User loginNavigation |
FactoryCity
 This can all be made better. Ready? Begin.
Updated: 1 hour 29 min ago Perception and reality in the land of OpenIDA couple related posts caught my attention recently about OpenID. As I’m now a board member of the OpenID Foundation, I feel some responsibility for helping to inform folks about OpenID: what it is, how it’s used, why I believe that it has so much potential — and at same time, address what it isn’t, won’t or can’t be, and what the scope of the OpenID solution stack is. The first is a post by Nick O’Neill from the Social Times blog: “OpenID Organizes the Organizers While Facebook and Google Start Letting Users Login“. It was posted on December 29th. He begins his criticism with a slight error: Over the weekend the OpenID Foundation announced that they are having its first election of community board members. In fact, over that particular weekend, the OIDF announced the results of its election, not the kick off. But his broader sentiment deserves a response: [...while] Facebook and Google have launched their own identity services that enable users to instantly log in to any site with third-party accounts[, ... the] group seems to still be in the process of organizing though. … I think the group is over planning and under executing. Josh Catone from SitePoint picked up his point, suggesting that “OpenID Needs to Start Getting Real“. He writes: What the OpenID Foundation needs to do is start “getting real.” Getting real is a business philosophy from 37signals, a successful web application software company based in Chicago. Though there’s a lot more to their idea, one of the main themes essentially boils down to this: stop screwing around with all the stuff that doesn’t matter and just wastes time (like politics and meetings), and start doing the stuff that needs to get done (like building your app). Don’t worry about the details until people are already using what you’re selling. I agree with O’Neill that so far the OpenID Foundation seems to be spending too much time on organizational stuff, and not enough time on actually doing what needs to get done. In a chapter of their book “Getting Real,” 37signals talks about how meetings can kill productivity. “Every minute you avoid spending in a meeting is a minute you can get real work done instead,” they write. From my admittedly outsider’s vantage point, it appears that the people behind OpenID are getting too caught up in the organizational stuff, getting too lost in the details, and not spending enough time on execution. My perspective, of course, is that of an outsider. I’m not privy to what’s going on behind closed doors, so to speak. So my perception of what’s really going on could be off. But at this point in the game, public perception is what it’s all about. And therein lies the heart of the problem. Perception is reality in the land of OpenID and will shape the thinking of developers, users and those who make up the OpenID and user-centered identity communities unless we initiate a campaign to earnestly counter those perceptions. Nevermind that for OpenID to succeed, it must be developed with the involvement of many different groups, each with slightly different ideas, objectives and release cycles. Unlike Facebook Connect, OpenID is essentially consensus technology. To advance, it must secure and maintain the buy-in and adoption of many parties on every forward step. But let’s ignore that for a moment, because that’s an issue for us to overcome. Jim Louderback (veteran of PC Mag) recounted his miserable experience trying to sign in to Disqus with his OpenID in a post titled “I can haz OpenID?“. Apparently, he can not, since he abandoned his comment and resorted to posting it to Twitter instead. The problem apparently had to do with Clickpass, but that’s besides the point, as the experience left a serious impression (emphasis mine): And that gets me back to OpenID. I love the idea of having one set of identification credentials that I can use around the web. If it all works right, it’ll be awesome, birds will sing and the swallows will return to wherever they’ve disappeared from. But it won’t all work right, not all the time. We’re talking software here, and the internet, and the egos of childish web developers. Occasional (or more often) fail is guaranteed. It’s even worse than I feared. A few days after my Disqus debacle I was talking with a developer friend of mine who was bemoaning the sorry state of OpenID implementations. It seems that all the big sites have their own flavors, and the OpenID foundation just doesn’t have enough clout to force a single standard across the web. That’s a bad state of affairs. It guarantees more fail - and also guarantees epic finger-pointing. Who will lose? The users, first, who won’t be nearly as patient nor accommodating as I am. But in the end the whole glorious promise of OpenID will be left in tatters, and we’ll be back to our walled-gardens of identification. And that’s just too bad - because an open, interoperable identity system is actually one of the best ideas I’ve heard in a long time. Too bad no one can get their