Planet OpenID

Johannes Ernst: Why We Really Don’t Need an “Identity Selector”

Fri, 06 Nov 2009 16:58:26 +0000

As of this week’s Internet Identity Workshop, I’m now rather convinced that an “identity selector” is the wrong product and the wrong feature set, regardless of the exact details of a particular vendor’s implementation. Several discussions in several contexts, including how to best make a browser identity-aware, all point to the same conclusion, regardless if the context is a card context or an identifier / OpenID context. Something had always been bothering me about the identity selector concept over all these years since I saw the first CardSpace demo, and now I know what it is.

To make my point, consider the interaction of a user with a site over some period of time:

Here, the user (necessarily) is anonymous at the site when visiting for the first time. As time progresses, the user may chose to register at the site (and log in at the same time), and then continue to have an active session for some time. This session later times out and the user returns to the site after the timeout. The user authenticates again, and later logs off intentionally, after which (one hopes) the user is anonymous again for the site.

The blue sections in the diagram show the times at which an “identity selector” is useful: upon initial registration, and then again upon re-authentication. However, compare these minuscule amounts of time with the time that the user and the site have a relationship with each other centered around the user’s identity. If it takes me 20 seconds to log in, for example, but I stay at the site for an hour with the authenticated session, the “identity selector” helps me with my identity at that site only for 0.5% percent of the time.

What about the other 99.5%?

We need functionality in the browser, or at least somewhere close to the user when using a web browser, that assists the user 100% of the time their digital identity is in the picture, not 0.5% of the time. By thinking of that product as an “identity selector”, we are excluding the other 99.5% and thus are getting the product exactly wrong.

The correct product is not a “selector”. It also must be:

An identity “de-selector”, with which the user can become anonymous again (or perhaps even remove all the information from the site which was conveyed during the “identity selection” phase). The much-desired “single sign out of the web” button should logically reside there.
An identity-aware session “visualizer”, which conveys to the user that there they have open sessions with which sites, which of the user’s identities are currently used with which site, which others they have used with which site in the past, whether the session is valid (as opposed to expired), what information about them they have shared with the site and perhaps how to log out.

This is particularly important if the user has multiple active sessions, perhaps with multiple identities, occurring in parallel, such as in multiple browser tabs — increasingly a fact of life for many internet users. Keeping track which sessions are still open, and which can be easily reactivated (e.g. by an OpenID checkid_immediate check) is cognitively impossible for many people (myself included) and computer support in the browser (not on the browser page) would be really useful. Throw in the use case of somebody briefly borrowing the computer to check their e-mail or Facebook account, while the primary user still has all their windows and session open, and perfect confusion ensues with a range of scary security and privacy issues around them.

So, what we need is not an “identity selector” for 0.5% of the time we use identity in the browser. What we need is a continually active, perhaps proactive assistant that helps us create and tear down sessions, watches our sessions, keeps track of the information that flows back and forth and helps us when we need it, 100% of the time.

Now I’m not a usability guy by any stretch of the imagination, but the following strawman picture popped into my head earlier today. It could live somewhere in the sidebar:

Each active session could have a separate section (rather like the Windows task bar). It would show the name of the site, whether or not the user was currently identified there, and the user’s current identifier (or card) there.

To log out, click the “x”. To log out everywhere, click the big button. To reactivate an expired session, click on the red light and it will turn green if re-authentication was successful. Clicking on the section could bring the tab / window to the front that belongs to the site, like in Windows or OSX. Right-click would show the information that has flown between user and site so far, perhaps with a time-based log. And so forth.

An alternate version could sort by identity first and then by site (as opposed to this figure, which is sorted by site and then by identifier). That might be useful, too.

But regardless of the details of this strawman screen shot, which you may or may not link, I think the idea of covering the entire lifecycle of the user’s identity-based relationship with a site would lead to a much more useful product than a mere “selector”. Many others at IIW seemed to think so, too, but I’ll let them speak for themselves if they feel inclined to.

Yes, we don’t have the protocols and conventions for all of this. But I don’t think they are hard either, so that should not be an excuse.

Let’s mull this a bit … at least one major browser manufacturer does not seem to be too disinclined to go in this direction… with a bit of squinting, today’s identity selectors could even be re-interpreted as version 1 of the more inclusive approach…

Johannes Ernst: Kim Cameron: OpenID is the Most Widely Adopted System for Reusable Internet Identity

Tue, 03 Nov 2009 22:13:20 +0000

The list of brand-name OpenID adopters speaks for itself, with — by some counts — now more than 1 billion functional OpenIDs on the open internet, but for the internet identity movement this quote from Kim Cameron, Microsoft’s Chief Identity Architect, is rather significant:

In the last year, OpenID has without doubt become the most widely adopted system for reusable internet identity. Adoption by destination sites continues to grow dramatically: approximately 50,000 sites as of July 1, 2009. The big Internet properties like Google, Yahoo, AOL, MySpace, and Windows Live have become (or are becoming) OpenID Providers. As a result, the vast majority of the online US population has an account that can be used to log in at the growing number of destination sites.

What a little URL could do …

Chris Messina: And the monopoly goes to…

Sat, 31 Oct 2009 17:10:00 +0000

I’m not a great fan of patents, not because I’m against innovation, but because I don’t believe the patent system (especially in the United States) has kept up with, or modernized, in a way that actually encourages the widest possible public benefit at the lowest cost in the least amount of time. In other words, what we’ve learned from open source is that different types of competitive pressures in transparent markets can do as much if not more than centrally conferred monopolies over a given idea, implementation, or design.

Furthermore, the process by which the rights of a patent are exercised is costly, damaging, and net-net ends up wasting, in my estimation, much more energy that could otherwise be put into more essential or meaningful pursuits. I mean, I know lawyers need to eat too, but the outcome of a successful patent prosecution usually inhibits technological advancement more than accelerates it. Put another way: when has there been a patent dispute in which someone was prohibited from infringing on someone else’s idea that lead to an increase in innovation (and no, rewriting kernel extensions and whatnot do not count)?

Now, it occurs to me that not all government-sanctioned monopolies are altogether bad. In fact, the benefits of the exclusive capitalization of an idea seem to provide an ample marketplace incentive for companies to invest heavily in research and development. That’s a good thing. However, the current patent system, which seems to award such monopolies to a vast number of ideas which are never actually built, I believe, contravenes the original intention of the patent system — which exchanged limited-time exclusivity for longer-term transparency into the architecture of an idea, for the benefit of the public.

With so many complex patents now being applied for and granted, I think this has lead to a marketplace distortion that now benefits those who know how to play, and thus game, the system. In order to address this situation, I think more uncertainty and scarcity need be introduced to shake things up.

One approach that I’ve been noodling on lately is the shift to something more like the Academy Awards, known for giving out the prestigious Oscars given out to professionals in the film industry. Now, I’m sure the Oscars can be equally gamed, but what I’m interested in is the scarcity, honor, and publicity that come with receiving one of these awards. In some ways, the Oscar is like a year-long monopoly on notoriety or fame (sort of, but not exactly). Still, the 24 awards that are given out represent the best in the industry, and bring with them distinction that is desired, it seems, by all who work in film.

If the patent system operated in a similar way — where it was just an honor to be nominated — and 24 exclusive patents were granted on a yearly basis to the ideas of greatest merit or potential human benefit, we might see some real competition and most of all, new entrants into the marketplace. I guess this is what the Nobel prizes are all about, but don’t bring with them a state-sanctioned monopoly to commercialize an idea. If the patent system were designed to publicly highlight and honor those few ideas of merit, provided a restriction on the length of monopoly to 1-3 years (instead of the current 20), involved a kind of voting process (perhaps more transparent than the Oscar’s?), and organized some kind of annual fete to celebrate the chosen inventions — who knows — maybe the patent system would provide a very different kind of incentive structure to create and to invent.

This idea of mine is of course far from perfect, but then again, so is our patent system.

Dick Hardt: Identity, Privacy and Facebook

Thu, 29 Oct 2009 20:06:21 +0000

Any conversation about identity leads to a conversation about privacy. Identity by its nature is a very personal topic, and people are concerned about who can see what about them. In the past, the high friction in moving information provided some privacy protection. Now, as more of our identity becomes digital and the friction in moving it around has dropped dramatically, the risk of privacy issues has subsequently increased.

Facebook is an iconic example of the intersection of identity and privacy. There are internal and external applications that enable the user to easily share an unprecedented variety of information about themselves., with the brand promise that the the user is able to control who can see what information about them.

Some of you may be familiar with the privacy problem I had with Facebook last spring. (no, I’m not going to provide a link to it, since I would prefer it just went away – so please don’t go looking for it!) Although there was a basis to start a legal action, I prefer solving problems rather than complain about them. I had a productive conversation with the team on Facebook, a company that takes privacy very seriously. I provided them with feedback on how to improve some of their processes, and they asked me to review their new Privacy Policy, which was just published today.

The new policy makes it more clear what will happen when, and directs the reader to where they can make adjustments if they prefer settings other then the defaults.

Kaliya Hamlin: Internet Identity Workshop Details + Regular Registration Ends Wednesday

Sun, 25 Oct 2009 02:20:42 +0000

This is cross posted on the IIW Blog

Regular Registration ENDS NEXT WEDNESDAY – October 28th at Midnight. Prices go up $100 after that.

The Internet Identity Workshop #9 Tuesday – Thursday, November 3-5 in Mountain View, CA Computer History Museum

Please blog/tweet about the conference. The hash tag is #iiw , our twitter handle is @idworkshop

Proposed Topics List is here. We all make the agenda together beginning at 1 on Tuesday and again on Wednesday and Thursday morning. If you want to know more about how to prepare for an unconference check out this piece called “unconferencing” by Kaliya Hamlin (@identitywoman) the facilitator of the workshop.

You can see the specific times of sessions.

Tuesday Morning Opening talks will cover: * The Identity Trust Framework activities – Drummond Reed and Don Thibeau * Data Portability releasing their EULA work * Action Cards – Phil Windley and Paul Trevithick * Discovery etc. – Eran Hammer-Lahav * Activity Strea.ms etc. – * A VRM update * We might cover activity happening in the healthcare sector * We are working on having Vivek Kundra the CIO of the US join us via skype – as yet this is unconfirmed.

They won’t cover – OpenID 101, Information Cards 101 or SAML 101 If you are unfamiliar with these topics we recommend reading these papers/watching these videos. There is a lot of information online covering these topics on the foundations/organizations respective websites.

OpenID – http://openid.net/ OpenID video about it – http://www.youtube.com/

Information Cards – http://informationcard.net/ Video – http://informationcard.net/watch-the-video

SAML – http://en.wikipedia.org/wiki/SecurityAssertionMarkup_Language Video – Ping Identity on SAML 101

All together now – the Venn of Identity The paper – by Drummond and Eve the update – The Zen of Venn

Demo Hour: We still have Demonstration slots available you must sign up ahead of time to Demo. It is Wednesday after lunch short 5min demos will be happening throughout the hour – throughout the room. Please e-mail Kaliya[at]mac.com to get a table and more information about how it will work.

Food: I forgot to ask if there were any special dietary requirements. Please let me know if you have any – this is what we have in store for you.

Tuesday – Burrito Bar, Tied House Wednesday – Indian, Italian Thursday – BBQ Boys

Thank you to our Sponsors:

Without their contributions this conference would not be possible. (we still have sponsorship opportunities available)

About the Notes Taking Procedures: In our effort to document the whole confernece and give all attendees access to all the happenings in sessions we have a notes taking procedure:

If you convene a session it is your responsibility to get a note taker for your session.

The note taker needs to use the NOTE TAKING FORM – found here in digital form (the paper version will be avaliable in each break out space too). When notes are complete, the note taking form must be e-mailed to iiwnotes@gmail.com OR transfered to a USB key at Documentation Center OR if paper notes are taken transcribed by the notes taker on computers provided in Documentation Center

We will also be collecting a more immediate list of results from each session on 11×17 sheets.

We are looking forward to seeing you next Tuesday!

let us know if you have any other questions,

-Kaliya, Phil and Doc

OpenID.net: Revised IPR Process Document Poll Notification

Thu, 15 Oct 2009 19:51:35 +0000

On October 7, 2009 the Board of Directors voted to revise the OIDF IPR
Process document. The revisions are primarily being made to help
streamline the formation of work groups. A vote of the full membership
is required to formally adopt the revised process. Voting will begin on November 6, 2009. Marked and clean versions of the revised process document are viewable here:

Clean

Marked

OpenID.net: OpenID Outreach and the Government Opportunity

Thu, 08 Oct 2009 22:55:35 +0000

Executive Directors Summary
Now that we’ve had time to observe the reactions and resulting coverage from the Open Identity for Open Government Initiative, I want to discuss what we’ve gained and where we are headed. Overall, the announcement, the foundations’ presence in Washington – at both The White House and the Gov 2.0 Summit, and the media outreach, was a big boost to OpenID adoption and the open identity community. For so long, the media and online influencers have taken a “looks promising but wait and see” approach to open identity technology. This announcement advanced the discussion.

The government’s effort underway is a pilot; a very deliberate beta test of OpenID technology with new integration and interoperability tasks etc. We don’t know when we will finish but we do know we will make mistakes and wrestle with usability and security issues.

We are at the beginning of a shakedown cruise on two tracks -the open source identity technologies and the open trust frameworks. Both are parts of the GSA ICAM schema and both on the agenda of the OpenID Foundation and Identity (IDF and ICF) boards to consider. Just as we begin technical testing with government pilots; we are also finalizing the certification or trust framework process a critical element in government adoption and seen by some industry leaders as applicable for high value commercial applications. The US government is still finalizing requirements for credible, independent and industry standards-based identity certification. Many international governments as well as US state and local governments are studying the US ICAM “schema” of technology protocols combined with industry self certification models. Identity provider certification or Open Trust Framework models have gained momentum after recent meetings with the Center for Democracy in Technology and feedback from various government agencies including the GSA ICAM leadership, NIST, NIH and the National Security Staff in the White House.

Given all the players involved it’s hard to say what will be completed when. The most valuable new dynamic is how many people and organizations are coalescing around a practical and far reaching solution set for the challenges of identity from a user perspective. This goes beyond the tired truisms that often characterize privacy versus security debates. There is today, a real hunger for real solutions in identity authentication. Whether you frame discussions as open government, open source or open identity; there are powerful political, public and commercial drivers at work involving identity on the web. New legal and policy discussions around open identity trust frameworks are a leading edge indication that practical solutions are in play and pragmatic (private and public sectors) organizations are involved

That being said, while the announcement resulted in approximately 30 stories, many of them were replays of the press release. I believe that speaks to two issues. The first is we announced a pilot. That means that once again, media can “wait” for the NIH implementation to go live and “see” what the results are. Second, this is a complicated story and requires more than a release to understand. The most comprehensive articles were the ones where the reporters were briefed in person. The joint briefings by me, Drummond Reed, and the evangelism from Chris Messina, David Recordon and Kaliya, paid off in outlets like Federal News Radio, Tech Target, ReadWriteWeb, Wired and Fast Company.

Community and Collaboration
The other major take away was how well the OpenID and Information Card foundations and community leaders worked together on the initiative. The level of enthusiasm, cooperation and collaboration allowed us to accomplish much in a short period of time with limited resources. The announcement and conference served as a rallying event for the community and industry. The government adoption of OpenID remained front and center in venues like the Tao of Attributes and the OASIS Meetings in Washington DC. See http://middleware.internet2.edu/tao-of-attributes/agenda.html and http://events.oasis-open.org/home/forum/2009

Emerging from these events is the term “OpenID” as a category catchall for the industry. This is most likely due to OpenID having strong recognition and society’s reliance on quick, sound bite, catchphrases, and the fact that OpenID has some very well-connected, well-recognized brands working on its behalf (Google, PayPal, etc) The industry, community and the two foundations will discuss how best to manage that moving forward at IIW, the OpenID Summit and boards meetings.

Outreach and Opportunity
Public relations, adoption and outreach, are processes not events. Open identity has gained momentum and is in a strong position to grow. Not only have we peaked interest with our pilot programs, but since the conference, there continues to be stories in the blogosphere, mainstream and tech media about the administration’s open government efforts.

