

1. Internet Identity Workshop May 18-20
2. Announcing the Internet Identity Workshop (IIW2005)
3. Internet Identity Workshop May 12-14

On October 7, 2009 the Board of Directors voted to revise the OIDF IPR
Process document.  The revisions are primarily being made to help
streamline the formation of work groups. A vote of the full membership
is required to formally adopt the revised process. Voting will begin on November 6, 2009.  Marked and clean versions of the revised process document are viewable here:

Clean

Marked

Executive Directors Summary
Now that we’ve had time to observe the reactions and resulting coverage from the Open Identity for Open Government Initiative, I want to discuss what we’ve gained and where we are headed.  Overall, the announcement, the foundations’ presence in Washington – at both The White House and the Gov 2.0 Summit, and the media outreach, was a big boost to OpenID adoption and the open identity community. For so long, the media and online influencers have taken a “looks promising but wait and see” approach to open identity technology. This announcement advanced the discussion.

The government’s effort underway is a pilot; a very deliberate beta test of OpenID technology with new integration and interoperability tasks etc. We don’t know when we will finish but we do know we will make mistakes and wrestle with usability and security issues.

We are at the beginning of a shakedown cruise on two tracks -the open source identity technologies and the open trust frameworks.  Both are parts of the GSA ICAM schema and both on the agenda of the OpenID Foundation and Identity (IDF and ICF) boards to consider.   Just as we begin technical testing with government pilots; we are also finalizing the certification or trust framework process a critical element in government adoption and seen by some industry leaders as applicable for high value commercial applications. The US government is still finalizing requirements for credible, independent and industry standards-based identity certification. Many international governments as well as US state and local governments are studying the US ICAM “schema” of technology protocols combined with industry self certification models. Identity provider certification or Open Trust Framework models have gained momentum after recent meetings with the Center for Democracy in Technology and feedback from various government agencies including the GSA ICAM leadership, NIST, NIH and the National Security Staff in the White House.

Given all the players involved it’s hard to say what will be completed when. The most valuable new dynamic is how many people and organizations are coalescing around a practical and far reaching solution set for the challenges of identity from a user perspective.  This goes beyond the tired truisms that often characterize privacy versus security debates.  There is today, a real hunger for real solutions in identity authentication. Whether you frame discussions as open government, open source or open identity; there are powerful political, public and commercial drivers at work involving identity on the web. New legal and policy discussions around open identity trust frameworks are a leading edge indication that practical solutions are in play and pragmatic (private and public sectors) organizations are involved

That being said, while the announcement resulted in approximately 30 stories, many of them were replays of the press release. I believe that speaks to two issues. The first is we announced a pilot. That means that once again, media can “wait” for the NIH implementation to go live and “see” what the results are. Second, this is a complicated story and requires more than a release to understand. The most comprehensive articles were the ones where the reporters were briefed in person.  The joint briefings by me, Drummond Reed, and the evangelism from Chris Messina, David Recordon and Kaliya, paid off in outlets like Federal News Radio, Tech Target, ReadWriteWeb, Wired and Fast Company.

Community and Collaboration
The other major take away was how well the OpenID and Information Card foundations and community leaders worked together on the initiative. The level of enthusiasm, cooperation and collaboration allowed us to accomplish much in a short period of time with limited resources. The announcement and conference served as a rallying event for the community and industry.  The government adoption of OpenID remained front and center in venues like the Tao of Attributes and the OASIS Meetings in Washington DC. See http://middleware.internet2.edu/tao-of-attributes/agenda.html and http://events.oasis-open.org/home/forum/2009

Emerging from these events is the term “OpenID” as a category catchall for the industry. This is most likely due to OpenID having strong recognition and society’s reliance on quick, sound bite, catchphrases, and the fact that OpenID has some very well-connected, well-recognized brands working on its behalf (Google, PayPal, etc) The industry, community and the two foundations will discuss how best to manage that moving forward at IIW, the OpenID Summit and boards meetings.

Outreach and Opportunity
Public relations, adoption and outreach, are processes not events. Open identity has gained momentum and is in a strong position to grow. Not only have we peaked interest with our pilot programs, but since the conference, there continues to be stories in the blogosphere, mainstream and tech media about the administration’s open government efforts.

I see several opportunities in front of us. The most obvious of course, is to continue to update the media on our progress: new pilots, new IdP’s, results from the NIH program etc. The other opportunity is a more proactive approach to communication. The open government story is in the news now. The foundations need to draft Op-Ed pieces and offer spokespeople from the community and companies to the media for commentary on the issues. We should continue to leverage our member company resources and our community talent pool as experts.  We know the media finds this story to be complicated. Let’s continue to brief them so that the next time we make a big announcement, they are ready with background information and we are ready with an open source, user centric perspective.

There is:

• e-mail (Mail.app)
• VoIP (Skype)
• RSS (NetNewsWire, and Mail.app)
• Twitter (Tweetie)
• sometimes IM (iChat, others)
• sometimes IRC (Colloquy)

That’s in addition to websites that also act as messaging clients, like Facebook,

I’m sorry, how many feeds am I supposed to monitor in how many pieces of software?

What about somebody develop a real nice piece of software that brings all of them (and whatever they invent next week) into a user experience that actually makes sense? An Über-multiprotocol messaging client that does all of this?

I’m beginning to have second thoughts.

Plenty of people (myself included) got involved in internet identity because of its promise to put all of us as  individuals at the center of our interactions on-line. To empower individuals to define and offer and enforce their own terms in their interactions with others. To not merely be somebody’s user or consumer, but to be a first-class citizen of the net. To not be at the mercy of any government or organization.

And from a merry band of similar-minded individuals, the movement was born. The assumptions were:

• Anybody could set up their “digital home” anywhere on the web at any URL of their choosing. The address of that home would be their LID or OpenID URL.
• When visiting somebody else’s site, they would use that URL-to-home to create a relationship from your site to my site, from your on-line home to my on-line home. It wasn’t thought of single-sign-on, but the equivalent of leaving one’s card at someone else’s place with the invitation to visit and establish a relationship. Technologically similar, but very different in intent.
• This relationship between your site and my site would enable two-directional information flow for a variety of interesting purposes that could be switched off by either participant at any time.

While OpenID, the technology, still can support all of this, the thrust of the thinking of many of its larger supporters today goes into a different direction:

• There is a belief that URLs are too complicated to use by the average individual, which has encouraged what’s called the OpenID “NASCAR GUI“. However, because that GUI can only show a few icons, it clearly encourages me to use a big-company-provided identity instead of my own.
• Directed identity and identifier select hides the identity URL and downplays the “let’s create a relationship by exchanging pointers to home” to the extent that few people new to OpenID can even comprehend they are getting mere single-sign-on, not relationships.
• The primary focus of OpenID-based profile exchange is to convey the user’s e-mail address to the visited site (usually a vendor), so that vendors can send e-mail to the user. Note that because it is e-mail, the the user cannot turn it off. It didn’t have to be that way.
• Certification has entered the picture. While many details are still unclear, all certification schemes that I’ve ever heard of require substantial effort and perhaps money to get certified. In all likelihood, that will make it all but impossible or impractical for individuals to play on a level playing field with mere users of large company’s products. This is particularly ironic when applied to the relationship between citizen and government, which suddenly will have to be mediated by substantial commercial entities. Among other things, they get to see which citizen interacts with which part of the government when and how often.

I know the argument that “if the user can see which attributes go over the wire, it’s user-centric.” Well, yes, perhaps, but in my view that’s user-centric in the same way a calorie-free chocolate cake is sweet. I ordered a real chocolate cake, though, please, where did it go?

Don’t get me wrong, there are good things about all of this, the most important of which is that the state of the art has driven substantially more adoption than it likely would have been in the less organized, decentralized, you-be-in-charge-of-your-own-destiny world.

But is the price of more adoption less user-centricity? Or is that just a phase we are going through?

I hope to discuss this and other big questions at the upcoming Internet Identity Workshop. Hope to see you there.

I don’t know why — maybe it’s just the fall weather — but the privacy temperature is changing. We’re in a period of global warming towards privacy as a key component of Internet identity infrastructure. Part of it is my work at the Information Card Foundation on the Open Trust Framework (read this white paper if you haven’t seen it yet). I’ll be blogging more about that soon.

But another sign is this superb post by Bob Blakley on what’s at the heart of privacy and privacy protection. As one of the technologists that’s spent a decade working on technological solutions to privacy, I can’t endorse Bob’s conclusions strongly enough. It’s a social problem, one that technology can only help create the social cues and custodianship to help with.

But read Bob’s post to see how well he frames the problem and what technologists can and can’t do to help.

ComputerWeekly reports somewhat breathlessly:

Multiple passwords to access computer networks and services may soon be a thing of the past.