act together to actually build it right. And these are the stories that will be told and retold because it’s not the successes that are heralded — it’s the epic failures. As much as I like to rag on Twitter about OAuth, their service is a million times better than it was six months ago during the Summer of the Fail. Twitter ops deserve a lot of credit for making hard decisions about which features should be cut in order to scale the service. But when it works, people don’t shower Twitter with praise. It’s expected. It’s only when there are problems that people raise their voices — and it’s no different with OpenID. Unfortunately it’s this cacophony of complaints that ends up shaping the negative perceptions of OpenID. So, when the Japanese chapter of the OpenID Foundation releases figures that show significant and gaining consumer awareness of OpenID in Japan that contradict the outdated and statistically insignificant findings (PDF) that Yahoo presented last year (on which so much criticism was heaped), few seem to notice. Progress in Japan alone isn’t enough of course. But it does suggest that there is more to the story of OpenID’s overall progress and success in the marketplace. It also suggests that OpenID has yet to succumb to Facebook Connect or that it ever will (or that that’s even the right question). Still, what all this says to me is that the OpenID Foundation and the community at large have its work cut out for itself. As more people begin to believe in the promise of OpenID, more people will commit themselves to the success of OpenID, taking ownership of the idea, and promoting it their friends and family (as they did with Firefox). Our opportunity is to make good on the hope that people have for OpenID and effectively channel it to challenge the bruised perception that defines OpenID today. If we succeed, changing perceptions truly will change reality. Twitter and the Password Anti-PatternI’ve written about the password anti-pattern before, and have, with regards to Twitter, advocated for the adoption of some form of delegated authentication solution for some while. It’s not as if Twitter or lead developer Alex Payne aren’t aware of the need for such a solution (in fact, it’s not only been publicly recognized (and is Issue #2 in their API issue queue), but the solution will be available as part of a “beta” program shortly). The problem is that it’s taken so long for Twitter’s “password anti-pattern” problem to get the proper attention that it deserves (Twitter acknowledged that they were moving to OAuth last August) that unsuspecting Twitter users have now exposed themselves (i.e. Twitter credentials) to the kind of threat we knew was there all along. This isn’t the first time either, and it probably won’t be the last, at least until Twitter changes the way third party services access user accounts. Rather than focus on Twply (which others have done, and whose evidence still lingers), I thought I’d talk about why this is an important problem, what solutions are available, why Twitter hasn’t adopted them and then look at what should happen here. I can’t link directly to it, but comment #8 on Fred Oliveira’s post captures one clear reason why the password anti-pattern increasingly matters more: Regardless of the perceived value of the service, when it comes to reputation online, little else matters than one’s accumulated social and data capital. Some people store their data capital (essentially original content coupled with residue from their social capital) with LinkedIn; others, Facebook or MySpace. Still others use their own blogs or rely on a medly of services like Twitter, FriendFeed, or Flickr. To some degree, experimentation with third party services can elevate one’s status, drive commerce, or provide a recommendation filter for friends. So handing over the keys to the vault that stores your data capital should be a big deal. The more frequently we do this, the more routine it becomes, the more we become desensitized to the inherent risks in this behavior. And so we take it for granted that we must cough up a username and password in order to try out that new shiny service, given the countless times previously where nothing bad happened. And then you get Twply. Or Quechup. Now, phishing works in a similar way, but is distinctive in an important respect: In the case of phishing, it’s kind of like a faux valet that stands outside a well-regarded restaurant waiting for unsuspecting victims to hand over the keys to their Benz (where that restaurant is your email account). Once a phisher gets a nibble, they position themselves as a known authority (i.e. your bank), preying on the naivete and disorientation of their victim. No where better is there than the web for such schemes, where the true value of account credentials are abstract and technical. The difference between run-of-the-mill phishing and password anti-pattern cases is intent. Most third parties implement the anti-pattern out of necessity, in order to provide an enhanced service. The vast majority don’t do it to be malicious or because they intend to abuse their customers — quite the