I see several opportunities in front of us. The most obvious of course, is to continue to update the media on our progress: new pilots, new IdP’s, results from the NIH program etc. The other opportunity is a more proactive approach to communication. The open government story is in the news now. The foundations need to draft Op-Ed pieces and offer spokespeople from the community and companies to the media for commentary on the issues. We should continue to leverage our member company resources and our community talent pool as experts. We know the media finds this story to be complicated. Let’s continue to brief them so that the next time we make a big announcement, they are ready with background information and we are ready with an open source, user centric perspective.

Johannes Ernst: Too many messaging clients on my desktop

Thu, 08 Oct 2009 20:16:03 +0000

There is:

e-mail (Mail.app)
VoIP (Skype)
RSS (NetNewsWire, and Mail.app)
Twitter (Tweetie)
sometimes IM (iChat, others)
sometimes IRC (Colloquy)

That’s in addition to websites that also act as messaging clients, like Facebook,

I’m sorry, how many feeds am I supposed to monitor in how many pieces of software?

What about somebody develop a real nice piece of software that brings all of them (and whatever they invent next week) into a user experience that actually makes sense? An Über-multiprotocol messaging client that does all of this?

Johannes Ernst: Is OpenID Still User-Centric?

Tue, 06 Oct 2009 17:30:18 +0000

I’m beginning to have second thoughts.

Plenty of people (myself included) got involved in internet identity because of its promise to put all of us as individuals at the center of our interactions on-line. To empower individuals to define and offer and enforce their own terms in their interactions with others. To not merely be somebody’s user or consumer, but to be a first-class citizen of the net. To not be at the mercy of any government or organization.

And from a merry band of similar-minded individuals, the movement was born. The assumptions were:

Anybody could set up their “digital home” anywhere on the web at any URL of their choosing. The address of that home would be their LID or OpenID URL.
When visiting somebody else’s site, they would use that URL-to-home to create a relationship from your site to my site, from your on-line home to my on-line home. It wasn’t thought of single-sign-on, but the equivalent of leaving one’s card at someone else’s place with the invitation to visit and establish a relationship. Technologically similar, but very different in intent.
This relationship between your site and my site would enable two-directional information flow for a variety of interesting purposes that could be switched off by either participant at any time.

While OpenID, the technology, still can support all of this, the thrust of the thinking of many of its larger supporters today goes into a different direction:

There is a belief that URLs are too complicated to use by the average individual, which has encouraged what’s called the OpenID “NASCAR GUI“. However, because that GUI can only show a few icons, it clearly encourages me to use a big-company-provided identity instead of my own.
Directed identity and identifier select hides the identity URL and downplays the “let’s create a relationship by exchanging pointers to home” to the extent that few people new to OpenID can even comprehend they are getting mere single-sign-on, not relationships.
The primary focus of OpenID-based profile exchange is to convey the user’s e-mail address to the visited site (usually a vendor), so that vendors can send e-mail to the user. Note that because it is e-mail, the the user cannot turn it off. It didn’t have to be that way.
Certification has entered the picture. While many details are still unclear, all certification schemes that I’ve ever heard of require substantial effort and perhaps money to get certified. In all likelihood, that will make it all but impossible or impractical for individuals to play on a level playing field with mere users of large company’s products. This is particularly ironic when applied to the relationship between citizen and government, which suddenly will have to be mediated by substantial commercial entities. Among other things, they get to see which citizen interacts with which part of the government when and how often.

I know the argument that “if the user can see which attributes go over the wire, it’s user-centric.” Well, yes, perhaps, but in my view that’s user-centric in the same way a calorie-free chocolate cake is sweet. I ordered a real chocolate cake, though, please, where did it go?

Don’t get me wrong, there are good things about all of this, the most important of which is that the state of the art has driven substantially more adoption than it likely would have been in the less organized, decentralized, you-be-in-charge-of-your-own-destiny world.

But is the price of more adoption less user-centricity? Or is that just a phase we are going through?

I hope to discuss this and other big questions at the upcoming Internet Identity Workshop. Hope to see you there.

Drummond Reed: Bob Blakley Gets Privacy Right

Tue, 06 Oct 2009 05:10:04 +0000

I don’t know why — maybe it’s just the fall weather — but the privacy temperature is changing. We’re in a period of global warming towards privacy as a key component of Internet identity infrastructure. Part of it is my work at the Information Card Foundation on the Open Trust Framework (read this white paper if you haven’t seen it yet). I’ll be blogging more about that soon.

But another sign is this superb post by Bob Blakley on what’s at the heart of privacy and privacy protection. As one of the technologists that’s spent a decade working on technological solutions to privacy, I can’t endorse Bob’s conclusions strongly enough. It’s a social problem, one that technology can only help create the social cues and custodianship to help with.

But read Bob’s post to see how well he frames the problem and what technologists can and can’t do to help.

Johannes Ernst: We’re Saved Thanks to the ITU … Not!

Mon, 05 Oct 2009 20:04:02 +0000

ComputerWeekly reports somewhat breathlessly:

Multiple passwords to access computer networks and services may soon be a thing of the past.

ITU-T X.1250 provides the ability to enhance data exchange and trust in the identities used worldwide by users, network access devices and service providers using a certificate-based public key infrastructure (PKI) system. This is similar to how e-passports are verified.

I figured something was missing in identity land. I’m sure everybody’s immediately going to throw away OpenID, and information cards, and SAML, and what have you, now that the ITU has discovered PKI and solved the problem for us Clearly all of our work was always doomed to failure because we did not make it work the same way that e-passports work. (Or should I put the last “work” in quotes?)

Kaliya Hamlin: Identity Dispute on Twitter

Sat, 03 Oct 2009 02:47:57 +0000

From Slashdot

SpuriousLogic spotted this story on the BBC, from which he excerpts:

“The High Court has given permission for an injunction to be served via social-networking site Twitter. The order is to be served against an unknown Twitter user who anonymously posts to the site using the same name as a right-wing political blogger. The order demands the anonymous Twitter user reveal their identity and stop posing as Donal Blaney, who blogs at a site called Blaney’s Blarney. The order says the Twitter user is breaching the copyright of Mr. Blaney. He told BBC News that the content being posted to Twitter in his name was ‘mildly objectionable.’ Mr. Blaney turned to Twitter to serve the injunction rather than go through the potentially lengthy process of contacting Twitter headquarters in California and asking it to deal with the matter. UK law states that an injunction does not have to be served in person and can be delivered by several different means including fax or e-mail.”

Chris Messina: On brand consistency and BHAGs

Fri, 02 Oct 2009 16:37:03 +0000

Ryan Stewart — a platform evangelist for Adobe — wrote a post resentful of Google Wave’s hype — and lamented the lack of similar interest and enthuasism for rich internet applications (RIAs), writing that Adobe, just [doesn’t] seem to encourage the visionary demos, the ones that make people rethink how they’ll communicate and interact.

The resulting discussion was worth a read, especially comments by Brian Lesser. While one of the arguments was over whether Wave could be built with Adobe technologies, that’s the least interesting part of the conversation. As Ryan points out, people don’t get excited about standards — they get exited about vision.

And that’s where I think there’s something to be realized.

Google is a company that values big thinking and puts resources into big ideas — what I’ve heard referred to as “BHAGs“, or “big hairy audacious goals”. I mean, their mission statement is to index and make available all the world’s information. That kind of brand promise has benefits beyond just Google, and I think that sets them apart.

The promise of Google Wave is to transform how people communicate and collaborate — and Google can credibly take on a challenge like that, because they’ve done a pretty good job of doing transforming search, and then — almost accidently — maps (even though, again, you could argue that draggable maps could have been done in Flash at the same time, but you’d be missing the point).

What Google seems to do well is focus on some obvious and widespread problem that regular people have and apply a determined, quantitive approach to solving the problem. Wave is probably their most risky bet yet because of the complexity of their solution, but I think anyone who deals with a large amount of information — in real-time or asynchronously — has to admit that our current tools just aren’t cutting it. And it’s only going to get worse unless something better is created.

But the benefits of such a technological solution will be missed unless it rapidly achieves scale through widespread and ubiquitous adoption — which requires an open, royalty-free standards-based approach. Just read Hal Varian’s book on the subject, and you’ll realize that the reason that Google Wave is exciting is that it represents a multifaceted solution with a little something for everyone: the interface and user experience is controversial and novel providing designers a hook; the technology stack pleases and challenges open source hackers and the tech press equally; the collaboration and communication aspects excite businesses, managers, and any frustrated by email; and sceptics are held at bay by the cleverness of the economics of Google Wave — from the outset, Wave servers are designed to be run by other actors besides Google. That is, if you don’t want Google to own the space, you’ve now got to decide if you’re going to create a competing platform (and more importantly, “open standard”), or join the fray. Given Google Wave’s first-mover advantage, I think any competitor wishing to offer a competing open standard will be hard pressed to argue why they didn’t just “adopt the Wave Protocol”.

To put this argument another way, this is a product firing on all cylindars, and that’s what we’ve come to expect from Google.

If Adobe had launched Wave — the identical product that Google launched — I don’t think that anyone would take them seriously. As Scott Koon pointed out, Adobe is a toolmaker — they’re not known for big ideas that confront a basic human problem — least of all one related to information on the open web. Instead, Adobe tends to make graphics tools, and products that help organizations lock down information — not share it freely and openly. Wave is just a product that Adobe couldn’t make, because it’s not in Adobe’s DNA to tackle such problems.

It isn’t that Adobe doesn’t have its own BHAGs — it does — but I believe that history and behavior show that most Adobe products end up supporting existing control structures rather than breaking them down — same with Microsoft’s. Google’s products are inspirational because they enable us to imagine — and achieve — a different and perhaps freer tomorrow.

Chris Messina: Video of my talk: “Identity is the Platform”

Fri, 02 Oct 2009 07:12:59 +0000

I’ve posted the video that Brynn shot of my talk. Slides are available here.

Of course, it’s purely coincidental that I used Pownce to illustrate my story of the “death of a web app”, since it was relaunched yesterday at TypePad Motion — without any of the relationships that were lost when the service shut down.

Chris Messina: Identity is the platform

Thu, 01 Oct 2009 13:37:32 +0000

These are the slides from my talk at the Mindtrek conference in Tampere, Finland today.

I admit that there are some controversial things in this talk, but if I don’t say it, I don’t know who will. So, for the purpose of understanding this talk, it’s worth keeping in mind that I mean “OpenID” in a much more expansive way — not limited to the purview of the features of the protocol today, but as an effective, comprehensive competitor to Facebook Connect.

As well, I’m working out what I really mean by “Identity as the Platform”, but my five touchpoints are currently:

Me at the center
Smarter user agents
Dynamic personal expression
Universal user experience
Data is money

I’ll be posting a video of my talk later, which should I expand on what these elements actually mean, but I’m happy for feedback in the meanwhile!

Also, I’m embedding this slideshow using Scribd as Slideshare wasn’t able to convert my slides. Let me know what you think.

Scott Kveton: The Funniest Thing on the Internet

Tue, 29 Sep 2009 21:59:59 +0000

If you’re looking for the funniest thing on the Internet, move along. Just like you, I couldn’t find it either.

I used Google to try and find it. Guess what happened? I got a bunch of crap.

I don’t blame Google. I love Google. But not when I want to find something subjective like the “funniest thing on the Internet” or “the most awesome burrito in Portland” or “the best membership management software for a non-profit”. Nope. I’m using Twitter for that now.

Blah, blah, blah. This isn’t another one of those ra-ra-ra stories about Twitter. Twitter’s got issues. I’m pretty sure we all know that. But it works. In the immortal words of Biz Stone, its not about a business model, its about creating value.

* mostly instantaneous
* need lots of “followers” to work
* twitter now has “real” celebrities joining the club
* dave morin and garyvee are at $160k followers … err … 160k followers
viagra anxiety Can Viagra Causes Legs To Ache taking viagra woman?
cheap gerneric viagra Lowest Price Viagra generic viagra levitra and cialis pills
can i take viagra, Viagra Use viagra how it works;
herbal viagra forums Viagra From Canada snorting viagra health
viagra patent levitra Viagra Australia viagra anxiety
taking viagra woman? Viagra Ads cheap gerneric viagra
generic viagra levitra and cialis pills Viagra Uk can i take viagra,
viagra how it works; Purchase Viagra Online herbal viagra forums
snorting viagra health Buy Viagra Per Pill viagra patent levitra
viagra anxiety Edinburgh Uk News Viagra Site Search taking viagra woman?
cheap gerneric viagra Topic 3642 Viagra generic viagra levitra and cialis pills
can i take viagra, Viagra Stories viagra how it works;
herbal viagra forums Viagra Viva snorting viagra health
viagra patent levitra Funny Picture Viagra viagra anxiety
taking viagra woman? Serotonin Viagra Sale cheap gerneric viagra
generic viagra levitra and cialis pills Womans Viagra can i take viagra,
viagra how it works; Cialis Versus Viagra herbal viagra forums
snorting viagra health Viagra Rrp Australia viagra patent levitra
viagra anxiety Acheter Du Viagra taking viagra woman?
cheap gerneric viagra Viagra Prescription generic viagra levitra and cialis pills
can i take viagra, Viagra Liver Damage viagra how it works;
herbal viagra forums Viagra Sideffects snorting viagra health
viagra patent levitra Mexico Viagra viagra anxiety
taking viagra woman? Will Viagra Make You Larger cheap gerneric viagra
generic viagra levitra and cialis pills What Does Viagra Do To Females can i take viagra,
viagra how it works; Levitra Vs Viagra herbal viagra forums
snorting viagra health User Reports On Super Viagra viagra patent levitra
viagra anxiety Viagra Over The Counter taking viagra woman?
cheap gerneric viagra Generic Viagra Overnight generic viagra levitra and cialis pills
can i take viagra, Pharmacy Viagra viagra how it works;
herbal viagra forums Viagra Contraindications snorting viagra health
viagra patent levitra Viagra Commercial Canyon Filmed viagra anxiety
taking viagra woman? Purchase Viagra cheap gerneric viagra
generic viagra levitra and cialis pills Viagra Cost can i take viagra,
viagra how it works; Viagra And Alcohol herbal viagra forums
snorting viagra health Mexican Viagra viagra patent levitra
viagra anxiety Viagra Overdose taking viagra woman?
cheap gerneric viagra Where To Buy Viagra generic viagra levitra and cialis pills
can i take viagra, Long Term Side Effects Of Viagra viagra how it works;
herbal viagra forums Get Viagra Drug Online snorting viagra health
viagra patent levitra Death By Viagra viagra anxiety
taking viagra woman? Buying Viagra Online In Britain cheap gerneric viagra
generic viagra levitra and cialis pills Mature Viagra can i take viagra,

Will Norris: OpenID and WordPress Core

Tue, 29 Sep 2009 20:17:19 +0000

This was actually a comment I left on my last post about the v3.3 release of the OpenID plugin. It is a topic that comes up relatively often, and one in which most people are surprised when they hear my stance on it. It’s worthy of a separate discussion for those that are interested, so I’ve pulled it out into a separate post.

I’ve talked with core team about this numerous times… in fact, I spoke at WordCamp Portland and Seattle these last two weeks and talked with Matt about it. For the most part, I actually agree with him that OpenID doesn’t necessarily belong in core, at least not yet.

There’s a lot of thought being given to how WordPress can serve as your “digital hub” on the web. Right now, Automattic is playing in that space in the form of BuddyPress. Now right now, BP allows you to create another social network silo. BP installations don’t talk to each other, and there’s no way to use your account on one BP network to login to a different BP network. I talked with Mark Jaquith this weekend about my desire to see this outward facing functionality. For that, I think OpenID becomes painfully obvious.

I would also like to see this OpenID plugin deployed on WordPress.com to replace the existing plugin. Currently, all WP.com blogs are OpenIDs, but you can’t login or leave comments using an external OpenID. And currently, almost no one uses the existing OpenID provider. Of course, I would argue that this is because they haven’t done a good job of promoting it or adding any new features like SReg or AX. Using my OpenID plugin would greatly enhance the OpenID provider functionality on WP.com, and it would allow people to use OpenID when leaving comments. Some of the changes that are included in 3.3 are actually steps toward cleaning up the plugin so that it is more suitable for deploying on WordPress.com. There’s still more work to be done on this front, but it’s something I intend to continue pursuing.