ITU-T X.1250 provides the ability to enhance data exchange and trust in the identities used worldwide by users, network access devices and service providers using a certificate-based public key infrastructure (PKI) system. This is similar to how e-passports are verified.

I figured something was missing in identity land. I’m sure everybody’s immediately going to throw away OpenID, and information cards, and SAML, and what have you, now that the ITU has discovered PKI and solved the problem for us Clearly all of our work was always doomed to failure because we did not make it work the same way that e-passports work. (Or should I put the last “work” in quotes?)

From Slashdot

SpuriousLogic spotted this story on the BBC, from which he excerpts:

“The High Court has given permission for an injunction to be served via social-networking site Twitter. The order is to be served against an unknown Twitter user who anonymously posts to the site using the same name as a right-wing political blogger. The order demands the anonymous Twitter user reveal their identity and stop posing as Donal Blaney, who blogs at a site called Blaney’s Blarney. The order says the Twitter user is breaching the copyright of Mr. Blaney. He told BBC News that the content being posted to Twitter in his name was ‘mildly objectionable.’ Mr. Blaney turned to Twitter to serve the injunction rather than go through the potentially lengthy process of contacting Twitter headquarters in California and asking it to deal with the matter. UK law states that an injunction does not have to be served in person and can be delivered by several different means including fax or e-mail.”

Related posts:

1. NTT and Twitter
2. Twitter and emerging currency
3. Peeling back the twitter layers

Ryan Stewart — a platform evangelist for Adobe — wrote a post resentful of Google Wave’s hype — and lamented the lack of similar interest and enthuasism for rich internet applications (RIAs), writing that Adobe, just [doesn’t] seem to encourage the visionary demos, the ones that make people rethink how they’ll communicate and interact.

The resulting discussion was worth a read, especially comments by Brian Lesser. While one of the arguments was over whether Wave could be built with Adobe technologies, that’s the least interesting part of the conversation. As Ryan points out, people don’t get excited about standards — they get exited about vision.

And that’s where I think there’s something to be realized.

Google is a company that values big thinking and puts resources into big ideas — what I’ve heard referred to as “BHAGs“, or “big hairy audacious goals”. I mean, their mission statement is to index and make available all the world’s information. That kind of brand promise has benefits beyond just Google, and I think that sets them apart.

The promise of Google Wave is to transform how people communicate and collaborate — and Google can credibly take on a challenge like that, because they’ve done a pretty good job of doing transforming search, and then — almost accidently — maps (even though, again, you could argue that draggable maps could have been done in Flash at the same time, but you’d be missing the point).

What Google seems to do well is focus on some obvious and widespread problem that regular people have and apply a determined, quantitive approach to solving the problem. Wave is probably their most risky bet yet because of the complexity of their solution, but I think anyone who deals with a large amount of information — in real-time or asynchronously — has to admit that our current tools just aren’t cutting it. And it’s only going to get worse unless something better is created.

But the benefits of such a technological solution will be missed unless it rapidly achieves scale through widespread and ubiquitous adoption — which requires an open, royalty-free standards-based approach. Just read Hal Varian’s book on the subject, and you’ll realize that the reason that Google Wave is exciting is that it represents a multifaceted solution with a little something for everyone: the interface and user experience is controversial and novel providing designers a hook; the technology stack pleases and challenges open source hackers and the tech press equally; the collaboration and communication aspects excite businesses, managers, and any frustrated by email; and sceptics are held at bay by the cleverness of the economics of Google Wave — from the outset, Wave servers are designed to be run by other actors besides Google. That is, if you don’t want Google to own the space, you’ve now got to decide if you’re going to create a competing platform (and more importantly, “open standard”), or join the fray. Given Google Wave’s first-mover advantage, I think any competitor wishing to offer a competing open standard will be hard pressed to argue why they didn’t just “adopt the Wave Protocol”.

To put this argument another way, this is a product firing on all cylindars, and that’s what we’ve come to expect from Google.

If Adobe had launched Wave — the identical product that Google launched — I don’t think that anyone would take them seriously. As Scott Koon pointed out, Adobe is a toolmaker — they’re not known for big ideas that confront a basic human problem — least of all one related to information on the open web. Instead, Adobe tends to make graphics tools, and products that help organizations lock down information — not share it freely and openly. Wave is just a product that Adobe couldn’t make, because it’s not in Adobe’s DNA to tackle such problems.

It isn’t that Adobe doesn’t have its own BHAGs — it does — but I believe that history and behavior show that most Adobe products end up supporting existing control structures rather than breaking them down — same with Microsoft’s. Google’s products are inspirational because they enable us to imagine — and achieve — a different and perhaps freer tomorrow.

I’ve posted the video that Brynn shot of my talk. Slides are available here.

Of course, it’s purely coincidental that I used Pownce to illustrate my story of the “death of a web app”, since it was relaunched yesterday at TypePad Motion — without any of the relationships that were lost when the service shut down.

These are the slides from my talk at the Mindtrek conference in Tampere, Finland today.

I admit that there are some controversial things in this talk, but if I don’t say it, I don’t know who will. So, for the purpose of understanding this talk, it’s worth keeping in mind that I mean “OpenID” in a much more expansive way — not limited to the purview of the features of the protocol today, but as an effective, comprehensive competitor to Facebook Connect.

As well, I’m working out what I really mean by “Identity as the Platform”, but my five touchpoints are currently:

1. Me at the center
2. Smarter user agents
3. Dynamic personal expression
4. Universal user experience
5. Data is money

I’ll be posting a video of my talk later, which should I expand on what these elements actually mean, but I’m happy for feedback in the meanwhile!

Also, I’m embedding this slideshow using Scribd as Slideshare wasn’t able to convert my slides. Let me know what you think.

This was actually a comment I left on my last post about the v3.3 release of the OpenID plugin. It is a topic that comes up relatively often, and one in which most people are surprised when they hear my stance on it. It’s worthy of a separate discussion for those that are interested, so I’ve pulled it out into a separate post.

I’ve talked with core team about this numerous times… in fact, I spoke at WordCamp Portland and Seattle these last two weeks and talked with Matt about it. For the most part, I actually agree with him that OpenID doesn’t necessarily belong in core, at least not yet.

There’s a lot of thought being given to how WordPress can serve as your “digital hub” on the web. Right now, Automattic is playing in that space in the form of BuddyPress. Now right now, BP allows you to create another social network silo. BP installations don’t talk to each other, and there’s no way to use your account on one BP network to login to a different BP network. I talked with Mark Jaquith this weekend about my desire to see this outward facing functionality. For that, I think OpenID becomes painfully obvious.

I would also like to see this OpenID plugin deployed on WordPress.com to replace the existing plugin. Currently, all WP.com blogs are OpenIDs, but you can’t login or leave comments using an external OpenID. And currently, almost no one uses the existing OpenID provider. Of course, I would argue that this is because they haven’t done a good job of promoting it or adding any new features like SReg or AX. Using my OpenID plugin would greatly enhance the OpenID provider functionality on WP.com, and it would allow people to use OpenID when leaving comments. Some of the changes that are included in 3.3 are actually steps toward cleaning up the plugin so that it is more suitable for deploying on WordPress.com. There’s still more work to be done on this front, but it’s something I intend to continue pursuing.

As for inclusion in WordPress core, I just don’t think we’re there yet. The OpenID plugin is pretty popular, but it is far from having the critical mass that would justify inclusion in core. I am a firm believer that WordPress should by no means try and include every cool feature under the sun in core. It would quickly grow out of control. I do believe, however, that the appropriate hooks should be provided in core to allow any cool feature under the sun to be added as a plugin. The core dev team agrees with me on this, and they’ve been very good about making whatever changes were necessary to allow plugins to provide that functionality. In fact, I overhauled how the authentication system is extended in WordPress 2.8 simply to make things like OpenID and OAuth much easier to implement.

A few other things I’d want to see fixed before considering inclusion in core… the OpenID plugin weighs in at what? almost 900K? Remove the screenshots and readme.txt and you’ve got 700K left. Over 500K of that is the JanRain OpenID library. So size is an issue. Also, the biggest problem that people have with getting the plugin to work is related to their environment. WordPress is known for having a very minimal set of requirements to get it running. I’d really want to track down and fix a lot of these weird environment issues that continue to plague the plugin. Finally, we need a really solid UI, both comment form integration and the admin side. I’m pretty happy with the new comment form integration, but the current admin screens need work. More than anything, there is just a lot of functionality in the plugin and it’s hard to boil it down. Especially when you consider both the OpenID consumer and provider options, both site-wide and per-user.