contrary! However, by accepting and storing customer credentials, these third parties are putting themselves in a potentially untenable situation: servers get hacked, data leaks and sometimes companies — along with their assets — are sold off with untold consequences for the integrity — or safety — of the original customer data. Given the ends (providing cross-site functionality (importing address books, posting to blogs or Twitter, etc)), you could argue that the means are incidental or justified. But we can — and have an obligation to — do better. Solutions for the password anti-patternGiven the prevalence of this problem, several solutions have emerged, most notably OAuth. OAuth is actually an extraction of a number of protocols that came before. In the place of a username and password, it substitutes a consumer key (like a username for an application) and a token, and adds a cryptographic signature to make sure that no one tampers with the “request envelope” while in transit. Interestingly, OAuth emerged from a shortcoming with OpenID. Since OpenID authentication works without passwords, we needed a way for OpenID to be used with APIs and in desktop applications. Therefore, we needed a way to delegate authentication back to an original source, and then receive authorization to act on behalf of the user, all without ever needing their user credentials. Of course this problem wasn’t unique to OpenID, and so we developed it to be agnostic about how authentication is performed (that is, with or without OpenID). Since its release just over a year ago, OAuth has replaced both Yahoo and Google’s custom delegated authentication protocols, and has become a central component of OpenSocial. More recently, Eran Hammer, the specification’s editor and lead author, brought OAuth to the IETF in order to advance the community-driven protocol to the next level of internet infrastructure. But it’s not the only solution to this problem. FriendFeed implements what they call a Remote Key in place of a user’s password: What’s a remote key? A remote key is a kind of password that you can give to third-party applications and websites to let them interact with FriendFeed on your behalf. There are limits to what can be done using a remote key, which means it’s a lot safer than giving a site your FriendFeed password. This idea was suggested to Twitter in November. While there are benefits to this model — especially in terms of simplicity — it requires a user to remember two secrets: their password and their remote key. It also means that all third-party applications act at the same level of authority, since services can’t distinguish one application from another. For a service like FriendFeed, where most of the interactions seem to happen on-site, this model makes sense. For a service like Twitter, whose primary traffic comes from external sites and applications, it does not. And then there’s the “security through obscurity” solution that provides access to data with single or limited use URLs that are usually so long and cryptic as to be virtually unguessable. This is the solution that Basecamp offers its OpenID users and that Flickr uses for its guest pass service. Twitter and OAuthAnything besides the standard username and password combo will arguably add complexity and confusion to the user experience of web apps and mashups (both for users and developers). Alex Payne made this point loud and clear: Still, sooner than later, something is going to need to be done. And Twply is only the tip of the iceberg. As people continue to accrue social and data capital, we’re going to need to offer them better options for securing their accounts while providing them flexible and usable access. The sooner we start training people on the new model, the better off we’ll all be. But Alex has additional gripes about OAuth: The downside is that OAuth suffers from many of the frustrating user experience issues and phishing scenarios that OpenID does. The workflow of opening an application, being bounced to your browser, having to login to twitter.com, approving the application, and then bouncing back is going to be lost on many novice users, or used as a means to phish them. Hopefully in time users will be educated, particularly as OAuth becomes the standard way to do API authentication. Another downside is that OAuth is a hassle for developers. BasicAuth couldn’t be simpler (heck, it’s got “basic” in the name). OAuth requires a new set of tools. Those tools are currently semi-mature, but again, with time I’m confident they’ll improve. In the meantime, OAuth will greatly increase the barrier to entry for the Twitter API, something I’m not thrilled about. These are actually very good points. At the same time, there’s a balance to be found between accepting the status quo (thereby promoting it) versus creating the solution. Alex has repeatedly referred to the work of the Twitter User Experience team as slowing down their adoption of OAuth, but it seems to me that there’s been an open opportunity to engage with the OAuth and OpenID communities to address these issues, especially as they are at the core of