As for inclusion in WordPress core, I just don’t think we’re there yet. The OpenID plugin is pretty popular, but it is far from having the critical mass that would justify inclusion in core. I am a firm believer that WordPress should by no means try and include every cool feature under the sun in core. It would quickly grow out of control. I do believe, however, that the appropriate hooks should be provided in core to allow any cool feature under the sun to be added as a plugin. The core dev team agrees with me on this, and they’ve been very good about making whatever changes were necessary to allow plugins to provide that functionality. In fact, I overhauled how the authentication system is extended in WordPress 2.8 simply to make things like OpenID and OAuth much easier to implement.

A few other things I’d want to see fixed before considering inclusion in core… the OpenID plugin weighs in at what? almost 900K? Remove the screenshots and readme.txt and you’ve got 700K left. Over 500K of that is the JanRain OpenID library. So size is an issue. Also, the biggest problem that people have with getting the plugin to work is related to their environment. WordPress is known for having a very minimal set of requirements to get it running. I’d really want to track down and fix a lot of these weird environment issues that continue to plague the plugin. Finally, we need a really solid UI, both comment form integration and the admin side. I’m pretty happy with the new comment form integration, but the current admin screens need work. More than anything, there is just a lot of functionality in the plugin and it’s hard to boil it down. Especially when you consider both the OpenID consumer and provider options, both site-wide and per-user.

Johannes Ernst: The “Lack Of User Demand” for Internet Identity

Mon, 28 Sep 2009 22:01:19 +0000

Alexander van Elsas left a comment on my post “On Identity Business Models or Lack Thereof” that I feel I have to respond to. It is not the first time I have heard a comment along these lines, so this is more a response to “everybody”, not specifically just to him. He writes:

…The underlying issue (imo) is that there isn’t a user demand. Users either don’t know or care, and it is therefore hard to get them to use a standalone hosted identity provider and pay for it.

…The technology is not the biggest bottleneck right now, it’s the naiveness of the user.

Pardon me, but this very much sounds like the old “our software is great, if it wasn’t for those darned users”. To which the equally old, and always-correct answer is: “No, the user is never the problem. As vendors, we either solve a problem for our users, in which case they pay us, or we don’t. If users don’t use our ’solution’, we either don’t solve an actual problem, or we don’t explain well enough how we solve the problem, or our solution is simply not good enough for the user.”

At this point, it is very clear that consumer identity providers do not solve a problem for users that is commensurate with paying money. (I would go further and say that the product category “consumer identity provider” is most likely never going to be able to get many users paying for it.)

To quote Pip Coburn: “People are only willing to change when the pain of their current situation outweighs the perceived pain of trying something new.” We are not there yet in identity land, even if we’d all like to be there.

Will Norris: WordPress OpenID v3.3

Mon, 28 Sep 2009 20:04:15 +0000

I’ve finally gone ahead and released version 3.3 of the WordPress OpenID plugin. This release includes three major sets of changes. First, it drops support for older versions of WordPress… the minimum required version is now 2.8. Trying to maintain backwards compatibility requires a non-trivial amount of effort, and I’d rather spend that time working on new features. It also cleans up the code a fair bit, which I always like. It also drops support for two experimental OpenID extensions known as EAUT and IDIB. EAUT is effectively being replaced by WebFinger, and IDIB never got too much traction. Either could still be added pretty simply by another plugin if people still want them.

Second, this release features a new user interface for the integrating OpenID into the WordPress comment form. Instead of simply advertising OpenID support on the “Website” field, and always attempting OpenID authentication, the plugin now detects OpenID support for a URL, and gives the user the option to authenticate the comment. This provides a cleaner, less obtrusive interface that should work on most all themes. It also gives the user the option to not authentication that particular comment if they don’t want (particularly useful if you’re on a mobile device or in a hurry and don’t want to mess with OpenID). Feel free to try it out on this post if want. You really don’t even have to submit the comment to see it in action… just enter a valid OpenID URL for the website field, and move focus somewhere else (ie, click in the comment box like you’re going to type a comment). There is currently no option to revert to the old style of comment form integration, so hopefully folks will like this new UI. If you really don’t like it, you always have the option of turning off comment form integration and modifying your theme to your heart’s content.

Finally, this release includes a lot of minor bug fixes that people have been complaining about (sorry it took so long). I’m sure I didn’t get to all of them, so please let me know what I missed, and I’ll try to do more regular minor releases with these smaller fixes.

I’ll additionally note that working on WordPress plugins is no longer part of my day job, so I currently work on them rather sporadically as I have time. The changes in this release have been developed a few hours at a time over the last couple of months. I’ve been running trunk here on my site for quite some time and haven’t had problems, but you never know. Please use the DiSo issue tracker to report any new bugs, or to remind me of existing tickets that are still not fixed in this release.

Simon Willison: OpenID: Now more powerful and easier to use!

Fri, 25 Sep 2009 21:08:21 +0000

OpenID: Now more powerful and easier to use!. The OpenID+OAuth hybrid protocol (where a user can sign in with OpenID and grant an application access to their OAuth protected resources such as a contact list at the same time) is now supported by Google, Yahoo! and MySpace—this feels like OpenID finally coming of age.

OpenID.net: OpenID: Now more powerful and easier to use!

Fri, 25 Sep 2009 18:51:46 +0000

Google, Yahoo!, and MySpace have launched support for the OpenID OAuth Hybrid Protocol, which combines OpenID authentication (sign in) with OAuth authorization (access control) into a single interface. Websites that accept OpenID can now let the hundreds of millions of users who already have either a MySpace, Google, or Yahoo! account sign in and enable two-way data sharing of their profile, contacts, and activities, without having to register a new site-specific account or to share their password.

Plaxo is one of the earliest adopters of OpenID, allowing their users to sign into Plaxo using an OpenID enabled account with just a couple mouse clicks. Instead of requiring first-time Plaxo users to manually verify their email address by sending a verification email, Plaxo uses OpenID Attribute Exchange to verify Yahoo! and GMail email addresses without forcing users to wait at their mailbox for the verification email to arrive. Building on their successful experience with OpenID, Plaxo is experimenting with the Hybrid Protocol: A portion of new users who sign up for Plaxo using either a GMail or Yahoo account can now sign into Plaxo with their OpenID and authorize two-way data sharing of their Contacts and Activities via the Hybrid Protocol. You can read more about how this works on the Plaxo blog.

“OpenID+OAuth hybrid onboarding is the state-of-the-art for connecting users and sites across the emerging Social Web,” says Joseph Smarr, CTO of Plaxo and Board Member of the OpenID Foundation. “Google, Yahoo!, and MySpace all have massive userbases and expertise in consumer-friendly design, along with a rich set of APIs. So this is a major milestone in making the Social Web more open and interoperable.”

Another trailblazer in the OpenID space is JanRain, whose RPX service powers the l
ogin and registration flows for their customers, including Qype and MySears. Using the OpenID protocol, users can sign into RPX-enabled websites with an account that they already have. Now that RPX supports the Hybrid Protocol, sites integrating with RPX can now let users sign in with one of their existing accounts and share their Profile. In addition, these sites can also receive massive referral traffic by syndicating their user activities back to their OpenID Provider to be viewed by their friends and contacts at Yahoo!, Google, or MySpace.

Not only are we making OpenID more powerful, we’ve been taking steps to make OpenID easier and less confusing to use. The traditional OpenID “redirect” user experience has been criticized for taking a user away from the site during the login process. The OpenID User Interface Working Group has been chartered to make OpenID more user friendly, and we’re glad to announce that Yahoo!, Google, and MySpace now support the Popup UI as defined in the OpenID User Interface Extension. Sites that want to preserve their context and keep the user on their site can open a small popup window to complete the OpenID authentication flow. In order to help prevent phishing, the User Interface extension requires that the popup be displayed in an independent browser window with the address bar clearly displayed.

OpenID gives users control over their data and makes it possible for sites to build a single interface that can reach virtually all potential users. Because OpenID is an interoperable open standard, sites that accept OpenID can reuse the same interface and code to accept identities from a wide variety of OpenID Providers, including Google, AOL, MySpace, and Yahoo!. This makes it possible for virtually anyone to sign in to a site using an account that they already have.

It’s been an exciting month for OpenID, with recent news about our involvement in the Open Government Initiative, and now with support for Hybrid and the Popup UI. Stay tuned for more exciting news as we continue to improve OpenID!

P.S. If you’d like to meet the folks working on OpenID, OAuth, and the Open Stack, please join us at the Internet Identity Workshop in Mountain View, CA this November.

Allen Tom
Architect, Yahoo! Membership
OIDF Community Board Member

Johannes Ernst: Five Bears in One Day!

Wed, 23 Sep 2009 21:04:24 +0000

We went to Yosemite this past weekend. In the past, we’ve seen deers, coyotes of course, an occasional rattle snake, a bobcat once, and every few years, a bear.

And this Sunday morning, in two encounters, a total of five bears, right from Tioga Road without even getting out of the car! Here are two of them. Of the five, three were youngsters and two adults.

Amazing.

Johannes Ernst: Nico Popp Outlines Government OpenID Adoption

Wed, 23 Sep 2009 18:42:05 +0000

Nico Popp, over at VeriSign, has an interesting post outlining how he thinks the US federal government will adopt OpenID:

… there is a clear view that the deployment of low level assurance identities is only a critical first step, not an end in itself. With the initial OpenID pilot, the administration is seeking to teach Internet users how to conveniently and confidently re-use their identities across multiple sites. Federation is a new behavior and as such, it requires training. Federal and State web sites will provide an important training ground of relying parties. … once consumers are comfortable using distributed identities, it becomes possible to alter the login experience by introducing stronger security and identity assurance. This is the ultimate end game since high assurance identity services are pre-conditions to new strategic initiatives.

He reports that there is broad understanding that identity management along the lines of OpenID is critical for many other initiatives, including health care:

To counter balance the $900B expense that the new Obama plan calls for, electronic health records must come to reality. However, eHealth requires access control across a large and complex ecosystem. Users must be able to register, login and access private data across physicians, hospital, pharmacies, labs, insurance, and employers Web sites.

And, I may add, it is clear that having separate usernames and passwords for each one of them is a non-starter. The fact that both Google and Microsoft are OpenID supporters and offer electronic health record-like software as a service could act as a very useful jolt to the health technology vendor cabal, too.

Interesting to see how this will shake out …

Chris Messina: Umair Haque’s Awesomeness Manifesto

Mon, 21 Sep 2009 19:35:55 +0000

I don’t always agree with Umair Haque, a Harvard economist, though many of his ideas resonate with my own experience on the web. And I can imagine that much of his message comes across as rather radical to his audience, so I’ll cut him some slack if he has a tendency to wax revolutionary when he talks about the social web.

Still, I find his “Awesomeness Manifesto” actually useful, if only because it’s an argument against innovation as we commonly think of it.

His point echos a common refrain among many of the web’s independent progeny of late (consider Tim O’Reilly’s “work on stuff that matters” first principles, including the invocation to “create more value than you capture”, and 37 Signals’ recent rants on the “VC-induced cancer that’s infecting our industry and killing off the next generation“). As it happens, innovation for the sake of itself can really be rather damaging if we never arrive at a point of stability and equilibrium — enabling us to benefit from — or at least consider in a broader context — the advances we’ve made.

In other words, innovation at all costs is just that: at all costs.

To counter this myopic obsession with the superficially novel, Haque describes four pillars of awesomeness (which I won’t detail here — read his post):

Ethical production.
Insanely great stuff.
Love.
Thick value.

These are much more squishy, feminine qualities. These traits show up where diversity and balance are valued. But, contrary to Haque’s implicit suggestion, I don’t believe that we should just pendulum in this direction. Instead, like kneading bread or stirring a risotto (can you tell Brynn and I’ve been cooking lately?), I believe that we need to constantly pay attention to and work at this mix. It’s not one or the other — we’re post-zero sum economics even if our definitions of success haven’t caught up yet.

Haque closes thusly:

Let’s summarize. What is awesomeness? Awesomeness happens when thick — real, meaningful — value is created by people who love what they do, added to insanely great stuff, and multiplied by communities who are delighted and inspired because they are authentically better off. That’s a better kind of innovation, built for 21st century economics.

I’ve talked to many boardrooms about awesomeness. Beancounters feel challenged and threatened by it, because it feels fuzzy and imprecise. Yet, it’s anything but. Gen M knows “awesomeness” when we see it — that’s why its part of our vernacular. It’s a precise concept, with meaning, depth, and resonance.

What makes some stuff awesome and other stuff merely (yawn) innovative? I’ve outlined my answers, but they’re far from the best, or even the only ones — so add your own thoughts in the comments.

You might be innovative — but are you awesome? For most, the answer is: no. Game over: in the 21st century, if you’re merely innovative, prepare to be disrupted by awesomeness.

Does Haque’s manifesto resonate with you? If so, how? If not, why not?

Johannes Ernst: Is OpenID/Open Stack What Grand Central Tried to Do?

Fri, 18 Sep 2009 16:28:53 +0000

Remember high-profile Grand Central Networks, which was one of the very few high-flying tech startups after the collapse of the dot-com bubble? (Not to be confused with what became Google Voice, they only reuse the domain name.)

Grand Central was founded by Halsey Minor, with the vision of electronically connecting companies and ASPs via standard protocols, so information could flow across companies along a supply chain, for example.

His envisioned architecture was modeled along the lines of a phone company: give everybody a simple plug to plug into, and do a lot of complicated routing and switching in a centralized manner as a service. Perhaps later connect to other phone companies.

That model failed, of course. Part of the reason may have been that the whole web services movement with all of its complexity and its associated high software prices took the vision sideways. He might simply have been too early in the market. And the phone company architecture may also have been the wrong one.

But I’m getting the impression that the identity community is attempting to do the same thing, whether we know it or not. Interestingly:

we started with identifying users and proving to other entities who they are. (The URL as globally unique identifier, and single-sign-on, via LID and OpenID)
then we added the movement of some related data (profile exchange, PAPE)
the ability to authorize others to access information (OAuth)
more complex related information (Portable Contacts)
now we are getting into moving larger amounts of data (artifact binding)

It’s a very gradual and slow process, but if we keep going down that path, where will we end up? I think it includes right where Halsey Minor wanted to be. And there is a chance that this approach will work: consumer/open internet-driven adoption works better for this, “free” works better, a decentralized/federated/multi-party approach works better as it aggregates a lot more business cases, a pluggable systems approach works better and so forth.

If it turns out to work, it will be at least 10 years after his vision, more likely 15.

Stuff for thought. Being the first in the market is for suckers.

Chris Messina: Celebrate the open web on OneWebDay!

Thu, 17 Sep 2009 21:24:11 +0000

In case you didn’t hear, OneWebDay is coming up next week on Tuesday, September 22.

The event is modeled after Earth Day and was started three years ago by Susan Crawford, a technology policy advisor to President Obama.

Mozilla is doing their part with their own poster/photo contestand a specific call to action:

Print and share an ‘I love the web poster’. Create a global wave that shows the web is a precious public resource.
Conduct an Internet Health Check. Find computers with Internet Explorer 6, and upgrade them to a more secure browser.
Donate to OneWebDay. Every time you donate, Mozilla will too.

I like the connection to Earth Day and the idea of highlighting the web as a “precious public resource“; it is true that if we don’t nurture and protect it, it could, for all we know, “go away” (whatever that might mean). And yes, in case you were wondering, that would be terrible.

Clearly many of us take the web for granted — and many more of us can barely remember a time before what is rapidly becoming a more people-centric web. Thus, I hope you’ll join me next Tuesday on OneWebDay to take a moment out to reflect on and celebrate this vast human-created wellspring of innovation, creativity, knowledge, and opportunity.

Chris Messina: What can dogs tell us about the real-time web?

Thu, 17 Sep 2009 03:56:31 +0000

Ticka’s nose by Jimmy

Did you know that a beagle’s nose has 300 million receptor sites? Humans, in contrast, have about six million. And that changes everything in a dog’s perception of the world. It also explains why they sniff and snort as much as they do and have such a preoccupation with other dogs’ pee.

I discovered this and other fascinating doggie facts reading Cathleen Schine’s book review of Alexandra Horowitz’s “Inside of a Dog: What Dogs See, Smell, and Know“, published in the New York Times.

When Marshall Kirkpatrick called me today to discuss his upcoming ReadWrite Real-Time Web Summit and report, I used some of these tidbits to help explain the changes I see coming with the emergence of the real-time web.