Alexander van Elsas left a comment on my post “On Identity Business Models or Lack Thereof” that I feel I have to respond to. It is not the first time I have heard a comment along these lines, so this is more a response to “everybody”, not specifically just to him. He writes:

…The underlying issue (imo) is that there isn’t a user demand. Users either don’t know or care, and it is therefore hard to get them to use a standalone hosted identity provider and pay for it.

…The technology is not the biggest bottleneck right now, it’s the naiveness of the user.

Pardon me, but this very much sounds like the old “our software is great, if it wasn’t for those darned users”. To which the equally old, and always-correct answer is: “No, the user is never the problem. As vendors, we either solve a problem for our users, in which case they pay us, or we don’t. If users don’t use our ’solution’, we either don’t solve an actual problem, or we don’t explain well enough how we solve the problem, or our solution is simply not good enough for the user.”

At this point, it is very clear that consumer identity providers do not solve a problem for users that is commensurate with paying money. (I would go further and say that the product category “consumer identity provider” is most likely never going to be able to get many users paying for it.)

To quote Pip Coburn: “People are only willing to change when the pain of their current situation outweighs the perceived pain of trying something new.” We are not there yet in identity land, even if we’d all like to be there.

I’ve finally gone ahead and released version 3.3 of the WordPress OpenID plugin. This release includes three major sets of changes. First, it drops support for older versions of WordPress… the minimum required version is now 2.8. Trying to maintain backwards compatibility requires a non-trivial amount of effort, and I’d rather spend that time working on new features. It also cleans up the code a fair bit, which I always like. It also drops support for two experimental OpenID extensions known as EAUT and IDIB. EAUT is effectively being replaced by WebFinger, and IDIB never got too much traction. Either could still be added pretty simply by another plugin if people still want them.

Second, this release features a new user interface for the integrating OpenID into the WordPress comment form. Instead of simply advertising OpenID support on the “Website” field, and always attempting OpenID authentication, the plugin now detects OpenID support for a URL, and gives the user the option to authenticate the comment. This provides a cleaner, less obtrusive interface that should work on most all themes. It also gives the user the option to not authentication that particular comment if they don’t want (particularly useful if you’re on a mobile device or in a hurry and don’t want to mess with OpenID). Feel free to try it out on this post if want. You really don’t even have to submit the comment to see it in action… just enter a valid OpenID URL for the website field, and move focus somewhere else (ie, click in the comment box like you’re going to type a comment). There is currently no option to revert to the old style of comment form integration, so hopefully folks will like this new UI. If you really don’t like it, you always have the option of turning off comment form integration and modifying your theme to your heart’s content.

Finally, this release includes a lot of minor bug fixes that people have been complaining about (sorry it took so long). I’m sure I didn’t get to all of them, so please let me know what I missed, and I’ll try to do more regular minor releases with these smaller fixes.

I’ll additionally note that working on WordPress plugins is no longer part of my day job, so I currently work on them rather sporadically as I have time. The changes in this release have been developed a few hours at a time over the last couple of months. I’ve been running trunk here on my site for quite some time and haven’t had problems, but you never know. Please use the DiSo issue tracker to report any new bugs, or to remind me of existing tickets that are still not fixed in this release.

Google, Yahoo!, and MySpace have launched support for the OpenID OAuth Hybrid Protocol, which combines OpenID authentication (sign in) with OAuth authorization (access control) into a single interface. Websites that accept OpenID can now let the hundreds of millions of users who already have either a MySpace, Google, or Yahoo! account sign in and enable two-way data sharing of their profile, contacts, and activities, without having to register a new site-specific account or to share their password.

Plaxo is one of the earliest adopters of OpenID, allowing their users to sign into Plaxo using an OpenID enabled account with just a couple mouse clicks. Instead of requiring first-time Plaxo users to manually verify their email address by sending a verification email, Plaxo uses OpenID Attribute Exchange to verify Yahoo! and GMail email addresses without forcing users to wait at their mailbox for the verification email to arrive. Building on their successful experience with OpenID, Plaxo is experimenting with the Hybrid Protocol: A portion of new users who sign up for Plaxo using either a GMail or Yahoo account can now sign into Plaxo with their OpenID and authorize two-way data sharing of their Contacts and Activities via the Hybrid Protocol. You can read more about how this works on the Plaxo blog.

“OpenID+OAuth hybrid onboarding is the state-of-the-art for connecting users and sites across the emerging Social Web,” says Joseph Smarr, CTO of Plaxo and Board Member of the OpenID Foundation. “Google, Yahoo!, and MySpace all have massive userbases and expertise in consumer-friendly design, along with a rich set of APIs. So this is a major milestone in making the Social Web more open and interoperable.”

Another trailblazer in the OpenID space is JanRain, whose RPX service powers the l
ogin and registration flows for their customers, including Qype and MySears. Using the OpenID protocol, users can sign into RPX-enabled websites with an account that they already have. Now that RPX supports the Hybrid Protocol, sites integrating with RPX can now let users sign in with one of their existing accounts and share their Profile. In addition, these sites can also receive massive referral traffic by syndicating their user activities back to their OpenID Provider to be viewed by their friends and contacts at Yahoo!, Google, or MySpace.

Not only are we making OpenID more powerful, we’ve been taking steps to make OpenID easier and less confusing to use. The traditional OpenID “redirect” user experience has been criticized for taking a user away from the site during the login process. The OpenID User Interface Working Group has been chartered to make OpenID more user friendly, and we’re glad to announce that Yahoo!, Google, and MySpace now support the Popup UI as defined in the OpenID User Interface Extension. Sites that want to preserve their context and keep the user on their site can open a small popup window to complete the OpenID authentication flow. In order to help prevent phishing, the User Interface extension requires that the popup be displayed in an independent browser window with the address bar clearly displayed.

OpenID gives users control over their data and makes it possible for sites to build a single interface that can reach virtually all potential users. Because OpenID is an interoperable open standard, sites that accept OpenID can reuse the same interface and code to accept identities from a wide variety of OpenID Providers, including Google, AOL, MySpace, and Yahoo!. This makes it possible for virtually anyone to sign in to a site using an account that they already have.

It’s been an exciting month for OpenID, with recent news about our involvement in the Open Government Initiative, and now with support for Hybrid and the Popup UI. Stay tuned for more exciting news as we continue to improve OpenID!

P.S. If you’d like to meet the folks working on OpenID, OAuth, and the Open Stack, please join us at the Internet Identity Workshop in Mountain View, CA this November.

Allen Tom
Architect, Yahoo! Membership
OIDF Community Board Member

We went to Yosemite this past weekend. In the past, we’ve seen deers, coyotes of course, an occasional rattle snake, a bobcat once, and every few years, a bear.

And this Sunday morning, in two encounters, a total of five bears, right from Tioga Road without even getting out of the car! Here are two of them. Of the five, three were youngsters and two adults.

Amazing.

Nico Popp, over at VeriSign, has an interesting post outlining how he thinks the US federal government will adopt OpenID:

… there is a clear view that the deployment of low level assurance identities is only a critical first step, not an end in itself. With the initial OpenID pilot, the administration is seeking to teach Internet users how to conveniently and confidently re-use their identities across multiple sites. Federation is a new behavior and as such, it requires training. Federal and State web sites will provide an important training ground of relying parties. … once consumers are comfortable using distributed identities, it becomes possible to alter the login experience by introducing stronger security and identity assurance. This is the ultimate end game since high assurance identity services are pre-conditions to new strategic initiatives.

He reports that there is broad understanding that identity management along the lines of OpenID is critical for many other initiatives, including health care:

To counter balance the $900B expense that the new Obama plan calls for, electronic health records must come to reality. However, eHealth requires access control across a large and complex ecosystem. Users must be able to register, login and access private data across physicians, hospital, pharmacies, labs, insurance, and employers Web sites.

And, I may add, it is clear that having separate usernames and passwords for each one of them is a non-starter. The fact that both Google and Microsoft are OpenID supporters and offer electronic health record-like software as a service could act as a very useful jolt to the health technology vendor cabal, too.

Interesting to see how this will shake out …

I don’t always agree with Umair Haque, a Harvard economist, though many of his ideas resonate with my own experience on the web. And I can imagine that much of his message comes across as rather radical to his audience, so I’ll cut him some slack if he has a tendency to wax revolutionary when he talks about the social web.

Still, I find his “Awesomeness Manifesto” actually useful, if only because it’s an argument against innovation as we commonly think of it.

His point echos a common refrain among many of the web’s independent progeny of late (consider Tim O’Reilly’s “work on stuff that matters” first principles, including the invocation to “create more value than you capture”, and 37 Signals’ recent rants on the “VC-induced cancer that’s infecting our industry and killing off the next generation“). As it happens, innovation for the sake of itself can really be rather damaging if we never arrive at a point of stability and equilibrium — enabling us to benefit from — or at least consider in a broader context — the advances we’ve made.