why Google has yet to become an OpenID relying party. These problems are not unique to Twitter and are issues that the entire community needs to address. As much as I’m a pain in the ass about OAuth support in Twitter, I am also willing to jump in and help develop solutions — but thus far, Twitter has been absent from the channels where solutions are being generated. Everyone’s got their priorities and Twitter has come a long way in the past several months in terms of performance and stability. But in 2009, I want to defeat the password anti-pattern once and for all! Starting with Twitter would be a significant strategic achievement and I know that Twitter is game, it’s just matter of getting it done and making it happen. So, Alex, where do we begin? What can we do to help? The results of the OpenID Board election are in!I received an SMS from Michael Richardson this morning (around 8am here in Hawaii) congratulating me on my election to the board of the OpenID Foundation. It seems fitting that I should receive first word from him, since, as the Karl Rove of my campaign, he came up with the “kind of a big deal” slogan from Anchorman. Anyway, I’m thrilled about the outcome of the election and am looking forward to working with Snorri Giorgetti, Nat Sakimura, David Recordon, (each of whom received two year terms along with me) and Eric Sachs, Scott Kveton, and Brian Kissel (who received one year terms). I’m also pleased that 80% of the 217 foundation members voted in the first-ever OpenID election. We’ve obviously got a lot of work ahead of us, but I’m very confident that we’ll make great strides in 2009. Responding to criticisms about OpenID: convenience, security and personal agencya href=”http://www.flickr.com/photos/factoryjoe/3111987220/” title=”Twitter / Chris Drackett: @factoryjoe openID should … by factoryjoe, on Flickr”img src=”http://farm4.static.flickr.com/3001/3111987220_bdd75e1938.jpg” width=”500″ height=”206″ alt=”Twitter / Chris Drackett: @factoryjoe openID should be dead… its over-rated.” class=”figure figure-a”//a a href=”http://shelfworthy.com”citeChris Dracket/cite/a responded to one of my tweets the other day, saying that “OpenID should be dead… it’s way over-rated”. I’ve of course heard a href=”http://factoryjoe.com/blog/2008/10/28/openid-usability-is-not-an-oxymoron/”plenty of criticisms/a of OpenID, but hadn’t really heard that it was “overrated” (which implies that people have a higher opinion of OpenID than it merits). Intrigued, I replied, asking him to elaborate, which he did via email: blockquoteI don’t know if overrated is the right word.. but I just don’t see OpenID ever catching on.. I think the main reason is that its too complex / scary of an idea for the normal user to understand and accept. In my opinion the only way to make OpenID seem safe (for people who are worried about privacy online) is if the user has full control over the OpenID provider. While this is possible for people like you and me, my mom is never going to get to this point, and if she wants to use OpenID she is going to have to trust her sensitive data to AOL, MS, Google, etc. I think that people see giving this much “power” to a single provider as scary. Lastly I think that OpenID is too complex to properly explain to someone and get them to use it. People understand usernames and passwords right away, and even OAuth, but OpenID in itself I think is too hard to grasp. I dunno, just a quick opinion.. I think there is a reason that we don’t have a single key on our key rings that opens our house, car, office and mailbox, not that that is a perfect/accurate analogy, but its close to how some people I’ve talked to think OpenID works./blockquote Rather than respond privately, I asked whether it’d be okay if I posted his follow-up and replied on my blog. He obliged. To summarize my interpretation of his points: strongOpenID is too complex and scary, potentially too insecure, and too confined to the hands of a few companies./strong The summary of my rebuttals: ul hr / h3 id=”convenience”Convenience/h3 OpenID should not be judged by today’s technological environment alone, but rather should be considered in the context of the migration to “cloud computing”, where people no longer access files on their local harddrive, but increasingly need to access data stored by web services. All early technologies face criticism based on current trends and dominant behaviors, and OpenID is no different. At one time, people didn’t grok sending email between different services (in fact, you couldn’t). At one time, people didn’t grok IMing their AOL buddies using Google Talk (in fact, you couldn’t). At one time, you had one computer and your browser stored all of your passwords on the client-side (this is basically where we are today) and at one time, people accessed their photos, videos, and documents locally on their desktop (as is still the case for most people). Cloud computing represents a shift in how people access and share data. Already, people rely less and less on physical media to store data and more and more on internet-based web services. As a consequence, people will need a