Specifically, in the document-centric era of the web, humans largely adapted their behavior to fit the speed of the network, and chunked their thoughts into discreet, long-lived static blog posts and documents. But, as we’re seeing, Gutenberg’s reach into the web can only extend so far: the mores of physical media shall eventually give way to the seeping tendencies of data in the networked age.

If the speed of thinking — and the shape of our thoughts — have previously been confined to 93.5 square inches (the area of an eight and half by eleven sheet of paper), then our perception of reality must adjust to the scale of the web — to draw a comparison, as though we expanded our olfactory centers from 6 to 300 million.

Consider one consequence of “the mechanics of the canine snout”:

People have to exhale before we can inhale new air. Dogs do not. They breath in, then their nostrils quiver and pull the air deeper into the nose as well as out through side slits. Specialized photography reveals that the breeze generated by dog exhalation helps to pull more new scent in. In this way, dogs not only hold more scent in at once than we can, but also continuously refresh what they smell, without interruption, the way humans can keep “shifting their gaze to get another look.”

Imagine that we were able to interpret information at the scale and rapidity that dogs parse scent. That’s where we need to go.

To put this into perspective, consider how long it takes you to read one page of text; three minutes? Five? If we had the equivalent of a dog’s sense of smell for our ability to consume information, we’d be able to consume FIFTY pages of information in the same amount of time that it takes us to currently consume ONE. (For shits and giggles, if you printed the Internet, it would take up around 700 square miles of US letter-sized pages).

The dog’s nose, therefore, is perfectly adapted to consume vast quantities of information by scent. In order to cope with the real-time era of the web, we must imagine a similar augmentation of our own knowledge processing abilities if we’re to cope with the deluge.

In the real-time era, information is no longer restricted to an arbitrary number of words that fit on a page — let alone the kind of structures that were given to such proportions. Now, it is our capacity to consume and process information efficiently and effectively that limits us — partly explaining why we’re struggling to cope with all these “distractions”. Our brains are just doing what they were designed to do: process an intermittent flow of incomplete information and make rough cost-benefit calculations of possible decisions, while mitigating risk.

Lest we be overcome with information, we crave resolution and action. The crisis of the real-time web is how we confront an unending stream of undifferentiated information that all seems equally important and immediate, paralyzing us. In these cases, failing our own intrinsic resources, we look to surrogates (parents or other authority figures — celebrities suffice) to help us discard irrelevant information and get to the good stuff. We look to their reassurance to help us make a decision.

And this is why filters — natural, artificial, or social — will be so important in the real-time web.

As advanced as we think we are, our animal brains are just not adapted for this kind of environment. And we’re going to need help — as well as new thinking.

To reinforce this point, let’s return to our canine friends.

Contrary to what “dog whisperer” Cesar Millan claims, dogs are not pack animals — at least not in the way that wolves are. Schine writes:

[...] Countering the currently fashionable alpha dog “pack theories” of dog training, Horowitz notes that “in the wild, wolf packs consist almost entirely of related or mated animals. They are families, not groups of peers vying for the top spot. . . . Behaviors seen as ‘dominant’ or ’submissive’ are used not in a scramble for power; they are used to maintain social unity.”

The idea that a dog owner must become the dominant member by using jerks or harsh words or other kinds of punishment, she writes, “is farther from what we know of the reality of wolf packs and closer to the timeworn fiction of the animal kingdom with humans at the pinnacle, exerting dominion over the rest. Wolves seem to learn from each other not by punishing each other but by observing each other.”

So just as we must shake such ingrained, patriarchic theories in animal biology, we must also reconsider the models we have for thinking about, understand, and relate to information in the flow of activity streams.

Dogs are able to consume vast quantities of information by scent — and that means that their perception of reality is fundamentally different from ours. Will we ever know what it’s like to smell a rose with 50 times more receptors? No, probably not — nor is it clear that we’ll be able to augment our native cognitive abilities to consume information 50 times faster than we do today. And yet the real-time web relentlessly marches forth, promising a massive shift in both our access and ability to cope with such huge amounts of data.

Presuming that we keep the brains we have, this has huge ramifications for interaction and user experience design. We cannot simply apply document-based interfaces to this new, more rapid and fluid space. Instead, we need to take inspiration from the field of game design (Halo would suck if it operated at anything less than real-time); we need to think about how social search fits in and can augment our ability to filter information and make better decisions; we need to consider how one can effectively project intentions onto the web to receive better, faster, automatic service, as Doc Searls’ Project VRM proposes; we need to take advantage of the always-on human network, as Amazon’s Mechanical Turk and Q & A service Aardvark do; and we should embrace the natural and native speed that comes with a more conversational and people-centric web.

If this review got me to realize anything, it’s that we should be careful about applying familiar and comfortable rubrics to the nature of information flows on the real-time web. Our brains are powerful and incredibly plastic, but the quantities of information available on the real-time web may bring us to the limit of our current cognitive abilities. Our challenge as designers, developers, and innovators, is therefore either to modify the environment around us, or build new tools and methods that make will us 50 times more capable of confronting this emerging reality.

Kaliya Hamlin: ReadWrite Real-Time Web Summit Announced

Tue, 15 Sep 2009 15:38:48 +0000

The ReadWrite Real-Time Web Summit announcement is live. I am working on this with them as the facilitator. The event is modeled on the format we use at the Internet Identity Workshop to get a lot done and have real discussions about emerging topics in industry.

ReadWriteWeb has offered high quality coverage of this area for a long time and they seem like a natural convener of real conversation. Of course Identity is key to this industry but so are many other things.

Learn more here

Chris Messina: Windows Live and MySpace ship support for activity streams

Tue, 15 Sep 2009 02:24:23 +0000

Earlier today, Rob Dolin announced the launch of additional sources of activities for Windows Live users — including MySpace, Hulu, Skyrock, and SlideShare.

Writing on the Windows Live Services blog, he outlines the premise behind the Activity Streams effort (emphasis original):

With today’s latest partner integrations on Windows Live, we’ll have over fifty web activities that Windows Live customers can add into their Windows Live experience. (To learn more about all the Windows Live partners, check out our Windows Live Team blog). Nearly all of the web activities employ a polling model where a customer enters some basic information about their presence on a website and then Windows Live periodically polls an XML feed of the customer’s activity on that site. In the past, this feed has been in RSS 2.0 or Atom and then for each partner, we have a custom XSLT that maps the elements from the customer’s feed to the data attributes in Windows Live’s system.

Challenges with Web Activities

There are two big challenges with this basic polling model of RSS 2.0 or Atom:

We need to develop a custom mapping for each partner

Each partner needs to have only one activity type or they need a way to communicate what type of activity each RSS 2.0 <item> or Atom <entry> is.

The emerging Activity Streams open standard comes in to help solve both of these problems.

How Activity Streams Help

Activity Streams help to address both of the above issues. First, instead of having to do a custom mapping for practically every Web Activities partner, with an open standard like Activity Streams, we can build a single mapping that can be used by multiple partners.

Second, Activity Streams includes <activity:verb> and <activity:object-type> elements so we can identify that one is a status update and another is a blog entry. Thus, services that have multiple activity types (like MySpace) can have a single feed that includes photos, status, blogs, music, and more.

This maps directly to my motivation in starting this effort, back in June of 2008:

The basic premise is this: lifestreams, alternatively known as “activity streams”, are great for discovering and exploring social media, as well as keeping up to date with friends (witness the main feature of Facebook and the rise of FriendFeed). I suggest that, with a little effort on the publishing side, activity streams could become much more valuable by being easier for web services to consume, interpret and to provide better filtering and weighting of shared activities to make it easier for people to get access to relevant information from people that they care about, as it happens.

By marking up social activities and social objects, delivered in standard feeds [...], we enable anyone to run a FriendFeed-like service that innovates and offers value based on how well it understands what’s going on and what’s relevant, rather than on its compatibility with any and every service.

We’ve come a long way since then — and the acquisition of FriendFeed only helps to reinforce the timeliness of this work.

It’s also been incredibly gratifying to see people like Rob and Monica Keller devote so much energy (see MySpace’s activity streams docs) to helping this effort get off the ground. Maintaining the momentum of this project has been challenging at times — considering that Mart Atkins (author of the Activity Streams specs) has a full time job at Six Apart and David Recordon (my other cohort) just left there to go work at Facebook (where Jerry Cain has been key in getting Facebook to adopt activity streams).

Seeing large players adopt the activity streams format is good for the open web ecosystem. It’s good for individual choice and for enabling market-based mechanisms that encourage competition and good behavior. It enables the decentralization of reading and publishing, and provides individuals with a record of both what their friends are doing as well as what they themselves have done. And these things are all good for the development of the people-centric social web.

Chris Messina: The Web at a New Crossroads

Mon, 14 Sep 2009 18:12:39 +0000

This post is a collaborative essay written by Jyri Engström and myself, edited by Brynn Evans and originally posted to the ArcticStartup blog on September 11, 2009. Thanks to Brad Fitzpatrick for his comments on the draft.

· · ·

Around 2003, things began to change.

Technology was then the black sheep, having left overnight millionaires destitute and without change to afford their $4 lattes. Even the posers had left San Francisco and gone back to suburbia to be office managers at Walmart.

It was a sad time for everyone — that is, except the die-hards and the hackers. The web for them had never been about making money, but about reshaping culture and toppling the old order. 2003, therefore, was the perfect time for a resurgence: the people who kept pushing on in the Valley and elsewhere were a concentrated motley crew of innovators and builders. They cared about technology for technology’s sake and about developing and advancing web culture.

What they didn’t realize, however, was that the services and technologies that they were destined to build would need to be cobbled and sewn together using a system that would fight them every step of the way — not out of spite — but because of its architecture. By definition the network available was decidedly anti-human: in 2003, there was only the document-centric web.

The document-centric web

We’ll spare you the history lesson of the origin story of the internet, but suffice it to say, the web we have today is because a bunch of scientists, academics, and government folks needed a way to share static documents — not set up identities or have a dynamic conversation in public. The net was decidedly antisocial and anti-serendipity, from the beginning.

Keep that in mind when you consider what happened around 2003: masses of people started blogging, publicly. Services like Blogger and TypePad surged; LiveJournal and WordPress started to grow stubble and Drupal emerged from a college dorm. In the absence of innovation since the bubble burst, people started to realize that the web could be a place for personal expression and public conversation — and blogging became the “it” thing to do.

The problem was that tools were built around the document model of publishing. Many people maintained collections of blogs that they kept handy as bookmarks — and visited regularly, sometimes several times a day (depending on the prolificness of a given blogger). The more savvy audiences discovered desktop feed readers that fetched new content automatically. But conversation was fragmented and inconvenient: to comment, you had to visit the publisher’s blog and create a single-purpose account there; to post an original response, you had to have your own blog and know how to send a trackback to the post you were responding to.

The pace was slow and cumbersome, but most early bloggers didn’t mind. Their new medium was exciting, expansive, and controversial. And for the time, it fit the write-print/publish model many people had become familiar with thanks to Microsoft Word and other text editors — and which was in turn rewarded by Google’s link-based approach to search.

But two things were lacking in the first generation of Web 2.0 tools: personhood and aggregated conversation streams. The document-web hadn’t made room for people-friendly affordances like “faces,” and didn’t conform to our restless animal brain, which is well suited to working with a flow of short snippets of information.

Proprietary, real-time platforms

Enter: the real-time web. If 2003–2006 could be defined as the emergence of social media on infrastructure still dominated by the document-web, 2007 through the present will be defined as the transition to the “real-time” web, even if through a proprietary side-road.

We’ve had chat, SMS, and other forms of asynchronous (near) real-time data streams for some time. But, just as blogging did to email, every new generation is about pushing down the walls that cage one-to-one and one-to-few interactions, turning the same private publishing tools into many-to-many-to-many-more public publishing platforms. Emphasis on the noun: from tools to platforms.

The catch? This real-time web is not mature yet, since the platforms that sequester all of our activities today are proprietary ones like Facebook and Twitter. These are convenient, to be sure, but of limited utility to users with cross-site ambitions, who require interoperability.

While “brand-mediated” profiles and relationships may not seem completely odious on the surface, there are four major drawbacks to keep in mind:

Tying one’s identity and communications to a single silo means relying on a single point of failure, degrading the overall reliability and stability of the system. (Remember the failwhale and efforts to keep Twitter from going offline during the Iran uprising, for example).
Handing over management of one’s identity to a company means being dependent on their decisions and priorities. (Consider the 5,000 friend limit on Facebook; Twitter’s arbitrary suggested users list; and examples of users being ousted from various services for controversial reasons).
A web built on top of a few proprietary platforms means less diversity and ultimately smaller scale than a web built on non-proprietary protocols and standards (consider how useful email, the web, and the internet itself became once open standards for interoperability were adopted, and the power of “small pieces loosely joined“).
And finally, on an ethical and emotional level — it just doesn’t feel right.

Fortunately, there are a number of initiatives that are gaining in popularity and finding pockets of adoption throughout industry, leading us to a juncture, where in one direction is the status quo and in the other is what we call “the people-centric (real-time) web”.

The people-centric (real-time) web

If the document-centric web was dominated by static pages, then the people-centric web is about placing you at the center (as Time Magazine did famously in 2006). We’re seeing the rise of dynamic, portable friend lists and non-brand-mediated identities that can be used across a range of standards-compliant websites. People are beginning to move freely between silos. Individuals are increasingly able to bring their data with them and substitute one service or service provider with another, as one can switch between Outlook and Thunderbird for email, or Photoshop and Pixelmator for image editing on the desktop. Relevant information and friends’ activities are starting to come to users via distributed push publishing. (Thomas Vander Wal has called this the “come to me” web).

Let us briefly describe the key enablers of this emerging new phase:

Portable profiles means that instead of creating an account on each service you join, you can now host your identity in one place and bring your profile and friends with you to other sites as you surf the social web. Webfinger, OpenID, Portable Contacts, and OAuth all make this possible (and for bootstrapping profiles from the legacy document-web, we have Google’s Social Graph API).

Distributed push publishing means there is no longer a need to rely on proprietary platforms. The emerging standards here are PubSubHubbub (PuSH) and rssCloud (see comparisons on TheNextWeb and TechCrunch).

Synchronized conversation threads means that users can participate on the same conversation thread across multiple interfaces and services (we are still waiting for a standard, for which various geeks are actively devising a plan).

Much work remains to make cloud services fully interoperable, but the foundations are in place to turn the web into a truly people-centric place. This call to action goes out to developers, corporations, and individuals alike. Best of all, it’s not that hard to start supporting these efforts:

Let people use existing accounts to sign in and sign up for your service. First, the signup ritual offers the least amount of value to users so get it out of the way as fast as possible! Plus, it’s an automatic barrier to entry — you’ll see an increase in successful signups by reducing the friction in logging in up front (as Plaxo did). Second, unless it’s core to what you do, this will also save you the chore of managing profiles on your service. Third, people have so many profiles these days, they can’t keep track of them and they certainly don’t want to be creating yet another. Instead, figure out a way to subscribe to someone’s existing profile — and keep a reference of it up to date on your site.

Sharing information and activities from your site is how other people will discover you. Stickiness as a business practice was a byproduct of the document era of the web; on the people-centric web, portability is critical. Data, identities, relationships, and activities need to flow between sites in order to expose insights, spread knowledge, and engender meaningful social interactivity. This sounds complicated but is relatively straightforward. To begin, your site can make available atomic units of data, exported as streams of activity that indicate who acted in which way upon what object. It’s easier than it sounds and formats are available to support this modular approach (see: Activity Streams)

As a user, consider how much control and security you really want over your online identity. How do you feel about leasing an identity from a web brand? Unsure about the benefits of owning your own? Some providers (Google, Yahoo, Flickr, MySpace, AOL) let you use their accounts as OpenIDs — a great step towards portability, and beneficial to everyone. The catch with any leased identity is that your identity will be under the provider’s brand, profile constrained by their design decisions, and personal data subjected to their terms of service. As an alternative, acquiring your own domain and setting up your own profile with an independent is becoming much easier with free services like Chi.mp and hi.im. More innovation is needed in this area to make independent identities for people and organizations first class citizens on the social web, and their setup and management simpler, accessible, and secure!

What’s yet to come

It’s 2009, going on 2010. For the past three years, the web has been morphing into a real-time and people-centric place. We’ve seen this trend among individual users — through their actions and demands for better social experiences — but also increasingly among companies and developers. We want a web that’s more “like us” than the old model was. We want a web where people are as important to the architecture of the system as documents.