In other words, innovation at all costs is just that: at all costs.

To counter this myopic obsession with the superficially novel, Haque describes four pillars of awesomeness (which I won’t detail here — read his post):

• Ethical production.
• Insanely great stuff.
• Love.
• Thick value.

These are much more squishy, feminine qualities. These traits show up where diversity and balance are valued. But, contrary to Haque’s implicit suggestion, I don’t believe that we should just pendulum in this direction. Instead, like kneading bread or stirring a risotto (can you tell Brynn and I’ve been cooking lately?), I believe that we need to constantly pay attention to and work at this mix. It’s not one or the other — we’re post-zero sum economics even if our definitions of success haven’t caught up yet.

Haque closes thusly:

Let’s summarize. What is awesomeness? Awesomeness happens when thick — real, meaningful — value is created by people who love what they do, added to insanely great stuff, and multiplied by communities who are delighted and inspired because they are authentically better off. That’s a better kind of innovation, built for 21st century economics.

I’ve talked to many boardrooms about awesomeness. Beancounters feel challenged and threatened by it, because it feels fuzzy and imprecise. Yet, it’s anything but. Gen M knows “awesomeness” when we see it — that’s why its part of our vernacular. It’s a precise concept, with meaning, depth, and resonance.

What makes some stuff awesome and other stuff merely (yawn) innovative? I’ve outlined my answers, but they’re far from the best, or even the only ones — so add your own thoughts in the comments.

You might be innovative — but are you awesome? For most, the answer is: no. Game over: in the 21st century, if you’re merely innovative, prepare to be disrupted by awesomeness.

Does Haque’s manifesto resonate with you? If so, how? If not, why not?

Remember high-profile Grand Central Networks, which was one of the very few high-flying tech startups after the collapse of the dot-com bubble? (Not to be confused with what became Google Voice, they only reuse the domain name.)

Grand Central was founded by Halsey Minor, with the vision of electronically connecting companies and ASPs via standard protocols, so information could flow across companies along a supply chain, for example.

His envisioned architecture was modeled along the lines of a phone company: give everybody a simple plug to plug into, and do a lot of complicated routing and switching in a centralized manner as a service. Perhaps later connect to other phone companies.

That model failed, of course. Part of the reason may have been that the whole web services movement with all of its complexity and its associated high software prices took the vision sideways. He might simply have been too early in the market. And the phone company architecture may also have been the wrong one.

But I’m getting the impression that the identity community is attempting to do the same thing, whether we know it or not. Interestingly:

1. we started with identifying users and proving to other entities who they are. (The URL as globally unique identifier, and single-sign-on, via LID and OpenID)
2. then we added the movement of some related data (profile exchange, PAPE)
3. the ability to authorize others to access information (OAuth)
4. more complex related information (Portable Contacts)
5. now we are getting into moving larger amounts of data (artifact binding)

It’s a very gradual and slow process, but if we keep going down that path, where will we end up? I think it includes right where Halsey Minor wanted to be. And there is a chance that this approach will work: consumer/open internet-driven adoption works better for this, “free” works better, a decentralized/federated/multi-party approach works better as it aggregates a lot more business cases, a pluggable systems approach works better and so forth.

If it turns out to work, it will be at least 10 years after his vision, more likely 15.

Stuff for thought. Being the first in the market is for suckers.

In case you didn’t hear, OneWebDay is coming up next week on Tuesday, September 22.

The event is modeled after Earth Day and was started three years ago by Susan Crawford, a technology policy advisor to President Obama.

Mozilla is doing their part with their own poster/photo contestand a specific call to action:

1. Print and share an ‘I love the web poster’. Create a global wave that shows the web is a precious public resource.
2. Conduct an Internet Health Check. Find computers with Internet Explorer 6, and upgrade them to a more secure browser.
3. Donate to OneWebDay. Every time you donate, Mozilla will too.

I like the connection to Earth Day and the idea of highlighting the web as a “precious public resource“; it is true that if we don’t nurture and protect it, it could, for all we know, “go away” (whatever that might mean). And yes, in case you were wondering, that would be terrible.

Clearly many of us take the web for granted — and many more of us can barely remember a time before what is rapidly becoming a more people-centric web. Thus, I hope you’ll join me next Tuesday on OneWebDay to take a moment out to reflect on and celebrate this vast human-created wellspring of innovation, creativity, knowledge, and opportunity.

Ticka’s nose by Jimmy

Did you know that a beagle’s nose has 300 million receptor sites? Humans, in contrast, have about six million. And that changes everything in a dog’s perception of the world. It also explains why they sniff and snort as much as they do and have such a preoccupation with other dogs’ pee.

I discovered this and other fascinating doggie facts reading Cathleen Schine’s book review of Alexandra Horowitz’s “Inside of a Dog: What Dogs See, Smell, and Know“, published in the New York Times.

When Marshall Kirkpatrick called me today to discuss his upcoming ReadWrite Real-Time Web Summit and report, I used some of these tidbits to help explain the changes I see coming with the emergence of the real-time web.

Specifically, in the document-centric era of the web, humans largely adapted their behavior to fit the speed of the network, and chunked their thoughts into discreet, long-lived static blog posts and documents. But, as we’re seeing, Gutenberg’s reach into the web can only extend so far: the mores of physical media shall eventually give way to the seeping tendencies of data in the networked age.

If the speed of thinking — and the shape of our thoughts — have previously been confined to 93.5 square inches (the area of an eight and half by eleven sheet of paper), then our perception of reality must adjust to the scale of the web — to draw a comparison, as though we expanded our olfactory centers from 6 to 300 million.

Consider one consequence of “the mechanics of the canine snout”:

People have to exhale before we can inhale new air. Dogs do not. They breath in, then their nostrils quiver and pull the air deeper into the nose as well as out through side slits. Specialized photography reveals that the breeze generated by dog exhalation helps to pull more new scent in. In this way, dogs not only hold more scent in at once than we can, but also continuously refresh what they smell, without interruption, the way humans can keep “shifting their gaze to get another look.”

Imagine that we were able to interpret information at the scale and rapidity that dogs parse scent. That’s where we need to go.

To put this into perspective, consider how long it takes you to read one page of text; three minutes? Five? If we had the equivalent of a dog’s sense of smell for our ability to consume information, we’d be able to consume FIFTY pages of information in the same amount of time that it takes us to currently consume ONE. (For shits and giggles, if you printed the Internet, it would take up around 700 square miles of US letter-sized pages).

The dog’s nose, therefore, is perfectly adapted to consume vast quantities of information by scent. In order to cope with the real-time era of the web, we must imagine a similar augmentation of our own knowledge processing abilities if we’re to cope with the deluge.

In the real-time era, information is no longer restricted to an arbitrary number of words that fit on a page — let alone the kind of structures that were given to such proportions. Now, it is our capacity to consume and process information efficiently and effectively that limits us — partly explaining why we’re struggling to cope with all these “distractions”. Our brains are just doing what they were designed to do: process an intermittent flow of incomplete information and make rough cost-benefit calculations of possible decisions, while mitigating risk.

Lest we be overcome with information, we crave resolution and action. The crisis of the real-time web is how we confront an unending stream of undifferentiated information that all seems equally important and immediate, paralyzing us. In these cases, failing our own intrinsic resources, we look to surrogates (parents or other authority figures — celebrities suffice) to help us discard irrelevant information and get to the good stuff. We look to their reassurance to help us make a decision.

And this is why filters — natural, artificial, or social — will be so important in the real-time web.

As advanced as we think we are, our animal brains are just not adapted for this kind of environment. And we’re going to need help — as well as new thinking.

To reinforce this point, let’s return to our canine friends.

Contrary to what “dog whisperer” Cesar Millan claims, dogs are not pack animals — at least not in the way that wolves are. Schine writes:

[...] Countering the currently fashionable alpha dog “pack theories” of dog training, Horowitz notes that “in the wild, wolf packs consist almost entirely of related or mated animals. They are families, not groups of peers vying for the top spot. . . . Behaviors seen as ‘dominant’ or ’submissive’ are used not in a scramble for power; they are used to maintain social unity.”

The idea that a dog owner must become the dominant member by using jerks or harsh words or other kinds of punishment, she writes, “is farther from what we know of the reality of wolf packs and closer to the timeworn fiction of the animal kingdom with humans at the pinnacle, exerting dominion over the rest. Wolves seem to learn from each other not by punishing each other but by observing each other.”

So just as we must shake such ingrained, patriarchic theories in animal biology, we must also reconsider the models we have for thinking about, understand, and relate to information in the flow of activity streams.