mechanism for referencing their data and services as convenient as the codec:\/code prompt. An OpenID, therefore, should become the referent people use to indicate where their data is “stored”. An OpenID is not just about identification and blog comments; nor is it about reducing the number of passwords you have (that’s a by-product of user-centered design). Consider: ul The big picture of cloud computing points to OpenIDs simplifying how people access, share and connect data to people and services. hr / h3 id=”security”Security/h3 I’ve heard many people complain that if your OpenID gets hacked, then you’re screwed. It’s like putting all your eggs in one basket, they claim. But that’s really no different than if your email account gets hacked. Since your email address is used to reset your password, any or all of your accounts could have their passwords reset and changed; worse, the password emand/em the account email address could be changed, locking you out completely. At minimum, OpenID is no worse than the status quo. At best, combined with OAuth, third-parties never need your account password, defeating the a href=”http://adactio.com/journal/1357″password anti-pattern/a and providing a href=”http://factoryjoe.com/blog/2007/12/19/public-nuisance-1-importing-your-contacts”a more secure way to share your data/a. Furthermore, because securing your OpenID is outside of the purview of the spec, you can choose an OpenID provider (or set up your own) with a level of security that fits your needs. So while many OpenID providers currently stick with the traditional username and password combo, others offer more sophisticated approaches, from client-side certificates and hardware keys to biometrics and image-based password shields (as in the case of my employer, a href=”http://vidoop.com”Vidoop/a). One added benefit of OpenID is the ability to audit and manage access to your account, just as you do with a credit card account. This means that you have a record of every time someone (hopefully you!) signs in to one of your accounts with your OpenID, as well as how frequently sign-ins occur, from which IP addresses and on what devices. From a security perspective, this is a major advantage over basic usernames and passwords, as collecting this information from each service provider would prove inconvenient and time-consuming, if even possible. Given this benefit, it’s worth considering that identity technologies OpenID won’t force anyone to change their current behavior, certainly not right away. But wouldn’t it be better to have the option to choose an alternative way to secure your accounts if you wanted it? OpenID starts with the status quo and, coupled with OAuth, provides an opportunity to make things better. We’re not going to make online computing more secure overnight, but it seems like a prudent place to start. hr / h3 id=”agency”Personal agency for web citizens/h3 Looking over the landscape of existing social software applications, I see very few (if any) that could not be enhanced by OpenID support. OpenID is a cornerstone technology of the emerging social web, and adds value anywhere users have profiles, accounts or need access to remote data. Historically, we’ve seen similar attempts at providing a universal login account. Microsoft even got the name right with “Passport”, but screwed up the network model. Any identity system, if it’s going to succeed on the open web, needs to be designed with user choice at its core, in order to facilitate marketplace competition. A single-origin federated identity network will always fail on the internet (as citea href=”http://josephsmarr.com/”Joseph Smarr/a/cite and citea href=”http://therealmccrea.com”John McCrea/a/cite a href=”http://www.webmonkey.com/blog/OpenID_Q_A:_Plaxo_s_Joseph_Smarr_and_John_McCrea”like to say/a of Facebook Connect: a href=”http://therealmccrea.com/2008/07/16/my-prediction-for-2008-a-mid-year-check-in/”qWe’ve seen this movie before/q/a). As such, selecting an identity provider should not be relegated to a default choice. Where you come from (what I call emprovenance/em) has meaning. For example, if you connect to a service using your Facebook account, the relying party can presume that the a href=”http://developers.facebook.com/news.php?blog=1story=108″profile information/a that Facebook supplies a href=”http://www.insidefacebook.com/2008/12/10/facebook-connect-making-blog-comments-more-authentic/”will be authentic/a, since Facebook works hard to ferret out fake accounts from its network (unlike MySpace). Similarly, signing in with a Google Account provides a verified email address. Just like the issuing country of your passport may say something about you to the immigration official reviewing your documents, the OpenID provider that you use may also say something about you to the relying party that you’re signing in to. It is therefore critical that people make an informed choice about who provides (and protects) their identity online, and that the enabling technologies are built with the option for individuals to vouch for themselves. In the network model where anyone can host their own independent