And with this new model come new opportunities for innovation and personalization. It is possible to build applications for participating in decentralized conversations around various ideas and trends. This presents a new opportunity for identity management apps, community sites, social dashboards, real-time search, messaging hubs… and even browser makers, hardware manufacturers, and ad networks. Mobile platforms are also growing, as people connect over non-desktop devices. These small handheld technologies further underscore the importance of portable identity, microcontent, decentralization, and (near) real-time delivery. A document-centric approach just doesn’t make sense in a mobile world, and with new ground being broken in fields like augmented reality, demand for increasingly rich social experiences powered by open standards instead of proprietary platforms will continue to grow.

But consider the future: the benefits of a people-centric model are still evolving and remain to be fully realized. It’s critical to not be complacent with the platforms we’ve grown so accustomed to. If you wear the developer’s hat, now’s the time to get on board, read the specs, and implement support for OpenID, Activity Streams, OAuth, PubSubHubbub/rssCloud, or the other mentioned open standards that are relevant to your users. If you are a user, don’t be afraid to be vocal and ask the services you love to show they love you back, by giving you the rights to your data and the tools to take it with you elsewhere. If you’re a business, realize that the distributed potential of the social web has barely been tapped, and that you have a choice between (as Robert Scoble calls it) gifting your branding power to someone else, or leveraging these standards to turn your own site from an island to a node in a network of social activity as wide as the web itself. In the end, the internet as a whole will be better off if we stay in control of our own destinies.

· · ·

Jyri and I will be presenting a workshop on this material during our MindTrek pre-conference tutorial on September 30th in Helsinki. Early bird tickets are still available at a discounted rate; register today!

Also, don’t forget you can still register for MindTrek, the Nordic conference on social media (Oct. 1st–2nd) in Tampere, Finland.

Kaliya Hamlin: FastCo Post on Governemnt Experiments with Identity Technologies

Sat, 12 Sep 2009 15:54:56 +0000

This is cross posted on Fast Company.

The Obama administration open government memorandum called for transparency participation, collaboration and federal agencies have begun to embrace Web 2.0 technologies like blogs, surveys, social networks, and video casts. Today there are over 500 government Web sites and about 1/3 of them require a user name and password. Users need to be able to register and save information and preferences on government Web sites the same way they do today with their favorite consumer sites, but without revealing any personally identifiable information to the government.

Yesterday the United States Government in collaboration with industry announced a few pilot projects using emerging open identity technologies for citizens to use when interacting with government sites. I use the word interacting very deliberately because the government doesn’t want to know “who you are” and has gone great lengths to develop their implementations to prevent citizens from revealing personally identifiable information (name, date of birth etc).

How would you use this?–well imagine you are doing an in depth search on an NIH (National Institute of Health) Web site–and you went back to the site many times over several months. Wouldn’t it be great if the site could “know” it was you and help you resume your search where you left off the last time. Not your name and where you live but just that you were there before.

The Identity Spectrum helps us to understand how it all fits together.

Anonymous Identity is on one end of the identity spectrum–basically you use an account or identifier every time go to a Web site–no persistence, no way to connect the search you did last week with the one you did this week.

Pseudonymous Identity is where over time you use the same account or identifier over and over again at a site. It usually means you don’t reveal your common/real name or other information that would make you personally identifiable. You could use the same identifier at multiple sites thus creating a correlation between actions on one site and another.

Self-Asserted Identity is what is typical on the Web today. You are asked to share your name, date of birth, city of residence, mailing address etc. You fill in forms again and again. You can give “fake” information or true information about yourself–it is up to you.

Verified Identity is when there are claims about you that you have had verified by a third party. So for example if you are an employee of a company your employer could issue a claim that you were indeed an employee. You might have your bank verify for your address. etc.

The government pilot is focused on supporting citizens being able to have pseudonymous identities that function only at one Web site–the same citizen interacting with several different government Web sites needs to use a different identifier at each one so their activities across different government agencies do not have a correlation.

It is likely that some readers of this blog know about and understand typical OpenID. Almost all readers of this blog do have an openID whether they know it or not because almost all the major Web platforms/portals provide them to account holders–MySpace, Google, Yahoo!, AOL etc.

So how does this work with OpenID?

Typically when logging in with OpenID on the consumer Web you share your URL with the site you are logging into–they redirect you to where that is hosted on the Web–you authenticate (tell them your password for that account) and they re-direct you back to the site you were logging in. (see this slide show for a detailed flow of how this works). Using OpenID this way explicitly links your activities across multiple sites. For example when you use it to comment on a blog– it is known your words come from you and are connected to your own blog.

Using the OpenID with Directed identity–de-links your the identifiers used across different sites but still lets you use the same account to login to multiple sites.

When you go to login to a site you are asked to share not “your URL” but just the name of the site where your account is–Yahoo! or Google or MySpace etc. you are re-directed to that site and from within your account a “directed identity” is created–that is a unique ID just for that Web site. Thus you get the convenience of not having to manage multiple accounts with multiple passwords and you get to store preferences that might be shared across multiple ID’s but you don’t have identifiers that correlate–that are linked across the Web.

How does this work with Information Cards?

This is a complementary open standard to OpenID that has some sophisticated features that allow it to support verified identities along with pseudonymous & self asserted identities. It involves a client-side piece of software called a selector–which selector helps you manage your different identifiers using a card based metaphor, with each digital “card” representing a different one. Citizens can create their own cards OR get them from third parties that validate things about them.

The government is creating a privacy protecting “card profile” to be used in the pilot program. It is NOT issuing identities.

Trust Framework are needed to get it all to work together.

From the press release yesterday:

“It’s good to see government taking a leadership role in moving identity technology forward. It’s also good to see government working with experts from private sector and especially with the Information Card Foundation and the OpenID Foundation because identity is not a technical phenomenon–it’s a social phenomenon. And technological support for identity requires the participation of a broad community and of representatives of government who define the legal framework within which identity will operate,” said Bob Blakley, Vice President and Research Director, Identity and Privacy Strategies, Burton Group. “Today’s announcement supplies the most important missing ingredient of the open identity infrastructure, mainly the trust framework. Without a trust framework it’s impossible to know whether a received identity is reliable.”

The OpenID Foundation and Information Card Foundation wrote a joint white paper to describe how they are working on developing this. From the abstract:

[They] are working with the U.S. General Services Administration to create open trust frameworks for their respective communities.

These frameworks, based on the model developed by the InCommon federation for higher education institutions, will enable government Web sites to accept identity credentials from academic, non-profit, and commercial identity providers that meet government standards. These standards are critical as they represent the government’s resolution of the challenging and often competing issues of identity, security, and privacy assurance. Open trust frameworks not only pave the way for greater citizen involvement in government, but can enable even stronger security and privacy protections than those typically available offline.

These are all exciting developments but there is much more to do.

Looking (far) ahead there may be the opportunity to do selective disclosure–combining anonymity with verified identity.

How do these go together–you can take a verified identity claim say your birth date then using cryptography strip the specifics away and just have a claim that says you are “over 21″. Then using an anonymous identifier you have selectively disclosed your age without giving away your date of birth.

You could imagine this would be handy for citizens wanting to communicate their opinions to their member of congress without revealing their actual name and address – they could “prove” using a verified claim they live in the district but not reveal who they are. This aspect of what is possible with the technology is VERY forward looking and will take many years to get there. There is enormous potential to evolve the Web with this emerging identity layer.

I would like to invite all of you interested in being involved/learning more to attend the Internet Identity Workshop in Mountain View California November 3-5. I have been facilitating this event since its inception in 2005. It is truly amazing to see how far things have progressed from when we were 75 idealistic technologist talking about big ideas. at the Hillside Club in Berkeley. It is also some what daunting to think about how much farther we have to go.

Pat Patterson: OpenSSO Tab Sweep - Sep 11 2009

Fri, 11 Sep 2009 19:19:30 +0000

Wow - it's been months since the last OpenSSO tab sweep. Anyway - here's a collection of the latest news from the world of OpenSSO:

Sun Developer Network continues to publish excellent articles on OpenSSO. Last month, Rick Palkovic of SDN and Francois Lascelles of Layer 7 Techologies collaborated on Delegating XML Gateway Runtime Authorization to OpenSSO, showing how Layer 7's SecureSpan XML Networking Gateway integrates with OpenSSO to provide edge security for SOA, Web 2.0 and cloud-based web services.
This month, Rick's written another article, this time with Qingwen Cheng and Mrudul Uchil of Sun's OpenSSO engineering team. Enabling IP/Resource/Environment Based Authentication With OpenSSO is a three-part series explaining how this functionality, new in OpenSSO Express Build 8, replaces the pre-existing Gateway servlet to provide a flexible mechanism for including contextual information in the authentication process.
My colleague, Hubert Le Van Gong has been blogging profusely over the past few weeks on the topic of OpenID 2.0 and OpenSSO. As Hubert mentions, we recently rewrote the OpenSSO OpenID extension to support OpenID 2.0. Hubert's blog entries cover a number of topics specific to the rewrite, including deployment (with an important follow up) and realm/relying party validation. C'est la Vie is definitely a blog worth watching if you're interested in the OpenID/OpenSSO intersection.
There have been a number of OpenSSO policy agent releases over the past few weeks, including agents for Apache 2.2 and IIS 7. The OpenSSO Policy Agents 3.0 Roadmap is the place to stay up to date.
The replay of Daniel's OpenSSO webinar from last month, which, by the way, set an internal record for registrations, has been posted online. Click here to catch up.
Outside Sun, 'Pairg' has released a WordPress plugin for OpenSSO authentication (thanks, Ramoonus, for the tip!). It looks to have much more functionality than the proof of concept code I released a little while ago, so, if you're into WordPress, I recommend you go take a look.

Now I can close a few Firefox tabs and relax. Have a good weekend, everyone!

Chris Messina: Bob Blakley on OpenID and the government

Fri, 11 Sep 2009 11:40:54 +0000

Bob Blakley works for the Burton Group and has been involved in identity for some time. Writing about the recently launched Open Identity initiative with the US Government, he cited a reason why the announcement is big news, with which I strongly agree (from an American perspective, YMMV in other countries):

The second reason today’s announcement is a really big deal is that, after years of government attempts to create identities and assign them to citizens (via such bad ideas as the UK National ID scheme and the US REAL-ID act), a government has finally recognized that individuals already HAVE identities, and that it’s a better idea, for most purposes, to use these identities than to establish a new government bureaucracy to create new identities – especially if they’re identities people don’t want.

If this initiative succeeds, and I hope it does, it’s almost certain to be a much cheaper route to government consumption of reliable digital identities of citizens than something like REAL-ID would be. And it will preserve consumer choice at the same time as encouraging innovation in commercial identity technology.

Kaliya Hamlin: Thomas Friedman on the lesson from Van Jones – “Watch out for the participatory panopticon”

Fri, 11 Sep 2009 03:41:31 +0000

Thomas Friedman of the NYTimes on Meet the Press today talking about several recent incidents including what happened to Van Jones.

When everyone has a cell phone, everyone is a photographer, when everyone has access to YouTube, everyone is a filmmaker, and when everyone is a blogger everyone is a newspaper.

When everyone is a photographer, a newspaper and a filmaker everyone else is a public figure. Tell your kids ok, be careful every move they make is now a digital footprint. You are on candid camera and unfortunately the real message to young people from all these incidents… (he says holding his hands closely together) is really keep yourself tight – don’t say anything controversial, don’t think anything controversial, don’t put anything in print – you know what ever you do just kind of smooth out all the edges (he says moving his hands in a streamlining motion down) and maybe you too – you know when you get nominated to be ambassador to Burkina Faso will be able to get through the hearing.

What does this capacity to document “everything” digitally mean to free thinking, and free speech? It seems that is having a quelling effect.

I have written about the participatory panopticon several times, a term coined by Jamais Cascio.

* Participatory Panopticon strikes Michael Phelps

* We Live in Public – a movie

* “sousveillance” coming to NYC and Big Brother coming to NYC

* Participatory Panopticon tracking the CIA’s Torture Taxi

* Condi Caught by Emerging Participatory Panopticon

* Accelerating Change Highlights: 1 (Jon Udell)

The first time I spent a whole day with technologists working on the identity layer of the web in 2003 I asked publicly at the end of the day – how do we forgive in these new kinds of tools in place? How do we allow for people to change over time if “everything” is documented?

I hope we can have a dialogue about these kinds of issues via the blogosphere and also face to face at the 9th Internet Identity Workshop coming up in November.

Kaliya Hamlin: Great Identity News

Fri, 11 Sep 2009 03:24:45 +0000

Yesterday the Government hosted a workshop in DC: Open Government Identity Management Solutions Privacy Workshop.

The OpenID Foundation and the Information Card Foundation are working with the U.S. General Services Administration to create open trust frameworks for their respective communities.

Drummond Reed and Don Tibeau announced their paper Open Trust Frameworks for Open Government.

Quiet and intense work has been going on since just before the last IIW on all this, so it is great to see it begin to see the light of day.

The OpenID Foundation had a wonderful new redesign that Chris Messina announced. This page really made me smile: Get an OpenID – Surprise! You may already have an OpenID.

Axel did a Wordle of it:

Kaliya Hamlin: Open Identity for Open Government Explained

Fri, 11 Sep 2009 03:20:26 +0000

Today the United States Government with digital identity industry leaders announced the development of a pilot project with NIH and related agencies using two of the open identity technology standards OpenID and Information Cards.

This is, as a friend said to me, a “jump the shark moment” – these technologies are moving out from their technologists technology cave into mainstream adoption by government agencies. We are seeing the convergence of several trends transform the way citizens participate in and communicate with government:

Top-down support for open government
The proliferation of social media
The availability of open identity technologies

Today there are over 500 government websites and about 1/3 of them require a user name and password. Users need to be able to register and save information and preferences on government websites the same way they do today with their favorite consumer sites, but without revealing any personally identifiable information to the government.

The challenge is that supporting this kind of citizen interaction with government via the web means that identity needs to be solved. On the one hand you can’t just ask citizens to get a new user-name and password for all the websites across dozens of agencies that they log in to. On the other you also can’t have one universal ID that the government issues to you and works across all government sites. Citizens need a way to interact with their government pseudonymously & in the future in verified ways.

So how will these technologies work?

Those already familiar with OpenID know that typically when users login with it they give their own URL – www.openIDprovider.com/username. (see this slideshare of mine if you want to see OpenID 101) There is a little known part of the OpenID protocol called directed identity – that is a user gives the name of their identity provider – Yahoo!, Google, MSN etc – but not their specific identifier. The are re-directed to their IdP and in choosing to create a directed identity they get an identifier that is unique to the site they are logging into. It will be used by them again and again for that site but is not correlatable across different websites / government agencies. The good news is it is like having a different user-name across all these sites but since the user is using the same IdP with different identifiers (unlinked publicly) but connected to the same account they just have to remember one password.

Information Cards are the new kids on the identity block in a way – this is their first major “coming out party” – I am enthusiastic bout their potential. It requires a client-side tool called a selector that stores the user’s “digital cards”. Cards can be created by the end user OR third parties like an employer, financial institution, or school can also issue them.

In essence, this initiative will help transform government websites from basic “brochureware” into interactive resources, saving individuals time and increasing their direct involvement in governmental decision making. OpenID and Information Card technologies make such interactive access simple and safe. For example, in the coming months the NIH intends to use OpenID and Information Cards to support a number of services including customized library searches, access to training resources, registration for conferences, and use of medical research wikis, all with strong privacy protections.

Dr. Jack Jones, NIH CIO and Acting Director, CIT, notes, “As a world leader in science and research, NIH is pleased to participate in this next step for promoting collaboration among Assurance Level 1 applications. Initially, the NIH Single Sign-on service will accept credentials as part of an “Open For Testing” phase, with full production expected within the next several weeks. At that time, OpenID credentials will join those currently in use from InCommon, the higher education identity management federation, as external credentials trusted by NIH.” In digital identity systems, certification programs that enable a site — such as a government agency — to trust the identity, security, and privacy assurances from an identity provider are called trust frameworks. The OIDF and ICF have worked closely with the federal government to meet the security, privacy, and reliability requirements set forth by the ICAM Trust Framework Adoption Process (TFAP), published on the IDManagement.gov website. By adopting OpenID and Information Card technologies, government agencies can cost effectively serve their constituencies in a more personalized and user friendly way.