Dogs are able to consume vast quantities of information by scent — and that means that their perception of reality is fundamentally different from ours. Will we ever know what it’s like to smell a rose with 50 times more receptors? No, probably not — nor is it clear that we’ll be able to augment our native cognitive abilities to consume information 50 times faster than we do today. And yet the real-time web relentlessly marches forth, promising a massive shift in both our access and ability to cope with such huge amounts of data.

Presuming that we keep the brains we have, this has huge ramifications for interaction and user experience design. We cannot simply apply document-based interfaces to this new, more rapid and fluid space. Instead, we need to take inspiration from the field of game design (Halo would suck if it operated at anything less than real-time); we need to think about how social search fits in and can augment our ability to filter information and make better decisions; we need to consider how one can effectively project intentions onto the web to receive better, faster, automatic service, as Doc Searls’ Project VRM proposes; we need to take advantage of the always-on human network, as Amazon’s Mechanical Turk and Q & A service Aardvark do; and we should embrace the natural and native speed that comes with a more conversational and people-centric web.

If this review got me to realize anything, it’s that we should be careful about applying familiar and comfortable rubrics to the nature of information flows on the real-time web. Our brains are powerful and incredibly plastic, but the quantities of information available on the real-time web may bring us to the limit of our current cognitive abilities. Our challenge as designers, developers, and innovators, is therefore either to modify the environment around us, or build new tools and methods that make will us 50 times more capable of confronting this emerging reality.

The ReadWrite Real-Time Web Summit announcement is live. I am working on this with them as the facilitator. The event is modeled on the format we use at the Internet Identity Workshop to get a lot done and have real discussions about emerging topics in industry.

ReadWriteWeb has offered high quality coverage of this area for a long time and they seem like a natural convener of real conversation. Of course Identity is key to this industry but so are many other things.

Learn more here

Register here.

Related posts:

1. IIW Monday is FREE & program announced
2. Internet Identity Workshop is announced May 1-3 in Mountainview
3. Why now with the Data Sharing Workshop/Summit?

Earlier today, Rob Dolin announced the launch of additional sources of activities for Windows Live users — including MySpace, Hulu, Skyrock, and SlideShare.

Writing on the Windows Live Services blog, he outlines the premise behind the Activity Streams effort (emphasis original):

With today’s latest partner integrations on Windows Live, we’ll have over fifty web activities that Windows Live customers can add into their Windows Live experience. (To learn more about all the Windows Live partners, check out our Windows Live Team blog). Nearly all of the web activities employ a polling model where a customer enters some basic information about their presence on a website and then Windows Live periodically polls an XML feed of the customer’s activity on that site. In the past, this feed has been in RSS 2.0 or Atom and then for each partner, we have a custom XSLT that maps the elements from the customer’s feed to the data attributes in Windows Live’s system.

Challenges with Web Activities

There are two big challenges with this basic polling model of RSS 2.0 or Atom:

1. We need to develop a custom mapping for each partner
2. Each partner needs to have only one activity type or they need a way to communicate what type of activity each RSS 2.0 <item> or Atom <entry> is.

The emerging Activity Streams open standard comes in to help solve both of these problems.

How Activity Streams Help

Activity Streams help to address both of the above issues. First, instead of having to do a custom mapping for practically every Web Activities partner, with an open standard like Activity Streams, we can build a single mapping that can be used by multiple partners.

Second, Activity Streams includes <activity:verb> and <activity:object-type> elements so we can identify that one is a status update and another is a blog entry. Thus, services that have multiple activity types (like MySpace) can have a single feed that includes photos, status, blogs, music, and more.

This maps directly to my motivation in starting this effort, back in June of 2008:

The basic premise is this: lifestreams, alternatively known as “activity streams”, are great for discovering and exploring social media, as well as keeping up to date with friends (witness the main feature of Facebook and the rise of FriendFeed). I suggest that, with a little effort on the publishing side, activity streams could become much more valuable by being easier for web services to consume, interpret and to provide better filtering and weighting of shared activities to make it easier for people to get access to relevant information from people that they care about, as it happens.

By marking up social activities and social objects, delivered in standard feeds [...], we enable anyone to run a FriendFeed-like service that innovates and offers value based on how well it understands what’s going on and what’s relevant, rather than on its compatibility with any and every service.

We’ve come a long way since then — and the acquisition of FriendFeed only helps to reinforce the timeliness of this work.

It’s also been incredibly gratifying to see people like Rob and Monica Keller devote so much energy (see MySpace’s activity streams docs) to helping this effort get off the ground. Maintaining the momentum of this project has been challenging at times — considering that Mart Atkins (author of the Activity Streams specs) has a full time job at Six Apart and David Recordon (my other cohort) just left there to go work at Facebook (where Jerry Cain has been key in getting Facebook to adopt activity streams).

Seeing large players adopt the activity streams format is good for the open web ecosystem. It’s good for individual choice and for enabling market-based mechanisms that encourage competition and good behavior. It enables the decentralization of reading and publishing, and provides individuals with a record of both what their friends are doing as well as what they themselves have done. And these things are all good for the development of the people-centric social web.

This post is a collaborative essay written by Jyri Engström and myself, edited by Brynn Evans and originally posted to the ArcticStartup blog on September 11, 2009. Thanks to Brad Fitzpatrick for his comments on the draft.

·   ·   ·

Around 2003, things began to change.

Technology was then the black sheep, having left overnight millionaires destitute and without change to afford their $4 lattes. Even the posers had left San Francisco and gone back to suburbia to be office managers at Walmart.

It was a sad time for everyone — that is, except the die-hards and the hackers. The web for them had never been about making money, but about reshaping culture and toppling the old order. 2003, therefore, was the perfect time for a resurgence: the people who kept pushing on in the Valley and elsewhere were a concentrated motley crew of innovators and builders. They cared about technology for technology’s sake and about developing and advancing web culture.

What they didn’t realize, however, was that the services and technologies that they were destined to build would need to be cobbled and sewn together using a system that would fight them every step of the way — not out of spite — but because of its architecture. By definition the network available was decidedly anti-human: in 2003, there was only the document-centric web.

The document-centric web

We’ll spare you the history lesson of the origin story of the internet, but suffice it to say, the web we have today is because a bunch of scientists, academics, and government folks needed a way to share static documents — not set up identities or have a dynamic conversation in public. The net was decidedly antisocial and anti-serendipity, from the beginning.

Keep that in mind when you consider what happened around 2003: masses of people started blogging, publicly. Services like Blogger and TypePad surged; LiveJournal and WordPress started to grow stubble and Drupal emerged from a college dorm. In the absence of innovation since the bubble burst, people started to realize that the web could be a place for personal expression and public conversation — and blogging became the “it” thing to do.

The problem was that tools were built around the document model of publishing. Many people maintained collections of blogs that they kept handy as bookmarks — and visited regularly, sometimes several times a day (depending on the prolificness of a given blogger). The more savvy audiences discovered desktop feed readers that fetched new content automatically. But conversation was fragmented and inconvenient: to comment, you had to visit the publisher’s blog and create a single-purpose account there; to post an original response, you had to have your own blog and know how to send a trackback to the post you were responding to.

The pace was slow and cumbersome, but most early bloggers didn’t mind. Their new medium was exciting, expansive, and controversial. And for the time, it fit the write-print/publish model many people had become familiar with thanks to Microsoft Word and other text editors — and which was in turn rewarded by Google’s link-based approach to search.

But two things were lacking in the first generation of Web 2.0 tools: personhood and aggregated conversation streams. The document-web hadn’t made room for people-friendly affordances like “faces,” and didn’t conform to our restless animal brain, which is well suited to working with a flow of short snippets of information.

Proprietary, real-time platforms

Enter: the real-time web. If 2003–2006 could be defined as the emergence of social media on infrastructure still dominated by the document-web, 2007 through the present will be defined as the transition to the “real-time” web, even if through a proprietary side-road.

We’ve had chat, SMS, and other forms of asynchronous (near) real-time data streams for some time. But, just as blogging did to email, every new generation is about pushing down the walls that cage one-to-one and one-to-few interactions, turning the same private publishing tools into many-to-many-to-many-more public publishing platforms. Emphasis on the noun: from tools to platforms.

The catch? This real-time web is not mature yet, since the platforms that sequester all of our activities today are proprietary ones like Facebook and Twitter. These are convenient, to be sure, but of limited utility to users with cross-site ambitions, who require interoperability.