OpenID (just like anyone can set up their own email server), competition may thrive. Where competition thrives, an ecosystem may arise, developed under the rubric of market dynamics and Darwinian survivalism. And in this model, the individual is at the center, rather than the services he or she uses. This the citizen-centric model of the web, and a href=”http://blogs.law.harvard.edu/vrm/2008/11/20/vrm-is-personal/” title=”Doc Searls: VRM is personal”each of us are sovereign citizens of the web/a. Since I define and host my own identity, I do not need to worry about services like a href=”http://blog.pownce.com/2008/12/01/goodbye-pownce-hello-six-apart/”Pownce being sold/a or a href=”http://iwantsandy.com”I Want Sandy/a users a href=”http://www.valuesofn.com/blog/2008/11/fork-in-road.html”left wanting/a. I have choice, a href=”http://factoryjoe.com/blog/2007/11/26/data-banks-data-brokers-and-citizen-bargaining-power/”I have bargaining power/a, and I have emagency/em, and this is critical to the viability of the social web emat scale/em. hr / h3 id=”conclusion”Final words/h3 As cloud computing goes mainstream (evidenced in part by the a href=”http://gigaom.com/2008/12/26/for-amazon-netbooks-are-a-smash-hit/”growing popularity of Netbooks this holiday season!/a), we’re going to need a consumer-facing technology and brand like OpenID to help unify this new, more virtualized world, in order to make it universally accessible. Fortunately, as we stack more and more technologies and services on our OpenIDs, we can independently innovate the security layer, developing increasingly sophisticated solutions as necessary to make sure that only the emright/em people have access to our accounts and our data. It is with with these changes that we must evaluate OpenID — not as a technology for 2008’s problems — but as a formative building block for 2009 and the future of the social web. Where we’re going with Activity StreamsThe a href=”http://diso-project.org”DiSo Project/a is a href=”http://willnorris.com/2008/12/diso-one-year-later”just over/a a a href=”http://factoryjoe.com/blog/2007/12/06/oauth-10-openid-20-and-up-next-diso/”year old/a. It’s remained a somewhat amorphous blob of related ideas, concepts and aspirations in my brain, but has resulted in some notable progress, even if such progress appears dubious on the surface. For example, a href=”http://oauth.net”OAuth/a is a core aspect of DiSo because it enables site-to-site permissioning and safer data access. It’s not embecause of/em the DiSo Project that OAuth exists, but my involvement in the protocol certainly stems from the goals that I have with DiSo. Similarly, Portable Contacts emerged (among other things) as a response to Microsoft’s “a href=”http://twitter.com/kevinmarks/statuses/1068364292″beautiful fucking snowflake/a” a href=”http://dev.live.com/contacts/”contacts API/a, but it will be a core component of our efforts to distribute and decentralize social networking. And meanwhile, a href=”http://openid.net”OpenID/a has had momentum and a following all its own, and yet it emtoo/em fits into the DiSo model in my head, as a cornerstone technology on which much of the rest relies. a href=”http://www.flickr.com/photos/factoryjoe/3122318414/” title=”Subscribing to a person by factoryjoe, on Flickr”img src=”http://farm4.static.flickr.com/3120/3122318414_1cd49deeb5.jpg” width=”500″ height=”333″ alt=”Subscribing to a person” class=”figure figure-a” //a Tonight I gave a a href=”http://www.slideshare.net/factoryjoe/activity-streams-presentation/”talk specifically about activity streams/a. I’ve a href=”http://factoryjoe.com/blog/2008/06/11/a-conversation-about-social-network-interop-and-activity-stream-relevance/”talked about them/a before, and I’ve a href=”http://factoryjoe.com/blog/2008/06/11/adding-richness-to-activity-streams”written about them/a as well. But I think things started to click tonight for people for some reason. Maybe it was the introduction of the a href=”http://www.flickr.com/photos/factoryjoe/3122318414/”mocked up interface/a above (thanks a href=”http://www.zengestrom.com/”Jyri/a!) that shows how you could consume activities based on human-readable emcontent types/em, rather than by the service name on which they were produced. Maybe it was providing a narrative that illustrated how these various discreet and abstract technologies can add up to something rather sensible and desirable (and looks familiar, thanks to Facebook Connect). In any case, I won’t overstate my point, but I think the a href=”http://groups.google.com/group/activity-streams/”work/a that we’ve been doing is going to start accelerating in 2009, and that the a href=”http://activitystrea.ms/”activity streams project/a, like OAuth before, will begin to grow legs. And if I haven’t made it clear what I’m talking about, well, we’re starting with an assumption that activities (like the ones in Facebook’s newsfeed and that make up the bulk of FriendFeed’s content) are kind of like the synaptic electrical impulses that make social networking work. Consider that people probably read more Twitter content these days than they do conventional