“It’s good to see government taking a leadership role in moving identity technology forward. It’s also good to see government working with experts from private sector and especially with the Information Card Foundation and the OpenID Foundation because identity is not a technical phenomenon — it’s a social phenomenon. And technological support for identity requires the participation of a broad community and of representatives of government who define the legal framework within which identity will operate,” said Bob Blakley, Vice President and Research Director, Identity and Privacy Strategies, Burton Group. “Today’s announcement supplies the most important missing ingredient of the open identity infrastructure, mainly the trust framework. Without a trust framework it’s impossible to know whether a received identity is reliable.”

Under the OIDF and ICF’s open trust frameworks, any organization that meets the technical and operational requirements of the framework will be able to apply for certification as an identity provider (IdP). These IdPs can then supply authentication credentials on behalf of their users. For some activities these credentials will enable the user to be completely anonymous; for others they may require personal information such as name, email address, age, gender, and so on. Open trust frameworks enable citizens to choose the identity technology, identity provider, and credential with which they are most comfortable, while enabling government websites to accept and trust these credentials. This approach leads to better innovation and lower costs for both government and citizens.

The government is looking to leverage industry based credentials that citizens already have to provide a scalable model for identity assurance across a broad range of citizen and business needs – doing this requires a trust framework to assess the trustworthiness of the electronic credentials; see Trust Framework Provider Adoption Process (TFPAP). A Trust Framework Provider is an organization that defines or adopts an online identity trust model involving one or more identity schemes, has it approved by a government or community such as ICAM, and certifies identity providers as compliant with that model. The OIDF and ICF will jointly serve as a TFP operating an Open Trust Framework as defined in their joint white paper, Open Trust Frameworks for Open Government.

Both the OpenID and Information Card Foundation have been working very hard on this for many months – last night I was fortunate to their boards at a history first ever joint dinner.

There are two women in particular though who have driven this forward: Judith Spencer of the Federal Identity, Credential, and Access Management Committee on the government side and Mary Ruddy of Meristic Inc on the industry side. Both of them will be speaking about the project at the Gov 2.0 Summit on Thursday.

Personally this announcement shows how far things have come since I facilitated the first Internet Identity Workshop in 2005 with 75 idealistic identity technologies talking about big ideas for use-centric identity. I am really looking forward to discussing these developments at the forthcoming 9th Internet Identity Workshop in November.

Ashish Jain: Open Identity for Open Government

Thu, 10 Sep 2009 23:03:16 +0000

At the Gov2.0 conference yesterday, US government announced Open identity for Open Government initiative.

PayPal is one of the participants that has joined the pilot programs for both OpenID and Information Card.

ReadWriteWeb provides a good explanation of the initiative here.

A good FAQ is available at ICF website here.

I consider this as another forcing function that provides an opportunity for several providers to work together. There is no dearth of opinions in the identity community . GSA, I believe has done a tremendous job in putting together the ICAM profiles for OpenID , Information Cards and the Trust framework .The profiles have allowed the providers to focus and converge on some of the important issues surrounding the technologies.

RE: OpenID
There has been some questions from the very start (and there is still no consensus) if the resting state should be lightweight, simple to use, distributed, low-value transactions. Or should it grow and evolve towards more security, trust, e-commerce and whatever comes with it.

If the answer is latter, then the ICAM profile is very appropriate. The mandatory use of SSL, directed Identity, support of white list, trust framework for certification, sensitvity towards PII etc. are all good steps for a robust identity framework geared towards value-transactions. One could argue that the trust frameworks would push it towards a centralized system but hopefully there will be several entities serving as trust framework providers.
Authentication is a critical function for any site and it’s understandable that a site (that has something to protect) wouldn’t outsource it without first establishing trust (implicit or explicit). This has been one of the sticky points in the community since establishing trust (via RP specific whitelist or third party providers) can potentially hinder adoption and innovation.

RE: Information Card
Even though a lot has been done in the past few years, a few issues still remain:

Platform support for information card/selector is limited.
The UI experience is too foreign and that’s get even more challenging due to the maturity level of current selectors.
Mobility/portability of cards (and hence identity) is still unresolved.
There are very limited “maintained” tool/libraries for relying parties to use.
The issues around running a managed card provider (e.g. practices around issuing/renewing/revoking cards, cert/key expiry, advising user in an intelligent and non-intrusive way on what claims should (or not) be shared with the RP etc.) haven’t yet surfaced. Hopefully the pilot will make IdPs (that includes us) think harder on some of the production issues around running a card server.

Irrespective of how far the Open Identity initiative will go, it’s definitely a step in the right direction.

No Tags

Johannes Ernst: OpenID and Government

Wed, 09 Sep 2009 18:17:23 +0000

Today’s news about major identity initiatives in the US Federal Government is indeed great news.

But it does make me think. Kick Willemse asked the key question on an OpenID mailing list:

How about a dutch (international) OP fullfilling all criteria?

What about one in Russia or China? Would the US government accept identities asserted by an entity outside of the country? What about Iran? Before the revolution?

What about a multi-national headquartered, in, say, New York? That serves some of its identities from a data center in Mexico? If it now moved headquarters to Bermuda, when then? What if it was acquired by a Chinese company with strong ties to the Chinese government?

Given that identities last much longer than the whims of foreign relations (or M&A activities), doesn’t this open up so many different cans of worms?

The only solutions to all these issues that I can think of are:

either the individual is in charge of identity provider selection
or the US government becomes its own identity provider, which in general is not an unreasonable position to take (think passports)

But neither of those is foreseen in the deployments that are planned. So I’m confused where exactly this might be going …

John Bradley: Open Identity Pilot announced for US Government

Wed, 09 Sep 2009 14:12:01 +0000

The project I have been working on for the last 6 months is no longer a secret.

Secret Government Project

Today the OpenID Foundation, Information Card Foundation, and the US General Services Administation (GSA) are announcing the pilot proram for US gov sites accepting Information Cards, openID, and SAML.

InCommon has been working with the GSA and NIH for a while now so may be less news worthy, but they are no less a participant.

We have ten Identity Providers who are announcing today there participation in the pilot, and there intention to follow through with certification by one of the "Trust Framework Providers".

GSA Pilot information
Infocard Pilot information
OpenID Pilot information

Chris Messina post

The GSA Information card profile is in the final approval process.
The GSA OpenID profile was approved and released today.

I have been working closely with the Identity providers and the initial government RPs.

Testing has been going on for a while on Test-ID where there are example endpoints for IdP to test against.

Participation for Identity Providers is not limited to the ten announced today.

The Foundations will be accepting applications from interested IdP from around the world.
For those of us who arn't American the US Government is not restricting this to only US IdP.

Government agencies colaberate internationaly. The NIH is very interested in supporting people from around the world having access to it's resources.

I expect that we will see European and other IdP joining the program shortly.

I have also had conversations with other governments from around the world who are very intrested in this model. I expect some of them to develop there own trust frameworks for access to there resources as well.

I am hoping this is a turning point for the adoption of all federated identiy technology.

John B.

Chris Messina: Open identity for the government

Wed, 09 Sep 2009 14:09:24 +0000

Cross-posted to the OpenID blog.

Today in collaboration with Vivek Kundra, the nation’s first CIO, we are announcing a pilot program intended to enable individual citizens to login to government websites with their existing accounts — without revealing their password or personally identifying information — using OpenID and InfoCard technologies.

This is an important step in the Obama administration’s commitment to open, transparent, and participatory government.

First, it acknowledges and embraces existing, open technologies, rather than inventing their own (or worse, hiring independent contractors to do the same).

Second, this comes at a critical time in the history of OpenID, of which there are now well over 500 million OpenID-capable accounts in the wild, (even if few people realize that they already have one!). Given the wide deployment of this technology, it only makes sense that the government should leverage this wide potential userbase to facilitate interaction with its citizens.

Third, it is critical for the government and government agencies to develop solutions and adopt technologies that make it easier for modern citizens to engage with them, to exist competently alongside other social networking websites.

In other words, by embracing OpenID (and InfoCard), the government is helping to further establish the value of owning one’s own identity, and of having convenient, consistent, and privacy-protecting mechanisms in place to enhance and enable participation.

To make this more real, consider booking a campground on a state park’s website: do you really want to create yet another account (that you’ll probably never use again) just to reserve a campsite? Probably not.

To make this more personal: imagine searching the National Institute of Health’s website for information for a loved one who was recently diagnosed with cancer. You’d want the technology to get out of the way and serve your goals — who’d want to register for a new account when you just want to save your search progress (say, from a library kiosk) and resume it later (i.e. from home)?

It’s cases like this that begin to tease at the value of using existing accounts for low-security government interactions (at least to start). Like email, I expect to see this start with a slow, gradual adoption, and overtime, gain momentum and relevance.

To find out more about this pilot program, read the full press release and visit our OpenID for Government page. Also check out ReadWriteWeb and TechCrunch’s coverage.

Kaliya Hamlin: Celebrating with OIDF & ICF

Wed, 09 Sep 2009 12:17:19 +0000

This evening I was fortunate enough to be invited to attend the joint OpenID and Information Card Foundation dinner. It was fun to connect with everyone and it really meant a lot to me to be there. It has been a long journey as a community since the first Internet Identity Workshop in Oct 2005.

OpenID.net: Open identity for the government

Wed, 09 Sep 2009 12:11:38 +0000

Chris Messina is a community board member of the OpenID Foundation, long time advocate for citizens of the web, and prolific blogger on all things “open”.

This is an important step in the Obama administration’s commitment to open, transparent, and participatory government.

First, it acknowledges and embraces existing, open technologies, rather than inventing their own (or worse, hiring independent contractors to do the same).
Second, this comes at a critical time in the history of OpenID, of which there are now well over 500 million OpenID-capable accounts in the wild, (even if few people realize that they already have one!). Given the wide deployment of this technology, it only makes sense that the government should leverage this wide potential userbase to facilitate interaction with its citizens.

To find out more about this pilot program, read the full press release and visit our OpenID for Government page.

OpenID.net: Yahoo!, PayPal, Google, Equifax, AOL, VeriSign, Acxiom, Citi, Privo, Wave Systems Pilot Open Identity for Open Government

Wed, 09 Sep 2009 12:10:05 +0000

Gov 2.0 Conference - Washington, D.C. — September 9, 2009 — Ten industry leaders — Yahoo!, PayPal, Google, Equifax, AOL, VeriSign, Acxiom, Citi, Privo and Wave Systems — announced today they will support the first pilot programs designed for the American public to engage in open government — government that is transparent, participatory, and collaborative. This open identity initiative is a key step in President Obama’s memorandum to make it easy for individuals to register and participate in government websites — without having to create new usernames and passwords. Additionally, members of the public will be able to fully control how much or how little personal information they share with the government at all times.

These companies will act as digital identity providers using OpenID and Information Card technologies. The pilot programs are being conducted by the Center for Information Technology (CIT), National Institutes of Health (NIH), U.S. Department of Health and Human Services (HHS), and related agencies. The participating companies are being certified under non-discriminatory open trust frameworks developed under collaboration between the OpenID Foundation (OIDF) and the Information Card Foundation (ICF) and reviewed by the federal government.

“We are pleased with the caliber of organizations who have signed on to be active participants in this initiative,” said Judy Spencer, Co-Chair of the Federal Identity, Credential, and Access Management Steering Committee (ICAM). “They represent some of the best thinking and innovation in the private sector. We also value the ongoing support and guidance of the OpenID Foundation and the Information Card Foundation in facilitating digital identity for open government.”

Since President Obama’s open government memorandum earlier this year, federal agencies have been embracing Web 2.0 technologies to interact with members of the public via means such as blogs, surveys, social networks, and video casts. Today’s announcement paves the way for individuals to use these new services and customize their experience on government websites without needing to reveal any personally identifiable information – including passwords. It also takes advantage of best practices from the private sector for protecting privacy and security, including making it easier for citizens to have pseudonymous interactions with government sites when desired

In essence, this initiative will help transform government websites from basic “brochureware” into interactive resources, saving individuals time and increasing their direct involvement in governmental decision making. OpenID and Information Card technologies make such interactive access simple and safe. For example, in the coming months the NIH intends to use OpenID and Information Cards to support a number of services including customized library searches, access to training resources, registration for conferences, and use of medical research wikis, all with strong privacy protections.

Dr. Jack Jones, NIH CIO and Acting Director, CIT, notes, “As a world leader in science and research, NIH is pleased to participate in this next step for promoting collaboration among Assurance Level 1 applications. Initially, the NIH Single Sign-on service will accept credentials as part of an “Open For Testing” phase, with full production expected within the next several weeks. At that time, OpenID credentials will join those currently in use from InCommon, the higher education identity management federation, as external credentials trusted by NIH.”

In digital identity systems, certification programs that enable a site — such as a government agency — to trust the identity, security, and privacy assurances from an identity provider are called trust frameworks. The OIDF and ICF have worked closely with the federal government to meet the security, privacy, and reliability requirements set forth by the ICAM Trust Framework Adoption Process (TFAP), published on the IDManagement.gov website. By adopting OpenID and Information Card technologies, government agencies can cost effectively serve their constituencies in a more personalized and user friendly way.

“It’s good to see government taking a leadership role in moving identity technology forward. It’s also good to see government working with experts from private sector and especially with the Information Card Foundation and the OpenID Foundation because identity is not a technical phenomenon — it’s a social phenomenon. And technological support for identity requires the participation of a broad community and of representatives of government who define the legal framework within which identity will operate,” said Bob Blakley, Vice President and Research Director, Identity and Privacy Strategies, Burton Group. “Today’s announcement supplies the most important missing ingredient of the open identity infrastructure, mainly the trust framework. Without a trust framework it’s impossible to know whether a received identity is reliable.”

Under the OIDF and ICF’s open trust frameworks, any organization that meets the technical and operational requirements of the framework will be able to apply for certification as an identity provider (IdP). These IdPs can then supply authentication credentials on behalf of their users. For some activities these credentials will enable the user to be completely anonymous; for others they may require personal information such as name, email address, age, gender, and so on. Open trust frameworks enable citizens to choose the identity technology, identity provider, and credential with which they are most comfortable, while enabling government websites to accept and trust these credentials. This approach leads to better innovation and lower costs for both government and citizens.

“Open government cannot and will not compromise either security or privacy,” said Drummond Reed, Executive Director of the Information Card Foundation. “By working with private industry, the U.S. government is harnessing the innovation and efficiencies of the open market and letting citizens choose their preferred means of engaging with government agencies.”

“This is a significant leap in participatory democracy,” said Don Thibeau, executive director of the OpenID Foundation. “Following President Obama’s directive, our government has worked with market leading companies to leverage modern, open standards to engage with its citizens. When the government adopts open identity standards and trust frameworks, the result is better service, more transparency, and greater accountability.”

· · ·

Industry Leaders Weigh in on the Open Identity for Open Government Initiative

“The joint work between the US Government, OpenID Foundation, and Information Card Foundation to enable the use of commercial identities on government web sites is groundbreaking,” said Kim Cameron, Microsoft’s Chief Identity Architect. “These pilot projects will provide invaluable insights about how these systems are actually used in practice, enabling people to build upon this seminal work both for government and private sector sites, further extending the reach of interoperable Internet identity.”

“Information Cards and OpenID technologies have the potential to improve consumer experiences online tremendously,” said Michael Barrett, Chief Information Security Officer for PayPal. “As an identity provider, we believe that this technology has enormous potential to improve the safety of Internet commerce.”

“The ability to enable individualized interaction through tools and technologies that citizens use every day represents a tremendous opportunity for federal agencies with citizen-facing missions,” said Lloyd Howell, Sr. Vice President of Booz Allen Hamilton. “Because this Trust Framework can be applied with a common experience across all federal websites, every agency can take advantage of this approach to improve operational effectiveness and reduce costs.”

“Equifax brings unmatched expertise in identity management and verification to the open trust framework initiative,” said Ron Carpinella, vice president of Identity Management, Equifax. “The opportunity to deliver our proven technology and its privacy features to the government sector is truly exciting. This pilot program is the catalyst that will enable better, more secure, and user-centric capabilities in government and industry digital services.”