While “brand-mediated” profiles and relationships may not seem completely odious on the surface, there are four major drawbacks to keep in mind:

• Tying one’s identity and communications to a single silo means relying on a single point of failure, degrading the overall reliability and stability of the system. (Remember the failwhale and efforts to keep Twitter from going offline during the Iran uprising, for example).
• Handing over management of one’s identity to a company means being dependent on their decisions and priorities. (Consider the 5,000 friend limit on Facebook; Twitter’s arbitrary suggested users list; and examples of users being ousted from various services for controversial reasons).
• A web built on top of a few proprietary platforms means less diversity and ultimately smaller scale than a web built on non-proprietary protocols and standards (consider how useful email, the web, and the internet itself became once open standards for interoperability were adopted, and the power of “small pieces loosely joined“).
• And finally, on an ethical and emotional level — it just doesn’t feel right.

Fortunately, there are a number of initiatives that are gaining in popularity and finding pockets of adoption throughout industry, leading us to a juncture, where in one direction is the status quo and in the other is what we call “the people-centric (real-time) web”.

The people-centric (real-time) web

If the document-centric web was dominated by static pages, then the people-centric web is about placing you at the center (as Time Magazine did famously in 2006). We’re seeing the rise of dynamic, portable friend lists and non-brand-mediated identities that can be used across a range of standards-compliant websites. People are beginning to move freely between silos. Individuals are increasingly able to bring their data with them and substitute one service or service provider with another, as one can switch between Outlook and Thunderbird for email, or Photoshop and Pixelmator for image editing on the desktop. Relevant information and friends’ activities are starting to come to users via distributed push publishing. (Thomas Vander Wal has called this the “come to me” web).

Let us briefly describe the key enablers of this emerging new phase:

Portable profiles means that instead of creating an account on each service you join, you can now host your identity in one place and bring your profile and friends with you to other sites as you surf the social web. Webfinger, OpenID, Portable Contacts, and OAuth all make this possible (and for bootstrapping profiles from the legacy document-web, we have Google’s Social Graph API).

Distributed push publishing means there is no longer a need to rely on proprietary platforms. The emerging standards here are PubSubHubbub (PuSH) and rssCloud (see comparisons on TheNextWeb and TechCrunch).

Synchronized conversation threads means that users can participate on the same conversation thread across multiple interfaces and services (we are still waiting for a standard, for which various geeks are actively devising a plan).

Much work remains to make cloud services fully interoperable, but the foundations are in place to turn the web into a truly people-centric place. This call to action goes out to developers, corporations, and individuals alike. Best of all, it’s not that hard to start supporting these efforts:

Let people use existing accounts to sign in and sign up for your service. First, the signup ritual offers the least amount of value to users so get it out of the way as fast as possible! Plus, it’s an automatic barrier to entry — you’ll see an increase in successful signups by reducing the friction in logging in up front (as Plaxo did). Second, unless it’s core to what you do, this will also save you the chore of managing profiles on your service. Third, people have so many profiles these days, they can’t keep track of them and they certainly don’t want to be creating yet another. Instead, figure out a way to subscribe to someone’s existing profile — and keep a reference of it up to date on your site.

Sharing information and activities from your site is how other people will discover you. Stickiness as a business practice was a byproduct of the document era of the web; on the people-centric web, portability is critical. Data, identities, relationships, and activities need to flow between sites in order to expose insights, spread knowledge, and engender meaningful social interactivity. This sounds complicated but is relatively straightforward. To begin, your site can make available atomic units of data, exported as streams of activity that indicate who acted in which way upon what object. It’s easier than it sounds and formats are available to support this modular approach (see: Activity Streams)

As a user, consider how much control and security you really want over your online identity. How do you feel about leasing an identity from a web brand? Unsure about the benefits of owning your own? Some providers (Google, Yahoo, Flickr, MySpace, AOL) let you use their accounts as OpenIDs — a great step towards portability, and beneficial to everyone. The catch with any leased identity is that your identity will be under the provider’s brand, profile constrained by their design decisions, and personal data subjected to their terms of service. As an alternative, acquiring your own domain and setting up your own profile with an independent is becoming much easier with free services like Chi.mp and hi.im. More innovation is needed in this area to make independent identities for people and organizations first class citizens on the social web, and their setup and management simpler, accessible, and secure!

What’s yet to come

It’s 2009, going on 2010. For the past three years, the web has been morphing into a real-time and people-centric place. We’ve seen this trend among individual users — through their actions and demands for better social experiences — but also increasingly among companies and developers. We want a web that’s more “like us” than the old model was. We want a web where people are as important to the architecture of the system as documents.

And with this new model come new opportunities for innovation and personalization. It is possible to build applications for participating in decentralized conversations around various ideas and trends. This presents a new opportunity for identity management apps, community sites, social dashboards, real-time search, messaging hubs… and even browser makers, hardware manufacturers, and ad networks. Mobile platforms are also growing, as people connect over non-desktop devices. These small handheld technologies further underscore the importance of portable identity, microcontent, decentralization, and (near) real-time delivery. A document-centric approach just doesn’t make sense in a mobile world, and with new ground being broken in fields like augmented reality, demand for increasingly rich social experiences powered by open standards instead of proprietary platforms will continue to grow.

But consider the future: the benefits of a people-centric model are still evolving and remain to be fully realized. It’s critical to not be complacent with the platforms we’ve grown so accustomed to. If you wear the developer’s hat, now’s the time to get on board, read the specs, and implement support for OpenID, Activity Streams, OAuth, PubSubHubbub/rssCloud, or the other mentioned open standards that are relevant to your users. If you are a user, don’t be afraid to be vocal and ask the services you love to show they love you back, by giving you the rights to your data and the tools to take it with you elsewhere. If you’re a business, realize that the distributed potential of the social web has barely been tapped, and that you have a choice between (as Robert Scoble calls it) gifting your branding power to someone else, or leveraging these standards to turn your own site from an island to a node in a network of social activity as wide as the web itself. In the end, the internet as a whole will be better off if we stay in control of our own destinies.

·   ·   ·

Jyri and I will be presenting a workshop on this material during our MindTrek pre-conference tutorial on September 30th in Helsinki. Early bird tickets are still available at a discounted rate; register today!

Also, don’t forget you can still register for MindTrek, the Nordic conference on social media (Oct. 1st–2nd) in Tampere, Finland.

This is cross posted on Fast Company.

The Obama administration open government memorandum called for transparency participation, collaboration and federal agencies have begun to embrace Web 2.0 technologies like blogs, surveys, social networks, and video casts. Today there are over 500 government Web sites and about 1/3 of them require a user name and password. Users need to be able to register and save information and preferences on government Web sites the same way they do today with their favorite consumer sites, but without revealing any personally identifiable information to the government.

Yesterday the United States Government in collaboration with industry announced a few pilot projects using emerging open identity technologies for citizens to use when interacting with government sites. I use the word interacting very deliberately because the government doesn’t want to know “who you are” and has gone great lengths to develop their implementations to prevent citizens from revealing personally identifiable information (name, date of birth etc).

How would you use this?–well imagine you are doing an in depth search on an NIH (National Institute of Health) Web site–and you went back to the site many times over several months. Wouldn’t it be great if the site could “know” it was you and help you resume your search where you left off the last time. Not your name and where you live but just that you were there before.

The Identity Spectrum helps us to understand how it all fits together.

Anonymous Identity is on one end of the identity spectrum–basically you use an account or identifier every time go to a Web site–no persistence, no way to connect the search you did last week with the one you did this week.

Pseudonymous Identity is where over time you use the same account or identifier over and over again at a site. It usually means you don’t reveal your common/real name or other information that would make you personally identifiable. You could use the same identifier at multiple sites thus creating a correlation between actions on one site and another.

Self-Asserted Identity is what is typical on the Web today. You are asked to share your name, date of birth, city of residence, mailing address etc. You fill in forms again and again. You can give “fake” information or true information about yourself–it is up to you.

Verified Identity is when there are claims about you that you have had verified by a third party. So for example if you are an employee of a company your employer could issue a claim that you were indeed an employee. You might have your bank verify for your address. etc.

The government pilot is focused on supporting citizens being able to have pseudonymous identities that function only at one Web site–the same citizen interacting with several different government Web sites needs to use a different identifier at each one so their activities across different government agencies do not have a correlation.

It is likely that some readers of this blog know about and understand typical OpenID. Almost all readers of this blog do have an openID whether they know it or not because almost all the major Web platforms/portals provide them to account holders–MySpace, Google, Yahoo!, AOL etc.

So how does this work with OpenID?

Typically when logging in with OpenID on the consumer Web you share your URL with the site you are logging into–they redirect you to where that is hosted on the Web–you authenticate (tell them your password for that account) and they re-direct you back to the site you were logging in. (see this slide show for a detailed flow of how this works). Using OpenID this way explicitly links your activities across multiple sites. For example when you use it to comment on a blog– it is known your words come from you and are connected to your own blog.

Using the OpenID with Directed identity–de-links your the identifiers used across different sites but still lets you use the same account to login to multiple sites.