blog posts — if only because, with so much more content out there, we need more smaller bite-sized chunks of information a href=”http://www.nytimes.com/2008/12/18/technology/personaltech/18basics.html” title=”Staying Informed Without Drowning in Data”in order to cope/a. a href=”http://www.flickr.com/photos/factoryjoe/3103164628/” title=”FriendFeed - Add/Edit Services by factoryjoe, on Flickr”img src=”http://farm4.static.flickr.com/3285/3103164628_15137f54bf_m.jpg” width=”216″ height=”240″ alt=”FriendFeed - Add/Edit Services” class=”figure figure-b” //aSo starting there, we need to look at what it would take to recreate efficient and compelling interfaces for activity streams like we’re used to on FriendFeed and Facebook, but without the benefit of having ever seen any of the services before. I call this the “zero knowledge test”. Let me elaborate. When I say “without the benefit of having ever seen”, I primarily mean from a programmatic standpoint. In other words, what would it take to be able to deliver an equivalent experience to FriendFeed without a href=”http://singpolyma.net/2008/12/describing-actionstream-sources/”hardcoding support/a for only a few of the more popular services (FriendFeed currently supports 59 out of the thousands of candidate sites out there)? What would we need in a format to be able to join, group, de-dupe, and coalesce individual activities and otherwise make the resulting output look human readable? Our approach so far has been to a href=”http://www.apparently.me.uk/23202.html”research/a and a href=”http://wiki.diso-project.org/activity-streams”document/a what’s a href=”http://wiki.diso-project.org/activity-streams-examples”already out there/a (taking a hint from the a href=”http://microformats.org/wiki/process”microformats process/a). We’ve then begun to specify different approaches to solving this problem, from a href=”http://wiki.diso-project.org/activity-stream-machine-tags”machine tags/a to a href=”http://microformats.org/wiki/activity-streams”microformats/a to a href=”http://martin.atkins.me.uk/specs/atomactivity”extending ATOM/a (or a href=”http://www.apparently.me.uk/22793.html” title=”ActivityRSS instead of AtomActivity?”perhaps RSS/a?). Of course, we really just need to start writing some code. But fortunately with products like a href=”http://movabletype.com/motion/”Motion/a in the wild and plugins like a href=”http://singpolyma.net/plugins/actionstream/”Action Stream/a, we at least have something to start with. Now it’s just a matter of rinse, wash and repeat. I’m a candidate for the board of the OpenID Foundation!The OpenID Foundation board election opened up on December 10. After a grueling nominations process (not really), we were left with 17 candidates vying for seven community board member seats. Your candidates are (alphabetized by first name):
So far, a great deal of discussion has gone on about the various candidates’ platforms on the OpenID general mailing list. Candidates have also written about things that they would like to change in the coming year on their blogs as well, notably Dave Recordon and Johannes Ernst. For my own part, I wrote up many of my ideas when I announced my candidacy. I also maintain a wiki page of goals that I have for OpenID. The three issues that are at the top of my list should I be elected to the board really come down to:
I will lay out my rationale for these positions in a series of upcoming posts. In the meantime, if you’d like to vote in this election, you will need to register for a $25 year-long membership in the OpenID Foundation (basically providing you the privilege to participate in this and other foundation elections and activities). I also solicit your feedback, concerns and wishes for OpenID. Though I have plenty ideas about the kind of work that needs to go into OpenID to make it into a great cornerstone technology for the open web, I’m also very interested in hearing from other people about their experiences with OpenID, or about their ideas for how we can advance the cause of OpenID in 2009. Bookmarks for November 24 to December 08A bi-weekly collection of linky goodness. Fluidity/Discover.io “Fluidity enhances the effectiveness of the social networks you are already on, helping you cut through the noise and identify both new people and old acquaintances to connect with. Today, you would need to explicitly search and message them, or to random WordPress › WP-Oomph « WordPress Plugins “Adds the Oomph Microformats toolkit’s microformat overlay to any WordPress-generated pages (as long as the page has a microformat in it, of course).” iList Classifieds - Post and Search Free Classified Ads “At iList, we harness the power of your social networks on Facebook, MySpace, Twitter and more to share your listing with millions of people.” Biggest Battle Yet For Social Networks: You, Your Identity And Your Data On The Open Web “Today’s the day that Facebook makes their big press push for their Facebook Connect service, which was first announced last May. The NY Times has a story giving a broad overview of Connect as well as competing services from MySpace (Data Availability) an Open Source: The Model Is Broken - BusinessWeek “The open-source business model that relies solely on support and service revenue streams is failing to meet the expectations of investors” Extensions ?