“Open standards like OpenID create a better Internet for everyone. As the largest single provider of OpenID accounts, Yahoo! is eager to pave the way for further OpenID adoption. That is why Yahoo! has led the effort to make OpenID easy to use and understand for consumers around the world. And by meeting the government’s standards for security and reliability, we believe OpenID will continue to be the most convenient and trustworthy open identity standard on the Web.” said Allen Tom, Membership Architect, Yahoo!.

“VeriSign is excited to be a part of the U.S. Government’s initiative to further President Obama’s call for a more open and participatory government,” said Nicolas Popp, vice president of Innovation at VeriSign. “Based on our experience with bringing trust to the Internet, we look forward to playing a role in the development of an identity trust framework that will enable citizens to communicate with the government openly with confidence.”

“AOL has always focused on helping consumers get safe and easy access to the content and services they want online. That’s why we’re proud to be part of the government’s pilot program to allow citizens to access government websites using identities they already own. As an early supporter of OpenID, we recognize the tremendous value this service can offer consumers and applaud the government for its vision,” says George Fletcher, Chief Architect for Identity Services at AOL.

“As a champion of consumer privacy and a long-time provider of identity management, we at Acxiom are privileged to provide identity technologies to this effort,” said Tim Christin, senior vice president of Acxiom’s Identity Solutions group. “U.S. citizens can now be assured an easier and safer Internet experience with the government. ”

“It’s exciting to see the United States government embracing innovative web-based technologies to serve its citizens in a more convenient, secure, and personalized way,” said Brian Kissel, CEO of JanRain and Chairman of the OpenID Foundation. “This further validates the broad range of applications and market segments where OpenID is having a positive impact on users’ web experiences.”

“The open identity initiative illustrates how identity technologies have moved beyond theory to solve real-world challenges and highlights the potential for opportunities in the private, as well as the public sector,” noted Jeff Carter, CEO of Azigo. “Hosted Information Cards let web sites issue Information Cards quickly and easily — a key step forward for the future of digital identities.”

“Open Government represents a significant step forward in modernizing our nation’s democratic system.” said Patrick Harding, CTO of Ping Identity and ICF board member. “We are thrilled to be involved in establishing the Internet identity security and privacy standards necessary to ensuring the long term success of using 2.0 innovations to improve governmental transparency and encourage citizen involvement.”

“Citi is a huge proponent of driving alignment within the public sector to collaborate in the development of accepted standards that promote interoperability for common processes.” says Hilary L. Ward, Director, Identity Business Manger, Citi. “We are excited to be a part of this initiative and being able to bring our innovation and expertise to this program. This is a tremendous first step in creating a broader identity and trust framework that can work across applications, communities and borders to the benefit of citizens everywhere.”

“Privo is pleased to be an identity provider under the open trust frameworks to support access by any citizen who desires to interact with participating government sites, while still protecting their identity,” said Denise Tayloe, Founder, President and Chief Executive Officer of Privo. “We see tremendous parallels between the work we do with children and parents to verify and protect their identities using our existing, and available, Identity Card technology and the work the government is doing to interact with its citizens in a safe online environment.”

“Opening the U.S. government to direct citizen involvement using OpenID and Information Card identities is a major step for the trust fabric of the Internet”, said Steven Sprague, President and CEO, Wave Systems Corp. “Wave is innovating ways for both these technologies to take advantage of trusted computing infrastructure so OpenID and Information Card users can enjoy unparalleled access and interaction with government websites with maximum security and privacy.”

“Interoperable and trusted identities are foundations to building a smarter planet that includes the systems that run, the way we live and work as a society. In order to build such a smarter planet, it is important for governments, communities and industries to work together in building a smarter planet.” said Nataraj Nagaratnam, IBM’s Chief Identity Architect. “This initiative around pilot projects that bring these three groups together is a significant milestone in the journey of identity metasystem, and in the evolution of open, interoperable identities”

“The US Government taking real steps to adopt open technologies has the potential to enhance and simplify citizen engagement,” said Chris Messina, an advocate of open technologies and CEO of Citizen Agency, LLC. “This effort sets in motion a shift in how individuals can interact with the public sector and makes progress on the Obama administration’s promise for a more open, transparent, and participatory government.”

“Information Card technology and OpenID specifications have co-evolved at the Internet Identity Workshop since 2005. The launch of this open trust framework is an exciting major development in the evolution of an open identity layer for the Web,” said Kaliya Hamlin of Identitywoman.net and co-producer and facilitator of the Internet Identity Workshop.

“The synchronicity between the U.S. and Japanese government is quite interesting,” said Nat Sakimura, Senior Researcher at Nomura Research Institute, Ltd. “The Japanese government is going forward with DigitalCivil Life Project that also embraces open identity systems and trust frameworks. We believe they are showing the changing tide towards more open and citizen centric government throughout the world. Today’s announcement by the U.S. government is an important step towards it.”

Media Contact:
Liz O’Donnell
617-365-7172
Liz3point0@aol.com

Chris Messina: Words and actions

Mon, 07 Sep 2009 17:24:47 +0000

Original by Jessica Hagy (@jessicahagy). She has a whole book of these called Indexed.

Johannes Ernst: Don Hinchcliffe Thinks The Plumbing Is Called the “Web OS”

Mon, 07 Sep 2009 05:25:43 +0000

Don Hinchcliffe has an interesting graphic in a recent post on ZDNet:

Some people have commented that it’s all buzzwords, and of course it is. But there is value in just collecting all the buzzwords that are relevant at the current time, and attempt to integrate them into something we can all get our arms around.

Most of these buzzwords are what I called plumbing, and he identifies a bunch more, plus some non-technical components that also could go into the soup. He calls the soup the “Web OS”.

Stuff for thought, at least for me. Because all of this together is definitely closer to a “house” (that mere mortals might want to buy) than “plumbing” (which is for plumbers/techies only).

Johannes Ernst: RSS Has Just Become Plumbing, It’s Not Dead

Fri, 04 Sep 2009 22:33:50 +0000

Some arguments in the blogosphere whether “RSS is Dead” or not. Fred Wilson, as usual, makes the correct observation that:

But RSS is way more than the readers it spawned. It is a fundamental part of the Internet architecture and is used for all sorts of things. It’s the subscribe system of the internet and a ‘default function’ in the Internet operating system…

Quoting Kid Mercury, he continues:

i think the problem stems from the fact that the geeks embraced RSS and thought it would be a consumer technology. but alas, it was not meant to be.

Which is exactly my argument about plumbing from a couple of weeks ago. It’s interesting that Fred seems to think the ultimate product containing all that plumbing is the “Internet operating system”.

It’s close to the concept of a “web operating system” that Chris Messina and I were discussing recently, which was the conversation that prompted me to write about plumbing in the first place.

Carsten Potter: OpenID Logins Take too Long

Wed, 02 Sep 2009 13:37:03 +0000

Sometimes it’s difficult to sell OpenID to new users. When people ask about it, I usually praise one aspect of the protocol: the ease of login to websites with an identifier people know and use regularly, e.g. their blog URL. This is an obvious benefit which people are able to understand. Also it’s a fast way to log in to websites. At least, that’s what I thought so far. Though I’m not sure anymore.

When German service Yiid implemented JanRain’s RPX a couple of weeks ago, I fiddled about with it a little while, especially with the various ways of login to Yiid. For those who don’t know, RPX manages logins and authentication for Relying Parties. Users can easily click on the button of a familiar identity provider (Google, Yahoo!, Twitter, Facebook,…) to log in to websites. OpenID is another available option.

So apart from the usual username and password Yiid offers a couple more options to log in now. The login screen looks like this:

On the left side you see the RPX logins, on the right side the username/password login box. As you can also see, the latter login box is pre-filled with my username and password already. I saved these details in Safari before. Also I associated the various available options of RPX with Yiid before and logged in to those services.

Now what’s the fastest way to log in to Yiid?

Username and password: 1 click
Google: 1 click
Twitter: 1 click
Live ID: 1 click
Facebook: 1 click
MySpace: 2 clicks

For MySpace there is another click required (see below). I don’t know why, though.

So what’s up with my OpenID, my blog URL? Well, I have to click the OpenID button, then I have to type in the URL of my blog and click the Anmelden (=Sign in) button.

Oops, that definitely takes some time. It’s the slowest one of all options available.

Of course, things looked a little bit different if I were not logged in to the various identity services before. Then I had to log in to them during authentication. But the same applied to OpenID.

The fastest way to log in is username and password if the credentials are saved either in the browser or in a password manager like 1Password. Oddly, the username/password side of Yiid also loads way faster than the RPX one. I would have clicked login with username and password long before RPX is even loaded.
If people don’t use those features or apps described above login takes longer, of course. But OpenID was still the slowest option (typing in the URL, clicking sign in button, logging in to OpenID Provider, clicking button).

So my “selling” point of fast logins with my own URL is none anymore. There are still other benefits of OpenID, of course, like signing up to new services, being in control of the URL and many more which have to be considered when choosing the right option for oneself.
Also I have to mention that OpenID is also the technology used for the Google and MySpace logins. But still.

Is there a way that the OpenID login boxes can be pre-filled with the correct URL? Can it be saved by browsers or password managers? Would be great!

Johannes Ernst: OpenID Built In Google Chrome OS?

Wed, 02 Sep 2009 04:49:50 +0000

ReadWriteWeb speculates that “Google Chrome OS [will] Feature Single Sign-On for Chrome Browser”. They cite some evidence in the source code. Some excerpts of the post:

In the code, a line references something being called the “Chrome OS login manager.” Essentially, this login manager will function as a single sign-on (SSO) cookie which will simultaneously log you into all Google services including things like Gmail, Calendar, Docs, Reader, etc…

That’s as much as we know for sure, but what is not clear is exactly how this SSO option will be presented to the user. We wouldn’t be a bit surprised to see you logging into your computer with your Google account the way you log into your Mac or Windows PC using a set of credentials you create during the setup process. However, in Google’s case, it’s easy to imagine a more web service like prompt on the login screen. For example: “Create a Google account” / “Already have a Google account? Sign in here.” Perhaps there will even be a “Remember Me” option so you don’t have to log in again, you just flip the netbook’s lid open. Of course that’s all speculation, but it seems logical.

Well, if this turned out to be true, this would be a major, major win for OpenID and the entire internet identity movement. Because guess what all the other browser manufacturers will do? Feature parity. It always works that way. And if implemented well, most criticisms of OpenID will have a chance to fall by the way side.

Even if Google’s browser implemented a clear preference towards Google as identity provider, as ReadWriteWeb thinks, at least some of the other browsers won’t, for competitive reasons, and feature parity works the other way, too.

Some years down the future in the best case, however. Unfortuately.

Martin Atkins: First Draft of Atom Cross-posting Extension

Mon, 31 Aug 2009 04:14:53 +0000

I wrote up a first draft of an Atom extension for declaring cross-posting duplicates. It defines both a way for the primary version to declare the duplicates and a way for the duplicates to declare the primary version.

In practice it's very unlikely that the duplicates will declare the primary version, because most of the time they don't know they're duplicates and even if they did they probably wouldn't want to admit to being "just a copy". But I hope that publishers that create cross-post duplicates will see the benefit in declaring these in the feed to improve the usability of the feed when it's consumed into a multi-feed aggregator such as FriendFeed or MT Action Streams.

Martin Atkins: An Atom extension for declaring cross-post dupes

Sun, 30 Aug 2009 07:06:56 +0000

It's becoming increasingly common for content-publishing applications to include a feature where they'll duplicate (in some sense) the content a user creates on other services such as Twitter or Facebook.

Unfortunately, this has the unfortunate side-effect that multi-feed aggregators cannot easily detect this and often end up showing the same content more than once.

However, I think we can go some way towards a technical solution to this problem without trying to boil the ocean and stop people cross-posting: have the publisher that's creating the duplicate content declare that it has done so in its feeds.

What does this look like? It feels like this just takes one very simple extension element with the same attributes as the in-reply-to element introduced by Atom Threading Extensions: a ref attribute giving the id of the duplicate entry, and a type,href pair linking to a representation of the duplicate entry. For example:

<crosspost:dupe
    ref="http://twitter.com/apparentlymart/statuses/3641424947"
    href="http://twitter.com/apparentlymart/statuses/3641424947"
    type="text/html"
/>

This alone isn't enough to do the de-duping, since we can't trust publishers not to lie about what's a duplicate, but in an application such as FriendFeed or MT Action Streams where a user has configured a list of feeds to import it is easier to assume that all of the referenced feeds are trustworthy in the context of that user: if I've got both my notes blog and Twitter both added to MT Action Streams and the notes blog declares a Twitter entry from my account as a duplicate it's fair to assume that it is indeed a duplicate.

This is not a complete solution, since it is possible that I've cross-posted to both Twitter and Facebook and you consume those two feeds but not the "origin" feed; however, I think this is a step in the right direction and solves the immediate problem at hand. It would be nice if the services that tend to receive these duplicates would extend their APIs such that publishers can declare that they're posting a dupe and so the receiving service can create a reverse-dupe element, but that's not something we can bootstrap so easily today.

I'm interested to see if any providers who offer the functionality to duplicate their content on Twitter and/or Facebook would be willing to work on this. It ought to be a reasonably easy, tightly-scoped specification and should not be a burden for implementers as long as they know how to form an Atom id (or RSS equivalent) for the services they publish to based on a service-local id returned from the API.

Johannes Ernst: If the Open Stack Is Mere Plumbing: The Plumbing Of What?

Fri, 28 Aug 2009 17:40:08 +0000

People don’t buy plumbing, they buy a nice house that happens to include plumbing (otherwise it wouldn’t be a nice house).

So if OpenID and all the other members of the “Open Stack” are mere plumbing, as I have come to believe, they are the plumbing of what? What is the equivalent of the house here, i.e. the thing that people buy or want?

It could be the plumbing of the internet. Like HTTP, TCP/IP, DNS and so forth. But I think that misses the picture: stovepipe sites work just fine on the internet without these new technologies.

It could be the plumbing of what some people now call the “social web”. Perhaps, but I have to admit I have a hard time believing that anybody will go out and want to acquire “the social web” like they would acquire a house. It’s even easier to say “I’m going to get an OpenID today” than it is to say “I’m going to get the social web today”.

I think that “what” is the big elephant that has been in the room since the very first identity discussion that I participated in so many years ago.

That is what we need to figure out, as a budding industry, more than anything. Plumbers have no business, and plumbing supply stores have no customers, unless there are houses and people want to buy them.

I do have some opinions … some other day.

Kaliya Hamlin: IIW IX is open for business

Thu, 27 Aug 2009 23:09:43 +0000

Internet Identity Workshop number 9 is coming up in about 10 weeks. November 3-5 (Tuesday to Thursday) in Mountain View California at the Computer History Museum.

We are excited about all the developments in the industry with protocol evolution in the social web space AND larger and larger scale deployments of open identity technologies including OpenID and Information Cards.

There will be much to talk about at this fall’s event.

Early REGISTRATION is Open! UNTIL SEPTEMBER 16 then prices go up by $50-75

Early Bird Prices are….

$274 regular tickets
$148 for independents
$ 50 for students

We need to get 75 people registered by September 16 to make a final confirmation for our conference space at the Computer History Museum.

Special this year we have the “BIG” ticket for those can expense $998 (but can’t convince marketing to sponsor). This is a GREAT way to support IIW!

IIW is a completely community driven event – we don’t pay anyone for marketing – the community is our marketing.

Please put our LOGO ON our blog our WEBSITE.

Follow IIW on Twitter – @idworkshop

SPONSORSHIP OPPORTUNITIES ARE STILL AVAILABLE!!! Please contact Phil if you are interested in learning more phil@windley.org

JOIN THE COMMUNITY MAILING LIST

THE INVITATION TO IIW!

The Internet Identity Workshop focuses on “user-centric identity” and netizen empowerment on the social web trying to solve the technical challenge of how people can manage their own identity and social activity across the range of websites, services, companies and organizations that they belong to, purchase from and participate with.

This is where everyone from a diverse range of projects doing the real-work of making this vision happen gather and work intensively for three days. It is the best place to meet and participate with all the key people and projects. This is a comprehensive list of the technology communities that are covered.

The event does not have a pre-set agenda instead as people register they are asked what they would like to present about, learn and discuss with peers/industry experts. These are all collected here . The first morning of the conference will be introductory orientation about key projects and technologies in the community. After that the community creates the agenda itself using the Open Space Method. Dinner both Tuesday and Wednesday are a big part of the conference.