When you go to login to a site you are asked to share not “your URL” but just the name of the site where your account is–Yahoo! or Google or MySpace etc. you are re-directed to that site and from within your account a “directed identity” is created–that is a unique ID just for that Web site. Thus you get the convenience of not having to manage multiple accounts with multiple passwords and you get to store preferences that might be shared across multiple ID’s but you don’t have identifiers that correlate–that are linked across the Web.

How does this work with Information Cards?

This is a complementary open standard to OpenID that has some sophisticated features that allow it to support verified identities along with pseudonymous & self asserted identities. It involves a client-side piece of software called a selector–which selector helps you manage your different identifiers using a card based metaphor, with each digital “card” representing a different one. Citizens can create their own cards OR get them from third parties that validate things about them.

The government is creating a privacy protecting “card profile” to be used in the pilot program. It is NOT issuing identities.

Trust Framework are needed to get it all to work together.

From the press release yesterday:

“It’s good to see government taking a leadership role in moving identity technology forward. It’s also good to see government working with experts from private sector and especially with the Information Card Foundation and the OpenID Foundation because identity is not a technical phenomenon–it’s a social phenomenon. And technological support for identity requires the participation of a broad community and of representatives of government who define the legal framework within which identity will operate,” said Bob Blakley, Vice President and Research Director, Identity and Privacy Strategies, Burton Group. “Today’s announcement supplies the most important missing ingredient of the open identity infrastructure, mainly the trust framework. Without a trust framework it’s impossible to know whether a received identity is reliable.”

The OpenID Foundation and Information Card Foundation wrote a joint white paper to describe how they are working on developing this. From the abstract:

[They] are working with the U.S. General Services Administration to create open trust frameworks for their respective communities.

These frameworks, based on the model developed by the InCommon federation for higher education institutions, will enable government Web sites to accept identity credentials from academic, non-profit, and commercial identity providers that meet government standards. These standards are critical as they represent the government’s resolution of the challenging and often competing issues of identity, security, and privacy assurance. Open trust frameworks not only pave the way for greater citizen involvement in government, but can enable even stronger security and privacy protections than those typically available offline.

These are all exciting developments but there is much more to do.

Looking (far) ahead there may be the opportunity to do selective disclosure–combining anonymity with verified identity.

How do these go together–you can take a verified identity claim say your birth date then using cryptography strip the specifics away and just have a claim that says you are “over 21″. Then using an anonymous identifier you have selectively disclosed your age without giving away your date of birth.

You could imagine this would be handy for citizens wanting to communicate their opinions to their member of congress without revealing their actual name and address – they could “prove” using a verified claim they live in the district but not reveal who they are. This aspect of what is possible with the technology is VERY forward looking and will take many years to get there. There is enormous potential to evolve the Web with this emerging identity layer.

I would like to invite all of you interested in being involved/learning more to attend the Internet Identity Workshop in Mountain View California November 3-5. I have been facilitating this event since its inception in 2005. It is truly amazing to see how far things have progressed from when we were 75 idealistic technologist talking about big ideas. at the Hillside Club in Berkeley. It is also some what daunting to think about how much farther we have to go.

Related posts:

1. Great Identity News
2. Yes there is Post-Post Modernism
3. Open Identity for Open Government Explained

Wow - it's been months since the last OpenSSO tab sweep. Anyway - here's a collection of the latest news from the world of OpenSSO:

• Sun Developer Network continues to publish excellent articles on OpenSSO. Last month, Rick Palkovic of SDN and Francois Lascelles of Layer 7 Techologies collaborated on Delegating XML Gateway Runtime Authorization to OpenSSO, showing how Layer 7's SecureSpan XML Networking Gateway integrates with OpenSSO to provide edge security for SOA, Web 2.0 and cloud-based web services.
• This month, Rick's written another article, this time with Qingwen Cheng and Mrudul Uchil of Sun's OpenSSO engineering team. Enabling IP/Resource/Environment Based Authentication With OpenSSO is a three-part series explaining how this functionality, new in OpenSSO Express Build 8, replaces the pre-existing Gateway servlet to provide a flexible mechanism for including contextual information in the authentication process.
• My colleague, Hubert Le Van Gong has been blogging profusely over the past few weeks on the topic of OpenID 2.0 and OpenSSO. As Hubert mentions, we recently rewrote the OpenSSO OpenID extension to support OpenID 2.0. Hubert's blog entries cover a number of topics specific to the rewrite, including deployment (with an important follow up) and realm/relying party validation. C'est la Vie is definitely a blog worth watching if you're interested in the OpenID/OpenSSO intersection.
• There have been a number of OpenSSO policy agent releases over the past few weeks, including agents for Apache 2.2 and IIS 7. The OpenSSO Policy Agents 3.0 Roadmap is the place to stay up to date.
• The replay of Daniel's OpenSSO webinar from last month, which, by the way, set an internal record for registrations, has been posted online. Click here to catch up.
• Outside Sun, 'Pairg' has released a WordPress plugin for OpenSSO authentication (thanks, Ramoonus, for the tip!). It looks to have much more functionality than the proof of concept code I released a little while ago, so, if you're into WordPress, I recommend you go take a look.

Now I can close a few Firefox tabs and relax. Have a good weekend, everyone!

Bob Blakley works for the Burton Group and has been involved in identity for some time. Writing about the recently launched Open Identity initiative with the US Government, he cited a reason why the announcement is big news, with which I strongly agree (from an American perspective, YMMV in other countries):

The second reason today’s announcement is a really big deal is that, after years of government attempts to create identities and assign them to citizens (via such bad ideas as the UK National ID scheme and the US REAL-ID act), a government has finally recognized that individuals already HAVE identities, and that it’s a better idea, for most purposes, to use these identities than to establish a new government bureaucracy to create new identities – especially if they’re identities people don’t want.

If this initiative succeeds, and I hope it does, it’s almost certain to be a much cheaper route to government consumption of reliable digital identities of citizens than something like REAL-ID would be. And it will preserve consumer choice at the same time as encouraging innovation in commercial identity technology.

Thomas Friedman of the NYTimes on Meet the Press today talking about several recent incidents including what happened to Van Jones.

When everyone has a cell phone, everyone is a photographer, when everyone has access to YouTube, everyone is a filmmaker, and when everyone is a blogger everyone is a newspaper.

When everyone is a photographer, a newspaper and a filmaker everyone else is a public figure. Tell your kids ok,  be careful every move they make is now a digital footprint. You are on candid camera and unfortunately the real message to young people from all these incidents… (he says holding his hands closely together) is really keep yourself tight – don’t say anything controversial, don’t think anything controversial, don’t put anything in print – you know what ever you do just kind of smooth out all the edges (he says moving his hands in a streamlining motion down) and maybe you too – you know when you get nominated to be ambassador to Burkina Faso will be able to get through the hearing.

What does this capacity to document “everything” digitally mean to free thinking, and free speech? It seems that is having a quelling effect.

I have written about the participatory panopticon several times, a term coined by Jamais Cascio.

* Participatory Panopticon strikes Michael Phelps

* We Live in Public – a movie

* “sousveillance” coming to NYC and Big Brother coming to NYC

* Participatory Panopticon tracking the CIA’s Torture Taxi

* Condi Caught by Emerging Participatory Panopticon

* Accelerating Change Highlights: 1 (Jon Udell)

The first time I spent a whole day with technologists working on the identity layer of the web in 2003 I asked publicly at the end of the day – how do we forgive in these new kinds of tools in place? How do we allow for people to change over time if “everything” is documented?

I hope we can have a dialogue about these kinds of issues via the blogosphere and also face to face at the 9th Internet Identity Workshop coming up in November.

Related posts:

1. Participatory Panopticon tracking the CIA’s Torture Taxi
2. Participatory Panopticon strikes Michael Phelps
3. Condi Caught by Emerging Participatory Panopticon

Yesterday the Government hosted a workshop in DC: Open Government Identity Management Solutions Privacy Workshop.

The OpenID Foundation and the Information Card Foundation are working with the U.S. General Services Administration to create open trust frameworks for their respective communities.

Drummond Reed and Don Tibeau announced their paper Open Trust Frameworks for Open Government.

Quiet and intense work has been going on since just before the last IIW on all this, so it is great to see it begin to see the light of day.

The OpenID Foundation had a wonderful new redesign that Chris Messina announced. This page really made me smile: Get an OpenID – Surprise! You may already have an OpenID.

Axel did a Wordle of it:

Related posts:

1. FastCo Post on Governemnt Experiments with Identity Technologies
2. Great Workshop
3. Open Identity for Open Government Explained

Today the United States Government with digital identity industry leaders announced the development of a pilot project with NIH and related agencies using two of the open identity technology standards OpenID and Information Cards.

