As promised, here’s the riveting second installment of my sort-of recap from WebVisions last week.
On Friday last week, I went to the OpenID panel discussion, hosted by Marshall Kirkpatrick of ReadWriteWeb and starring Scott Kveton, vice-chair of the OpenID foundation board of directors and bacon enthusiast, Chris Messina, community advocate for OpenID, OAuth, and open web in general, and my pal Rick Turoczy, local OpenID wonk.
Dave Recordan, who was scheduled to be on the panel, had to bail early, so Rick stepped in to take his place, a fact I teased him about mercilessly at lunch before the panel.
Rick is no OpenID slouch though. He has covered OpenID and open web for several years, and not just as they relate to the Pacific Northwest. Still, it was fun to tease him.
Not surprisingly, the panel was sparsely attended, although people did filter in during the session. One guy came in to look for an outlet for his laptop, and not finding one, left none the smarter despite the OpenID luminaries in the room.
News flash: OpenID comes off as super geeky.
This was a hot topic for the panel. In its current version, as URL that you provide as your credentials to a relying party, OpenID is tough for the average user to get. They compared it to RSS as a failure of technology, but it’s a bit early to declare failure
Facebook’s support for OpenID as a relying party should help. Too bad it’s not working, at least not for me (I’m not alone).
Scott compared the problem to saying you’re SMTP’ing someone rather than saying you’re emailing them. He went on to compare OpenID to Bluetooth and wi-fi as technologies that create a market, whereas OpenID by definition has no market.
Chris disagreed with the market analogy, but all the panelists agreed that OpenID needs to be easier, more like an underlying (and unmarketed) technology that just works for sites.
Part of the hurdle comes from the unintuitive use of a URL to authenticate via OpenID.
All the panelists saw the future of OpenID being at the browser level, not at the individual site level, i.e. you login to your browser, which handles the authentication to each site you visit seamlessly.
Mozilla Labs seems to agree. They are already prototyping how browser-managed authentication could work. Chris agreed with my initial impression that they are on a weird path, but at least, someone is thinking about it.
Eventually, the panel moved on to the interesting stuff, i.e. the OpenID payload possibilities. Beyond the convenience of a single sign-on experience, OpenID could grow to be the single source for information about you–your profile, tags, friends, your online activities, pretty much anything.
Once there’s a single source for this stuff, reputation can be established in a single place (vs. distributed over a whole mess of places), which leads to a goldmine of cool stuff.
Overall, the panel banter was lively (partly because these guys all know each other well) and the content, interesting. OpenID has tons of possibilities. I hope it doesn’t go the way of RSS.
Chris dropped an interesting factoid about Twitter that resonated with me. He said 80% of Twitter’s development effort is spent on private accounts, which were added begrudgingly after the initial launch. Private accounts comprise a mere 10% of Twitter’s users though.
I’ve not done a scientific study of Connect, but that disbursement seems about right to me. Privacy on the ‘tubes is a myth, a unicorn. Please get used to it so we can build cooler stuff.
One final note. Chris Messina and David Haimes have to be twins separated at birth. See for yourself.
Separated at birth
Those are my highlights from WebVisions 09. Overall, I enjoyed it, and I hope next year’s iteration will feature more design sessions.
Social media’s a fad anyway 🙂
Find the comments.
I don't want a single source! Google's bad enough, what with screwing up my name in different places at random times when they slipstream in changes that break other broken fixes.
But to really see my point of view, imagine you are using IE and it asks to remember your password. Well, maybe I'm weird, but that makes me just recoil and hit NO! Of course, that's due to my dislike of MS, but is there really any difference between them and any other mysterious standards body? Gawrsh, what if Network Solutions ran the world? Icannt even imagine…
It's a fact of social network life that different areas are going to have different views of your online persona. If you are going to have an open ID kind of tagged global login, it needs to be able to handle this simple basic observation. Even the oddly misnamed Oracle SSO recognizes this, think of the difference between OTN and metalink.
Also think about single points of failure – haven't we all seen google results with the first link something nasty? Poisoning reputation is bound to be trivial.
A few things here.
1. The majority of people use the same password (or two) all over the place, making it dead simple to harvest their information. Bad. They also frequently use the browser to save site passwords, also bad practice.
2. There is a difference between the standards used by MSFT and commercial bodies. OpenID is open source. There is no commercial gain to be had, and decisions are made by the community. Very different process.
3. When you use OpenID to authenticate, the provider tells you what the requesting site wants to know about you. So, you know before you agree.
4. I agree about failure points, but the alternative is even messier, i.e. multiple sites, multiple logins, shady terms of use, misuse of API data (think Twitter credential harvesting), etc.
I think your ideal viewpoint is one that doesn't use all these sites at all, which means no password remembering issues 🙂 Nothing wrong with that, and I lean toward that side myself, which is why I want more support for OpenID.
OpenID attempts to safeguard people who are not as cautious as we are.
1. Agree.
2. Assumption that community decision is good. Yesterday was the anniversary of the first witch-burning in New England. I'm still creeped out by the scene in The Illustrated Man (movie) where they killed all the children. And of course, Zardoz was ultimately a story of fixing a bad community decision that seemed like a good idea at the time. The process may be different, but that doesn't mean better.
3. Disagree, for reason 1. Familiarity breeds ignore. Read any adhesion contracts lately?
4. This all goes away with a strong non-repudiation mechanism, down to the hardware level. But that won't happen for a long, long time. Probably after some very high profile screwups.
Sorry to be such a negative Nellie, but I'm just not convinced the problem statement is done well. This just seems to be a lot of effort that will fall by the wayside. Of course, I may just not get it.
1. Let's agree to agree.
2. Wow, there's no pleasing you 🙂 Community = bad, decisions by corporation = bad. I give up, what = good? Would you settle for better, at least in this case?
3. Again, not a blanket good vs. evil, but a this is better than that argument. I don't think you're saying using the same credentials on dozens of sites is better than OpenID.
4. Hardware level repudiation? Provided by a single vendor? Sounds like a monopoly in the making, where do I get on that train 🙂
No worries. OpenID isn't necessarily for everyone, and it's not meant to be. Some people (probably you) take credential management as seriously as it should be taken. Unfortunately (fortunately if you're into evil), you are in the minority. Thus, I don't think the OpenID community is worried about wasting effort.
I think you get it, well enough to recognize it's not for you.
There is a similarity I agree. I actually have a pair of glasses the same as Chris is wearing in that photo, but does he have a great big cup of tea?
And on the topic of twins and IDs – A friend was telling me they wrote initials on the feet of their identical twins with a magic marker when they were babies to tell them apart. Now that's what I call an Open ID.
Awesome, when they start walking though, they'll need to have armbands or something. I suppose that would help with self-awareness too. Just check the bottom of your foot if you can't remember your credentials.