Here are links to notes that cover most of the sessions from the last two conferences IIW #8 spring of 2009 IIW #7 fall of 2008

These documents are great resources for convincing your boss of the value of this event.

The heart of the workshop is a practical idealism in working towards the shared vision of a decentralized, user-oriented identity layer for the Internet.

Because the web was built around “pages”, no tools or standards were created to control how the information about you was collected or used. At the Internet Identity Workshop we bring the people creating these tools and standards so people can safely manage their online identity and control their personal data.

It is not about any one technology – rather it is a place to discuss multiple interoperating (and possible competing) projects, standards, and networks for identity, data sharing, and reputation.

As part of Identity Commons, the Internet Identity Workshop creates opportunities for both innovators and competitors. We provide an open forum for both the big guys and the small fry to come together in a safe and balanced space.

There are a wide range of projects in the community:

Open conceptual, community, and governance models.
Open standards and protocols.
Open source projects.
Commercial projects.
Projects to address social and legal implications of these technologies.
Efforts to rethink the business models and opportunities available with these new technologies.

User-centric identity is the ability:

To use one’s identifier(s) on more than one site
To control who sees what information about you
To selectively share presence and profile information
To maintain multiple identities and personas in the contexts you wish
To aggregate attention, navigation, and purchase history from the sites and communities you frequent
To move and share your personal data, relationships, documents, and other publications as you wish

All of the following are active topic areas at each IIW:

Improving Existing Legal Constructs Privacy Policies Terms of Service
Creating New Legal Constructs – Limited Liability Personas, Identity Rights Agreements
Creating New Business Models – Identity Oracle, I-Brokers
New Citizenship Perspectives – Activism Community, Event Coordination, Community Identity and Data Sharing

The Internet Identity Workshop (IIW) was founded in the fall of 2005 by Phil Windley, Doc Searls and Kaliya Hamlin. IIW is a working group of Identity Commons The event has been a leading space of innovation and collaboration amongst the diverse community working on user-centric identity.

Johannes Ernst: Internet Identity Workshop November 3-5, 2009

Thu, 27 Aug 2009 16:44:40 +0000

This time, they moved the second IIW of the year forward to November. As usually, it will probably be worth it.

I’m registered.

Time: Tuesday, November 03, 2009 at 9:00 AM - Thursday, November 05, 2009 at 5:00 PM
Location: Computer History Museum, Mountain View, CA

Chris Messina: Losing my religion

Thu, 27 Aug 2009 04:22:23 +0000

Last January, writing on the problem of open source design, I said:

I’ve probably said it before, and will say it again, and I’m also sure that I’m not the first, or the last to make this point, but I have yet to see an example of an open source design process that has worked.

Indeed, I’d go so far as to wager that “open source design” is an oxymoron. Design is far too personal, and too subjective, to be given over to the whims and outrageous fancies of anyone with eyeballs in their head.

Lately, I’m feeling the acute reality of this sentiment.

In 2005, I wrote about how I wanted to take an “open source” approach to the design of Flock by posting my mockups to Flickr and soliciting feedback. But that’s more about transparency than “open source”. And I think there’s a big difference between the two that’s often missed, forgotten or ignored altogether: one refers to process, the other refers to governance.

Design can be executed using secretive or transparent processes; it really can’t be “open” because it can’t be evaluated in same way “open source” projects evaluate contributions, where solutions compete on the basis of meritocratic and objective measures. Design is sublime, primal, and intuitive and needs consistency to succeed. Open source code, in contrast, can have many authors and be improved incrementally. Design — visual, interactive or conceptual — requires unity; piecemeal solutions feel disjointed, uncomfortable and obvious when end up in shipping product.

Luke Wroblewski is an interaction designer. He recently made an observation about “openness” that really resonated with me:

I read this quote last week and realized it is symptomatic of a common assertion that in technology (and especially the Web) “completely open” is better than “controlled”.

“But we’ll all know exactly where Apple stands – jealously guarding control of their users [...] And that’s not what Apple should be about.” -TechCrunch

Sorry but Apple makes their entire living by tightly controlling the experience of their customers. It’s why everyone praises their designs. From top to bottom, hardware to software -you get an integrated experience. Without this control, Apple could not be what it is today.

He followed up with a post on Facebook’s design process today that I also found exceedingly compelling.

I worry about Mozilla in this respect — and all open source projects that cater to the visible and vocal, ignoring the silent or unengaged majority.

I worry about OpenID similarly — an initiative that will be essential for the future of the social web and yet is hampered by user experience issues because of an attachment to fleeting principles like “freedom” and “individual choice”. Sigh.

I’m not alone in these concerns.

When it comes to open source and design, design — and human factors, more generally — cannot play second fiddle to engineering. But far too often it seems that that’s the case.

And it shouldn’t be.

More often there should be a design dictator that enters into a situation, takes stock of the set of problems that people (read: end users) are facing, and then addresses them through observation, skill, intuition, and drive. You can evaluate their output with surveys, heuristics, and user studies, but without their vision, execution, and insane devotion to see through making it happen, you’ll never see shit get done right.

As Luke says, Most people out there prefer a great experience over complete openness.

I concur. And I think it’s critical that “open source” advocates (myself included) keep that at top of mind.

. . .

I will say this: I’m an advocate for open source and open standards because I believe that open ecosystems — i.e. those with low barriers to entry (low startup costs; low friction to launch; public infrastructure for sustaining productivity) — are essential for competition at the level of user experience.

It may seem paradoxical, but open systems in which secretive design processes are used can result in better solutions, overall.

Thus when I talk about openness, I really mean openness from an economic/competitive perspective.

. . .

Early today I needed access to a client’s internal wiki. Having gone without access for a week, I decided to toss up a project on Basecamp to get things started.

When I presented my solution to the team, I was told that we needed to use something open source that could be hosted on their servers. Somewhat taken aback, I suggested Basecamp was the best tool for the job given our approaching deadline..

“No, no, that won’t do,” was the message I got. “Has to be open source. Self-hosted.”

I asked them for alternatives. “PHProjekt“. Double Choco Latte. I proposed Open Atrium.

Once again, as seems all too common lately, more time was devoted to picking a tool rather than producing solutions. More meta than meat. Worst of all, religion was in the driver’s seat, rather than reality. Where was that open source pragmatism I’d heard so much about?

Anyway, not how I want to begin a design process.

Ultimately, I got the access I needed — to MediaWiki. So, warts and all, we’ll be using that to collaborate. On a closed intranet.

In the back of my head, I can’t help but fear that the tools used for design collaboration bleed into the output. To my eyes, MediaWiki isn’t a flavor that I want stirred into the pot. And it begs the question once and for all: what good can “open source” bring to design if the only result is the product of committee dictate?

Johannes Ernst: The Open Stack or Mere Plumbing?

Thu, 27 Aug 2009 00:41:58 +0000

So what exactly are we all building here?

OpenID?

OpenID plus OAuth plus Yadis/XRD(S) plus Portable Contacts plus OpenSocial plus activity streams? That’s a handful, so some have been calling it the “Open Stack“. Is that what we are building?

But what about RSS (and syndication in general), iCal feeds, widgets, mash-ups and so forth? They go beyond the “Open Stack” but clearly relate somehow.

Today’s insight: they are all internet plumbing and that’s why they all don’t matter in the end.

None of them matters to the end user, just like nobody cares about the plumbing for a faucet vs. one for a sink. Except for the plumbers, of course, who cannot understand why the world doesn’t passionately want the latest and coolest pipe fitting underneath their sink.

Ever been at the receiving end of a pitch by a plumbing supply salesman? Being plumbing supply salesmen is exactly what we are doing when we are out there pitching all these acronyms.

So instead of calling them Open Stack or any other fancy kind of name, let’s call them all what they are: plumbing. Necessary, but fundamentally boring to almost everybody.

The question becomes this: a lot of plumbing supply companies are rather successful businesses, and high-priced plumbing supplies do indeed sell. What is it that these guys know that we OpenID / Open Stack guys don’t?

Chris Messina: Joe Hewitt on the App Store

Tue, 25 Aug 2009 17:22:58 +0000

Echoing some of my own sentiments about the App Store compared to the web as distribution channels, Joe Hewitt — developer of Firebug (Firefox before that), the Facebook iPhone app and countless developer essentials — writes:

I’d like to add my voice to the stream of complaints about the iPhone App Store, but before I say anything critical, I have to promise one thing. No matter how annoyed I get, I will not stop developing for Apple’s platforms or using Apple’s products as long as they continue to produce the best stuff on the market. I never forget how deeply Apple cares about making their users happy, and that counts more than how they treat their developers. Besides, when I have a problem with a friend, I don’t threaten to boycott our friendship until they change, so I’m not going to do that to Apple either.

Having said that, I have only one major complaint with the App Store, and I can state it quite simply: the review process needs to be eliminated completely.

Does that sound scary to you, imagining a world in which any developer can just publish an app to your little touch screen computer without Apple’s saintly reviewers scrubbing it of all evil first? Well, it shouldn’t, because there is this thing called the World Wide Web which already works that way, and it has served millions and millions of people quite well for a long time now.

He goes on to discuss the gargantuan task of having to effectively evaluate the thousands of apps that are submitted each week to the App Store — pointing out that the app developers themselves would be more effective at diagnosing and remedying bugs than the Apple reviewers. He suggests that the review process is really in place to ensure agreement with Apple’s terms of service, rather than to benefit the end user, a point he makes in series of tweets (best read bottom to top):

He concludes his post thus:

If you think that all apps should be held prisoner by Apple until proven safe, you should also be able to convince yourself that this is how the web should work. Perhaps I am just spoiled by my many years of web development. The next time I create a web app I will probably feel a little guilty when I upload the files to my web server, knowing that I didn’t have to ask the web police to review the app first to make sure I wasn’t evil.

Given that Joe works at Facebook and Facebook just hired David Recordon, it’s interesting to watch how Facebook itself wrestles with the yin-yang of the open versus closed models of innovation and design, at times at polar opposite ends of the same spectrum. Facebook has assembled a tream of really smart people to lead their platform efforts — many of whom have worked on open source projects in the past (Joe, Mike Schroepfer and Blake Ross all worked on Firefox, to name a few). Meanwhile, my good friend and Facebook platform manager, Dave Morin, hails from Apple — and the Jobsonian influence runs deep in him.

You can see the push-and-pull of these influences throughout Facebook platform its products.

On the one hand, Facebook talks about itself as though it were an “open source” company — bringing light to the dark realm of social software. On the other, Facebook Connect prioritizes a singular user experience that eliminates choice in order to achieve user acceptance and familiarity.

That kind of challenge — balancing openness, freedom, and choice with convenience, accessibility and visionary design — is a tension that I think leads to great products. Tipping the balance too far in any particular direction can lead to distortions, especially when caused by priorities that are not intrinsically aimed at enhancing the user experience but instead stem from a fear of openness or, as I like to say, embracing the chaos.

Apple is in the center of an increasingly volatile vortex. They have built an incredibly valuable platform and everyone wants a piece, but in putting themselves in between developers and their customers, Apple is taking on a role it is simply ill-equipped for, and one that increasingly makes it look like a bad guy, in spite of the love that most people otherwise feel for the company.

It’s one thing for AT&T to be hated — it’s practically a given. But for Apple to become the butt end of developer complaints is an awkward and unfortunate position that it can’t enjoy. I think Joe Hewitt’s right, and I think it’s time Apple seriously considered the damage being caused by a process that was likely instituted to prevent a different kind of damage — one that, in comparison, seems somewhat irrelevant given Facebook’s experiment — and ongoing success — at implementing a resilient trust-first platform.

Chris Messina: David Recordon joins Facebook

Tue, 25 Aug 2009 04:53:52 +0000

Cats outta the bag now (thanks to @joshelman), but my collaborator and friend David Recordon has left Six Apart (for the second time — after leaving VeriSign almost exactly two years ago) and has joined Facebook.

Facebook is on a tear lately, hiring a number of smart, energetic and most of all — hungry — folks.

Recordon is only the latest in a series of hires, and in the mix, I expect that he’ll continue doing the good work he’s been doing during his time at Six Apart.

Dave and I have helped put on an occasionally-neglected show for the past year called TheSocialWeb.tv with Joseph Smarr and John McCrea. Notably we started the show in July 2008 with an episode on Facebook’s refusal to share the contact information of Robert Scoble’s friends (so-called “Scoblegate”). It seems fitting that after much work opening up Facebook over the past year (Zuckerberg has said that 2009 is an important strategic year for Facebook Connect and Platform) that Dave would join as their Senior Open Programs Manager.

Then again, maybe Facebook felt particularly fond of his statement in March on O’Reilly Radar that Facebook will become the most open social network on the social web.

I tend to agree — though that reality will only come true if Facebook manages to continue to churn the soil of a generation more open than any that has come before. Of course, given that Recordon was born in 1986, I think he’s on the cusp of the generation BF and AF: Before Facebook and After Facebook.

Here’s looking to good things — and maybe some sexier slides the next time we put on a workshop together.

David Recordon: Status Update: David is...

Tue, 25 Aug 2009 00:22:14 +0000

So yeah, it's true. Next week I'm excited to join Facebook's engineering team as the Senior Open Programs Manager and will continue focusing on open source and open standards. I haven't started yet, so I'll keep it light on the details until I've really started to dig in.

Two years ago when I re-joined Six Apart, I did so out of an interest in evolving social networking technologies along with brad and we – along with many others – have made an amazing amount of progress. This was my second time working at Six Apart and I'm sad to leave; they're a great bunch of people with some awesome stuff coming.

This past year as I've worked closer with teams at Facebook, I've been impressed by their products, smart people, and innovation. I hope to continue building on my past experience in working on making the web more open and useful for everyone along with the great team at Facebook!

Chris Messina: “From the Trenches: The Social Web Workshop” coming to Europe in September

Sat, 22 Aug 2009 22:30:38 +0000

Late this September I’ll be traveling with Brynn to speak at a conference in Helsinki called MindTrek. I’m looking forward to this trip for several reasons, and one of them is that I’ll be putting on an independent workshop called “FROM THE TRENCHES: THE SOCIAL WEB WORKSHOP”.

The workshop will start with a synthesis of several of my past talks on the social web.

It’ll cover an abbreviated history of social networking as background for what’s happening now — and lead into a framework for understanding what’s about to happen on the web as it becomes more social based on identity, relationships, and activity streams.

From digital identity to social objects, I’ll dig deeper into emerging technologies like OpenID, OAuth, Portable Contacts, Activity Streams and microformats, and take a look at bleeding edge protocols like WebFinger and PubSubHubBub. I’ll also spend time with the OpenSocial and Facebook platforms.

And though the specific technologies are important, I do want to make sure that attendees leave with an integrated, holistic view of how the open social web operates, is changing, and how it can be used to reach a wider audience and enhance community engagement. I expect that that’s one of the things that will set this workshop apart — providing a more accessible approach to ideas that can sometimes seem obtuse or obscured by jargon or technical terms. Given my background in user experience design and various marketing projects, I’m quite confident that I’ll be able to offer a unique and accessible perspective backed up with real world experience.

The workshop will be held on September 30, from 9am to 4pm. Basic refreshments — coffee and snacks — will be provided. The exact location is still being worked out, but it will be somewhere convenient in Central Helsinki (the MindTrek conference is actually two hours away in Tempere).

I’m open to bringing the workshop elsewhere or taking it to private companies who are looking for a more intimate, personalized experience while I’m in Europe. If you’re interested or want to learn more, do contact me.

Johannes Ernst: Burton Group: Evaluate Identity Services Now

Wed, 19 Aug 2009 18:05:55 +0000

Bob Blakley at the Burton Group just published a report on “The Business of Identity Services”. He focuses on services at the identity provider side and outlines possible identity services businesses on the identity provider side in some detail.

It seems he is more optimistic about new identity services business opportunities than I am at this time.

He concludes:

Business opportunities for identity services providers are being created by the expansion of the
universe of identity requirements and by severe cost pressures arising from the recession that began in 2008. Identity services businesses have emerged in response to these opportunities, and more such businesses will continue to emerge in the coming few years. The time to start evaluating these services and judging their cost reduction potential and business risks is now.

Perhaps we don’t really disagree. After all, there is a big timing difference between enterprises starting to evaluate something (which is what he recommends at this time), and the time something actually is deployed (which is when there might actually be a business, which was the focus of my post).