This is, as a friend said to me, a “jump the shark moment” – these technologies are moving out from their technologists technology cave into mainstream adoption by government agencies. We are seeing the convergence of several trends transform the way citizens participate in and communicate with government:

• Top-down support for open government
• The proliferation of social media
• The availability of open identity technologies

The Obama administration open government memorandum called for transparency participation, collaboration and federal agencies have begun to embrace Web 2.0 technologies like blogs, surveys, social networks, and videocasts.

Today there are over 500 government websites and about 1/3 of them require a user name and password. Users need to be able to register and save information and preferences on government websites the same way they do today with their favorite consumer sites, but without revealing any personally identifiable information to the government.

The challenge is that supporting this kind of citizen interaction with government via the web means that identity needs to be solved. On the one hand you can’t just ask citizens to get a new user-name and password for all the websites across dozens of agencies that they log in to. On the other you also can’t have one universal ID that the government issues to you and works across all government sites. Citizens need a way to interact with their government pseudonymously & in the future in verified ways.

So how will these technologies work?

Those already familiar with OpenID know that typically when users login with it they give their own URL – www.openIDprovider.com/username. (see this slideshare of mine if you want to see OpenID 101) There is a little known part of the OpenID protocol called directed identity – that is a user gives the name of their identity provider – Yahoo!, Google, MSN etc – but not their specific identifier. The are re-directed to their IdP and in choosing to create a directed identity they get an identifier that is unique to the site they are logging into. It will be used by them again and again for that site but is not correlatable across different websites / government agencies. The good news is it is like having a different user-name across all these sites but since the user is using the same IdP with different identifiers (unlinked publicly) but connected to the same account they just have to remember one password.

Information Cards are the new kids on the identity block in a way – this is their first major “coming out party” – I am enthusiastic bout their potential. It requires a client-side tool called a selector that stores the user’s “digital cards”. Cards can be created by the end user OR third parties like an employer, financial institution, or school can also issue them.

In essence, this initiative will help transform government websites from basic “brochureware” into interactive resources, saving individuals time and increasing their direct involvement in governmental decision making. OpenID and Information Card technologies make such interactive access simple and safe. For example, in the coming months the NIH intends to use OpenID and Information Cards to support a number of services including customized library searches, access to training resources, registration for conferences, and use of medical research wikis, all with strong privacy protections.

Dr. Jack Jones, NIH CIO and Acting Director, CIT, notes, “As a world leader in science and research, NIH is pleased to participate in this next step for promoting collaboration among Assurance Level 1 applications. Initially, the NIH Single Sign-on service will accept credentials as part of an “Open For Testing” phase, with full production expected within the next several weeks. At that time, OpenID credentials will join those currently in use from InCommon, the higher education identity management federation, as external credentials trusted by NIH.” In digital identity systems, certification programs that enable a site — such as a government agency — to trust the identity, security, and privacy assurances from an identity provider are called trust frameworks. The OIDF and ICF have worked closely with the federal government to meet the security, privacy, and reliability requirements set forth by the ICAM Trust Framework Adoption Process (TFAP), published on the IDManagement.gov website. By adopting OpenID and Information Card technologies, government agencies can cost effectively serve their constituencies in a more personalized and user friendly way.

“It’s good to see government taking a leadership role in moving identity technology forward. It’s also good to see government working with experts from private sector and especially with the Information Card Foundation and the OpenID Foundation because identity is not a technical phenomenon — it’s a social phenomenon. And technological support for identity requires the participation of a broad community and of representatives of government who define the legal framework within which identity will operate,” said Bob Blakley, Vice President and Research Director, Identity and Privacy Strategies, Burton Group. “Today’s announcement supplies the most important missing ingredient of the open identity infrastructure, mainly the trust framework. Without a trust framework it’s impossible to know whether a received identity is reliable.”

Under the OIDF and ICF’s open trust frameworks, any organization that meets the technical and operational requirements of the framework will be able to apply for certification as an identity provider (IdP). These IdPs can then supply authentication credentials on behalf of their users. For some activities these credentials will enable the user to be completely anonymous; for others they may require personal information such as name, email address, age, gender, and so on. Open trust frameworks enable citizens to choose the identity technology, identity provider, and credential with which they are most comfortable, while enabling government websites to accept and trust these credentials. This approach leads to better innovation and lower costs for both government and citizens.

The government is looking to leverage industry based credentials that citizens already have to provide a scalable model for identity assurance across a broad range of citizen and business needs – doing this requires a trust framework to assess the trustworthiness of the electronic credentials; see Trust Framework Provider Adoption Process (TFPAP).   A Trust Framework Provider is an organization that defines or adopts an online identity trust model involving one or more identity schemes, has it approved by a government or community such as ICAM, and certifies identity providers as compliant with that model. The OIDF and ICF will jointly serve as a TFP operating an Open Trust Framework as defined in their joint white paper, Open Trust Frameworks for Open Government.

Both the OpenID and Information Card Foundation have been working very hard on this for many months – last night I was fortunate to their boards at a history first ever joint dinner.

There are two women in particular though who have driven this forward: Judith Spencer of the Federal Identity, Credential, and Access Management Committee on the government side and Mary Ruddy of Meristic Inc on the industry side. Both of them will be speaking about the project at the Gov 2.0 Summit on Thursday.

Personally this announcement shows how far things have come since I facilitated the first Internet Identity Workshop in 2005 with 75 idealistic identity technologies talking about big ideas for use-centric identity. I am really looking forward to discussing these developments at the forthcoming 9th Internet Identity Workshop in November.

Related posts:

1. Great Identity News
2. FastCo Post on Governemnt Experiments with Identity Technologies
3. Catalyst: Government Adoption of Federated Identity

At the Gov2.0 conference yesterday, US government announced Open identity for Open Government initiative.

PayPal is one of the participants that has joined the pilot programs for both OpenID and Information Card.

ReadWriteWeb provides a good explanation of the initiative here.

A good FAQ is available at ICF website here.

I consider this as another forcing function that provides an opportunity for several providers to work together. There is no dearth of opinions in the identity community . GSA, I believe has done a tremendous job in putting together the ICAM profiles for OpenID , Information Cards and the Trust framework .The profiles have allowed the providers to focus and converge on some of the important issues surrounding the technologies.

RE: OpenID
There has been some questions from the very start (and there is still no consensus) if the resting state should be lightweight, simple to use, distributed, low-value transactions. Or should it grow and evolve towards more security, trust, e-commerce and whatever comes with it.

If the answer is latter, then the ICAM profile is very appropriate. The mandatory use of SSL, directed Identity, support of white list, trust framework for certification, sensitvity towards PII etc. are all good steps for a robust identity framework geared towards value-transactions. One could argue that the trust frameworks would push it towards a centralized system but hopefully there will be several entities serving as trust framework providers.
Authentication is a critical function for any site and it’s understandable that a site (that has something to protect) wouldn’t outsource it without first establishing trust (implicit or explicit). This has been one of the sticky points in the community since establishing trust (via RP specific whitelist or third party providers) can potentially hinder adoption and innovation.

RE: Information Card
Even though a lot has been done in the past few years, a few issues still remain:

• Platform support for information card/selector is limited.
• The UI experience is too foreign and that’s get even more challenging due to the maturity level of current selectors.
• Mobility/portability of cards (and hence identity) is still unresolved.
• There are very limited “maintained” tool/libraries for relying parties to use.
• The issues around running a managed card provider (e.g. practices around issuing/renewing/revoking cards, cert/key expiry, advising user in an intelligent and non-intrusive way on what claims should (or not) be shared with the RP etc.) haven’t yet surfaced. Hopefully the pilot will make IdPs (that includes us) think harder on some of the production issues around running a card server.

Irrespective of how far the Open Identity initiative will go, it’s definitely a step in the right direction.

No Tags

Today’s news about major identity initiatives in the US Federal Government is indeed great news.

But it does make me think. Kick Willemse asked the key question on an OpenID mailing list:

How about a dutch (international) OP fullfilling all criteria?

What about one in Russia or China? Would the US government accept identities asserted by an entity outside of the country? What about Iran? Before the revolution?

What about a multi-national headquartered, in, say, New York? That serves some of its identities from a data center in Mexico? If it now moved headquarters to Bermuda, when then? What if it was acquired by a Chinese company with strong ties to the Chinese government?

Given that identities last much longer than the whims of foreign relations (or M&A activities), doesn’t this open up so many different cans of worms?

The only solutions to all these issues that I can think of are:

• either the individual is in charge of identity provider selection
• or the US government becomes its own identity provider, which in general is not an unreasonable position to take (think passports)

But neither of those is foreseen in the deployments that are planned. So I’m confused where exactly this might be going …