Thursday, January 07, 2010

(3) comments

Google, OpenID and Chris Messina

Today's announcement that Chris Messina is joining Google is certainly good for Chris, probably good for Google - but what about the OpenID Foundation?

As of today, Google has 3 members of the Board of Directors, their corporate rep (Eric Sachs), and "community" reps Messina and Joseph Smarr. That's 3 out of the 19 board members.

I should note that Yahoo has two members, a corporate one (Raj Mata) and a community one (Allen Tom), as does Microsoft (Mike Jones and Dick Hardt).

I do think that any corporate member should be prohibited from also having employees hold community seats. Not that I have any indications that Messrs. Messina, Smarr, Hardt or Tom would vote against their own principles, but people's principles are influenced by those of the culture in which they perform their daily employment tasks.

Over and above that consideration, though, should be the desire to avoid even the appearance of a conflict of interest.

Maybe it's time the Foundation adopted a rule prohibiting such perceived conflict.

Tuesday, October 06, 2009

(0) comments

Is there a future for OpenID?

Johannes Ernst, one of the founders of OpenID (and the OpenID Foundation), has just posted a thought-provoking piece about the present state - and the future - of that protocol ("Is OpenID Still User-Centric?").

I've pointed out before the problems between the OpenID evangelists (typically folks who do their own implementations, support open source projects and bemoan corporate or commercial involvement) and the major web organizations (Google, Yahoo!, Microsoft, Facebook, et al) who have adapted OpenID to their own purposes.

This is the often unspoken but nevertheless almost inevitable path that any successful open source project follows.

Perhaps it's time to truly fork the project. Let the "big boys" continue on with their "NASCAR billboards", PKI and whatever other baggage they want to heap on top of the simple protocol. Let the open source evangelists take the simplicity that was OpenID 1.1 and re-style it to its original purpose - locking in the development stream so that the aggrandizement can't happen again. It's not too late, and the upcoming IIW would be a good place to talk about it.

Thursday, July 02, 2009

(0) comments

Snoopy Sears

World +dog seems to be cock-a-hoop over the new authentication that Sears has enabled, claiming OpenID is now accepted. Well, it is, but you'll only see it if you know it's there and go looking for it. First you'll be presented with a NASCAR box showing badges for Facebook, Yahoo, Google, Twitter, AOL and MySpace. Clicking on the [more] link gets you a choice of OpenID or Windows Live. But it isn't just authentication that Sears wants.

Click on the Facebook link, for example, and you see "Allowing access will let it pull your profile information, photos, your friends' info, and other content that it requires to work."

Click on the Twitter link and get: "The application by Sears would like the ability to access and update your data on Twitter."

Do I really want Sears to know who my friends are (and how to contact them)? Do I really want Sears to be able to update my Twitter data (whatever that is)?

Decidedly and emphatically, NO!

Some may think this is a step forward for OpenID, but it's not. It's a step back for privacy.

Thursday, June 04, 2009

(0) comments

Pre-selecting (is that like pre-boarding?)

Paul Trevithick has a good post today taking a look at the experience of a user who doesn't have an identity card selector installed (or, perhaps, has a selector - e.g., with IE - but no cards). Faced with a choice of the OpenID NASCAR billboard and the tiny purple Infocard logo, the user is more than likely to opt for a familiar logo in the OpenID display - if they even notice the tiny icon.

He goes on to suggest various behaviors for a mouseover event which would, at least, let the user know what the icon represented. He then offers a popover showing the logos of up to four "trusted" (by the RP, presumably) card issuers with the user able to click on one and be carried through the process of creating a card, downloading a selector (if needed) and then re-directed to the original site to complete the infocard authentication process.

Besides taking an inordinate amount of time (something internet users appear to not want to do), it places infocard relying parties on the slippery slope of favoring some card issuers over others leading to abusive behavior (charging for placement/positioning, blackballing, etc.).

Perhaps the ICF (Information Card Foundation) should consider issuing its own "super logo" which would present, on a rotating basis, all card issuers...

Monday, May 18, 2009

(0) comments

The Diamond Framework

Paul Trevithick has done us all a great service: he's provided a matrix of terms from the major authentication/identity systems making up what's loosely called "user-centric" identity and equated the varying terms (each identified with a letter) to facilitate conversations about the varying protocols, systems and technologies. A wonderful effort coming, as it does, on the opening day of the spring Internet Identity Workshop.

Would that, in this best of all possible worlds, the various evangelists for these systems could adopt Paul's terminology.

Sunday, September 21, 2008

(0) comments

Makes me look nice...

The Register's Ted Dziuba makes me look like a group-hugging flower-child with his latest story ("OpenSocial, OpenID, and Google Gears: Three technologies for history's dustbin"):

"What about OpenID, the best damned federated authentication scheme the world has ever seen, but nobody in the world can figure out how to use?"
"This situation gets really dangerous when you start to involve people from San Francisco. Every person who lives in San Francisco has the intention of starting a nonprofit organization of some sort. Therefore, if you collect a bunch of Web 2.0 engineers in San Francisco, the inevitable outcome is the OpenSocial Foundation: a nonprofit organization that only exists to support an API for programming social network applications."
Peace and love, children.

Wednesday, August 13, 2008

(2) comments

Cringe-inducing conversation UPDATE

In a story in Ars Technica Six Apart's Anil Dash is quoted as saying "...democratized identity management systems like Six Apart's own OpenID..."

What the heck is that??? Do all the 'citizens' get to vote on your identity, or on their own identity, or ???????

And who in their right mind could call OpenID an "identity management system"? It's, at best, an authentication system or, even better, a signon system. But there's little management of the identities involved.

And what's with the proprietorial phrase "Six Apart's own OpenID"?

It's possible (but not bloody likely) that Ars Technica got it wrong. Still, I'm waiting for Six Apart to issue a correction/clarification.

UPDATE: Anil is saying that Ars Technica got it wrong. That what he said was "decentralized" identity management. I'd still quibble about OpenID being called an ID Mgmt System, but at least that other weirdness appears to be cleared up.

Sunday, August 10, 2008

(0) comments

"We have met the enemy..."

OpenID's leading lights appear to be down on the technology, it seems. After last week's note about Dick Hardt's seemingly wistful look at OpenID (" wonders if the identity opportunities of OpenID have passed.") comes today's note from Scott Kveton (chair of the OpenID Foundation board). Reacting to Randy Stross' New York Times piece highly critical of OpenID, Kveton says: "The OpenID community has identified two key issues it needs to address in 2008 that Randy mentioned in his column; security and usability."

If usability is bad (and the discussions on the OpenID email discussion lists support that notion), and security is a problem - what, exactly, does it have going for it?

Is it, perhaps, time for the leading lights to move on to a user-centered technology which does show promise of being an identity provider that is very usable and also quite secure? As Mr. McGuire might have said to Ben in The Graduate:
Mr. McGuire: I just want to say one word to you - just one word.
Ben: Yes sir.
Mr. McGuire: Are you listening?
Ben: Yes I am.
Mr. McGuire: 'Zermatt.'
Ben: Exactly how do you mean?
Mr. McGuire: There's a great future in Zermatt.
Think about it.
Will you think about it?
Ben: Yes I will.
Mr. McGuire: Shh! Enough said. That's a deal.

Or, as Eddie said to Saffie: Just put me through to Zermatt!

Thursday, July 31, 2008

(1) comments

OpenID - the denouement?

There's been much agitation for Facebook to join the likes of MySpace and Yahoo! in the OpenID community. But when Facebook recently announced its "Connect" service (a service to port ID information among various web sites), without a link to OpenID, much angst was experienced in that vocal group of supporters of the open source identity protocol. In particular, Sxip's Dick Hardt - one of the co-founders of the OpenID Foundation - mused about the future of so-called "user-centric" identity. Earlier (in "Facebook Connect - fatal blow for OpenID?") Hardt said: "Given the momentum and immediate value of a Facebook identity system and the lack of OpenID RP deployment, one wonders if the identity opportunities of OpenID have passed."

Other co-founders (Johannes Ernst, David Recordon) tried (with smoke, mirrors and whistling in the dark) to refute Hardt but, in my opinion, failed miserably. OpenID is a victim of its own early success. Too many people, with too many conflicting agendas signed on in the hope of designing OpenID in their image. From the early fights over iNames through the querulous (and tedious) fights about Attribute Exchange, security and other aspects of a mature identity protocol there was resistance from the majority of the developer base who really only wanted an easy way to login to blogs. Nothing wrong with that. A simple, somewhat reliable way to ease the authentication process for blog comments while fending off robots and spammers is a worthy goal.

Perhaps this is the time for the visionaries within the OpenID community, those who have the vision of what a full-fledged open-source identity protocol should be, to bow out of that movement and form another one. Or, perhaps put their time and energy behind an existing movement such as the Bandit Project's DigitalME initiative. They could even create an STS (Security Token Service) to bridge OpenID and the InfoCard system so that they could be "true to their roots."

OpenID, it seems, is never going to be a secure, robust, full-featured identity system so let's stop pretending that it can be. Let it be what it is and let's move on.

Friday, March 28, 2008

(0) comments

Cardspace context UPDATE

Good post today ("No User Context Decisions in your Enterprise?") from Pam Dingle summarizing her panel at Brainshare (which I'm now sorry I missed). Cardspace and other user-centric ID schemes have a definite place in the enterprise, if only for the context-switching that Pamela outlines.

UPDATE: A video of the session ( with Pam Dingle, Patrick Harding, Kim Cameron and Dale Olds) has now been posted at the Bandit Project site.

We'll be exploring this same topic at the European Identity Conference when I host a panel of Dale Olds (Bandit Project), Johannes Ernst (OpenID) and Robin Wilton (Liberty Alliance) called "Putting Context in Identity: User-Centric Context." It's an area that will heat up in the near future...

Friday, February 15, 2008

(0) comments

Off Course-On Target

Wayne Hodgins' blog is called "Off Course-On Target" and subtitled "Where unexpected paths lead to great discoveries." Today he took a look at digital identity and fretted over the lack of uniform standards. But it's the analogy and stories Wayne tells - especially about how the shape of screw threads could have lost World War II for the allies - that make it such fascinating reading.

And the moral - perhaps best stated as "the perfect is the enemy of the good" - is something the entire IdM community should take to heart. Consensus and compromise should be our watchwords.

Tuesday, October 30, 2007

(0) comments

The Peter Principle of Protocols

A good post today from Eve Maler reminding us that it's not just people, and it's especially not just on-line people, that have identity issues.

"I realize that the description I’m after is more like 'human-centric identity'. It comes with both online and offline scenarios and still needs to allow for (real-time or not) informed consent and attribute exchange."
This might be a good time to, once again, plump for "persona" as the term for what many call "on-line identity" so that we can keep straight what a real identity is.

She also alludes to the fact that not all identity protocols need to be able to do everything.
There's still room for lightweight, on-line digital person identity systems (vide OpenID) to be used within limited situations. It's not a criticism of OpenID to suggest that it only be used in low-value transactions. What is wrong is to apply a sort of "Peter Principle of Protocols" to OpenID, extending the original Peter Principle (formulated by Laurence J. Peter almost 40 years ago) through the "Generalized Peter Principle" promulgated by Dr. William R. Corcoran: "anything that works will be used in progressively more challenging applications until it causes a disaster." Let's keep, and improve, OpenID for the things it does best. Let's not try to teach that pig to sing.

Wednesday, September 05, 2007

(1) comments

Sanity check for OpenID

Bob Blakley offers a wisp of sanity for the often cantankerous debate over the formats, uses, security and usefulness of OpenID. As he puts it, there are all sorts of answers flying about - but it might be best to first form the appropriate question! In his own words:

"What I’d really like to see, as a security guy, is a problem statement and a risk analysis. Specifically, before we start arguing about whether OpenID 2.0 is the answer, I’d like to know the following things about the question..."

In particular, Bob wants answers to these questions (and he goes on to elaborate on them):

1. What are the assets to be protected?
2. What are the services to be offered?
3. What quality of protection is claimed for these services?
4. What is the threat model?
5. What is the trust model?

Perhaps, before Digital ID World at the end of this month (and the accompanying Identity Open Space meeting), some folks will be prepared with cogent answers.

Saturday, August 25, 2007

(1) comments

Brands as medicine man

Stefan Brands recently did a hatchet job on OpenID which garnered quite a bit of comment. Now I'm not a big fan of OpenID, but somehow whenever Stefan makes that much effort to attack something I almost instinctively react to defend the thing he savages. In this case, though, his half-truths, omissions and over-simplifications are best handled by David Recordon in his response to the diatribe.

I only wish to point out Stefan's answer to Scott Kveton's posting which pointed to David's:

"OpenID to me is Web 2.0’s equivalent of green tea. I have nothing against green tea (I drink it from time to time), and in fact it is widely believed to have various positive health effects. Where things get dangerous is when green tea is seen as (let alone hyped as) the cure for all kinds of serious health conditions where people _really_ should visit a doctor. While green tea might have a positive effect for, say, cardiovascular disease, it would be irresponsible if not immoral if patients were led to believe that there is no need anymore for medication or surgery.

OpenID is currently being seen by various parties as a healthy foundation for much more serious identity and access management applications where a lot more is at stake than someone impersonating or tracking your blog comments. The recent announcement by Estonia IT folks that they are experimenting with tying OpenID into a national ID card scheme for Estonia is an example of this. Personally I find that a very worrisome trend. My colleagues and I have looked into OpenID, to see if we can combine our 'medical equipment' with your 'green tea,' but the two simply don’t mix."

The sarcasm here doesn't drip, it flows. But all it does is to paint Stefan (and his 'colleagues') as 18th century pseudo-scientific quacks railing against the "primitive" folk medicines brought back from the South American jungles, such as quinine. Stefan firmly believes that, no matter what the question may be, the answer is PKI. That is very dangerous thinking.


Tuesday, August 21, 2007

(0) comments

Yenta, the "social graph"

Brad Fitzpatrick & David Recordon have issued a manifesto called "Thoughts on the Social Graph," where that is defined as the global mapping of everybody and how they're related (see this Wikipedia entry for more detail).

Brad & David decry the effort needed to involve your friends, family, acquaintances, etc. in the activities presented by the Next Big Thing in social networks - whether that's aggregating current thoughts, current locations, current activities, etc. As they say, not only do you have to fill in all of your personal details at each new site:
"You also have to have usernames, passwords (or hopefully you use OpenID instead), a way to invite friends, add/remove friends, and the list goes on. So generally you have to ask for email addresses too, requiring you to send out address verification emails, etc. Then lost username/password emails. etc, etc. If I had to declare the problem statement succinctly, it'd be: People are getting sick of registering and re-declaring their friends on every site."

What they're proposing is a service (open source, at that):
"...which collects, merges, and redistributes the graphs from all other social network sites into one global aggregated graph. This is then made available to other sites (or users) via both public APIs (for small/casual users) and downloadable data dumps, with an update stream / APIs, to get iterative updates to the graph (for larger users)".

But, as I've said before, I don't want to aggregate every relationship I have. I especially don't want to aggregate them where the whole world (or even just that part I'm "related" to, i.e. all the members of my 'social graph') can see all of my relationships!

There's a reason why people create different personas for different on-line communities - they really do wish to keep parts of their life separate from other parts. Do I really want my children to know how I interact with my work-related friends? Do I want all of my clients to figure out who my other clients are? Do I really want the feds to be able to easily create a dossier of all my contacts? No. No. And, um, definitely no.

The portable relationship graph is a nice idea, but only when all parties to each relationship agree to the port.

Friday, August 17, 2007

(1) comments

Same old AOL

AOL finally delivered on their promise to support OpenID for authentication when they announced (on their developer's blog) a so-called "Status Update" on Tuesday. What the announcement did mostly, though, was to reinforce the belief that AOL hasn't changed since its America On-Line days - it still "doesn't get" the internet, and it still believes its customers are dumber than toast.

Evidently we're supposed to believe that AOL is some huge, decentralized group of fiefdoms which only give the nod to each other. Or, as the announcement put it: "We did finish the infrastructure work on the AOL login side, required to support 3rd party OpenID users to login into AOL, but being a pretty big company, we are struggling to get our Product teams to support it." Maybe, like any good ID management project, you should have gotten executive buy-in from the beginning! That's the best way to be sure priorities are set properly.

OpenID is intended to be ubiquitous, also. Just prove you control a URL and it becomes your identifier. Doesn't matter what the URL actually is. Unless you're AOL, of course. They will only accept OpenIDs from a "white list" of 10 providers. But, officially, "OpenID allows anyone who can run a web server to run an identity server. Your identity server is separate from your identity, so you are free to use any identity server that has some ability to validate your identity and you can change between them at will." There are over 100 listed at Evidently AOL just doesn't get it.

But evidently AOL does feel its customer base will only use an OpenID provider that gets its seal of approval by being included in the white list.

Ping Identity's Ashish Jain brought up the very real problem of scalability for white lists: "Given the distributed nature of the protocol, it doesn’t seem right for IdP/OPs and RPs to individually contact each other to maintain this list." He goes on to suggest that a reputation service would be a much better idea. It certainly deserves some further discussion.

On balance, I'd guess that AOL supporting at least some form of OpenID in at least a limited context is better than nothing, as long as it doesn't end there.
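If a relying party does decide to run a provider white list of the kind AOL describes, the security-relevant detail is what the list is checked against. The claimed identifier is just a URL the user controls; OpenID discovery on that URL is what yields the OP endpoint that will actually vouch for the user, and a claimed identifier can point at any OP. A list keyed on the identifier's domain therefore both rejects legitimate users of listed providers and accepts identifiers that merely look like they belong to a listed provider. The example below is added here and is not AOL's code or anything from the post; the provider hosts and the discovery results are constructed for illustration, and the `DISCOVERY` table stands in for the real discovery step.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist of OP domains (the page does not reproduce AOL's actual ten).
ALLOWED_OP_DOMAINS = frozenset({"provider-a.example", "provider-b.example"})

# Constructed stand-in for OpenID discovery: claimed identifier -> OP endpoint URL.
# In a real RP this comes from Yadis/XRDS or the HTML link tags on the identifier page.
DISCOVERY = {
    # A self-hosted identifier that delegates to a listed provider.
    "https://alice.example.org/": "https://openid.provider-a.example/server",
    # An identifier hosted under a listed provider's domain that delegates elsewhere.
    "https://bob.provider-a.example/": "https://openid.unlisted.example/auth",
}


def normalize_url(url: str) -> str:
    """Canonicalize a URL: lower-case scheme and host, drop default ports and
    fragments, default an empty path to '/'. Needed so that two spellings of
    the same endpoint compare equal."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    netloc = parts.hostname or ""  # urlsplit lower-cases the hostname
    port = parts.port
    default = (scheme == "https" and port == 443) or (scheme == "http" and port == 80)
    if port and not default:
        netloc = f"{netloc}:{port}"
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, ""))


def host_of(url: str) -> str:
    return urlsplit(normalize_url(url)).hostname or ""


def domain_allowed(host: str, allowed=ALLOWED_OP_DOMAINS) -> bool:
    """True if host is an allowed domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in allowed)


def naive_accepts(claimed_id: str) -> bool:
    """The wrong check: keys the white list on the claimed identifier's domain."""
    return domain_allowed(host_of(claimed_id))


def rp_accepts(claimed_id: str, discovery=DISCOVERY) -> bool:
    """The right check: run discovery, then key the white list on the OP
    endpoint that discovery produced."""
    op_endpoint = discovery.get(claimed_id)
    if op_endpoint is None:
        return False  # discovery failed; nothing to vouch for the identifier
    return domain_allowed(host_of(op_endpoint))


def assertion_matches_discovery(discovered_op: str, asserted_op: str) -> bool:
    """OpenID 2.0 RPs must also check that openid.op_endpoint in the positive
    assertion is the endpoint discovery found, so an allowlist decision made
    at discovery time cannot be bypassed by a response from another OP."""
    return normalize_url(discovered_op) == normalize_url(asserted_op)


if __name__ == "__main__":
    for cid in DISCOVERY:
        print(f"{cid}: naive={naive_accepts(cid)} correct={rp_accepts(cid)}")
```

Run as a script it shows the two cases diverging: the self-hosted identifier is wrongly rejected by the naive check and correctly accepted by the discovery-based one, while the identifier under a listed provider's domain is wrongly accepted by the naive check and correctly rejected once discovery shows an unlisted OP.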

Wednesday, March 07, 2007

(2) comments


The Burton Group's Mike Neuenschwander has posted a mild rant touched off by trying to bag memorable, unique - but recognizable as his - OpenIDs on various sites. He tells a good story before getting to his point, which he summarizes as: "There are no identifiers, only attributes."

Mike falls into the trap of the absolutist generalization (there's a lot of that going around, isn't there?). But he concentrates on your given name as an "identity":

"Names are slippery. Most people have many more than one legal name, none of which are unique. They also have several dozen nicknames. There’s no practical way to get any of these every-day-use names onto a global namespace. And what’s a name after all but a synthetic attribute—a foreign key that we hope the receiving party stores somewhere so we can remember them later? "

An "identifier" does need to be unique within a particular namespace. In a family, this is done through a combination of given names and nicknames. e.g., while my son was at home growing up, I was known as "Dave" and he was called "David". Outside of our immediate family, of course, ambiguity quickly cropped up. There's my nephew (his cousin) David Kearns, for example.

But we are all familiar with unique identifiers within the digital world. Your email address - every single one of them - is a unique identifier within the entire world of the internet. There's also your IP address, but in a DHCP world, that can change without warning. It would still be unique, but tying it solely to you would be a more difficult task.

OpenIDs are unique. A little judicious shopping for an OpenID provider (OP) should get you one who has available an identifier that associates well with you, and that you wouldn't be ashamed to share with others.

Thursday, January 04, 2007

(0) comments

Someone else wants a personal directory!

RedMonk posts about a service he'd like to see: "We could imagine that in Theory-land ... everyone’s identity and data is federated and queryable in a secure fashion." He goes on to mention two (of many) things he'd like to be able to do:
"1. I want to stop entering the same profile information over-and-over again. I probably create a user account 2-3 times a week (this morning it was, adding in the same email, username, picture, and “about me” info.
2. I’m sick of entering in my “friends” into every damn site I create a profile on. For social networking sites, this second item is one of those counter-intuitive differentiators that most (all?) sites are missing out on."

He even thinks that OpenID might provide the answer: "OpenID has been a promising bundle of technology and standards over the past year as well. I’ve been delighted to see sites like LiveJournal and claimID adopting OpenID and I’m waiting to see the attribute (or “profile sharing”) parts evolve and get more use by other sites."

It could, but I'm not holding my breath. For that matter, a Liberty Alliance Attribute Provider (an attribute provider (AP) provides Identity Personal Profile (ID-PP) information, and is sometimes referred to as an ID-PP provider) would also fill the bill. But I'm not holding my breath there, either.

Maybe it's time to revisit the universal, self-published, loosely-coupled Personal Directory (Part 1, 2, 3, and 4) - the time is ripe!

© 2003-2006 The Virtual Quill, All Rights Reserved