(Chromium Developer Documentation?) Design document for Chrome extensions. Copyright Policy | Change.gov: The Obama-Biden Transition Team “Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 License. Content includes all materials posted by the Obama-Biden Transition project. Visitors to this website agree to grant a non-exclusive, irrevoc calaboration - Google Code “Calaboration makes it easy to set up iCal to synchronize with your Google Calendar calendars. It automatically finds all of your calendars and allows you to add any of them to iCal with the press of a button.” Spoonjuice - Night Stand “Night Stand displays a beautiful digital clock on your iPhone or iPod touch. You don’t have to buy a night stand clock for your bedroom anymore: you get a gorgeous, glowing clock for FREE and right under your fingertips. Anytime you need it, anywhere you A YouTube for All of Us (YouTube Blog) YouTube cracks down on smut and custom thumbnail images. Sounds like decent ideas for the health of the ecosystem. Apple finally taking orders for new in-ear headphones (AppleInsider) “the Apple Earphones with Remote and Mic are described as having “all the performance and comfort of the acclaimed Apple iPod Earphones plus convenient buttons that let you adjust volume and control music and video playback.”One of the biggest draws of The End of the Red Light District (Ning Blog) “Our focus is on creating incredibly simple, beautiful software and rapidly adding new features for the benefit of all. We can’t do that as efficiently as we need to and still support adult networks on Ning. It’s that simpl” Site-Wide Metadata for the Web “This memo describes a method for locating site-wide metadata for Web sites.” Somatic Rebirth System by David Lanham “Redrawn and updated Somatic system replacement icons.” Microformats.org Wiki 2.0 · Microformats Wiki “Microformats.org has been served by a near-default MediaWiki theme since it first went live in 2005. Over the years the kind of content published on the wiki has been established, and the editing practices of our community better understood. The ‘Wiki 2. Twittershare | Phoreo.com - Design + Technology for Do-Gooders “Share pictures, music, video, and other files with friends using Twitter.” Memo to OpenID: Keep it simple, please | Webware - CNET “OpenID and its brethren could use a good, simplified marketing pitch, not to mention some announcements and partnerships that are more prominent than an extension for a niche Web browser. They need to use the resources that the likes of MySpace and Yahoo Wells Fargo vSafe: Protect, Organize & Access Important Documents “The new Wells Fargo vSafe service offers secure online storage for you to safeguard, organize, and access electronic copies of important documents—from birth certificates and immunization records to wills and treasured photos.” Kathleen Parker - The Twitter Phenomenon — In Touch, Always, in Cyberspace - washingtonpost.comView all my bookmarks on Ma.gnolia Announcing my candidacy for the board of the OpenID FoundationThis is the statement that I submitted to answer the call, nominating myself as a candidate for community representative to the OpenID Foundation board: I have long been involved with the OpenID community and have advocated for its adoption ever since I discovered it. It is a central building block of the emerging Open Stack and of the DiSo Project, an effort that I co-founded to create reusable components for decentralized social networking. To get right to it: I’m running for a seat on the OpenID board because I believe that there is a need for change, for evolution, for setting a clear direction, and a need for a passionate rededication to the promise that OpenID represents. Above all else, I also believe that the OpenID brand needs to be strengthened to mean something specific, in the same way that brands like Visa and Mastercard now, many years after their introduction, indicate the ability to use an abstract identifier (like a piece of plastic) to access something of value (namely, your accounts). In the case of OpenID, for some, it may mean connecting with friends or pulling in photos or bookmarks from one’s favorite services. It may also simply mean not having to get another password, or it might provide a more convenient way to identify yourself. But bottom line, the Foundation needs to see through OpenID becoming a strong and recognizable consumer brand. To do this, we need to: 1) I believe that we must make OpenID more usable, but I also believe we must enhance the value of having an OpenID in the first place. Single sign-on is not enough. Facebook Connect demonstrates real value for both relying parties and for Facebook account owners; OpenID must mean more to people than one less password — it has to be seen as a vehicle leading to the socialization of the web in a way that’s meaningful, durable, and that enhances individual choice — and therefore, freedom. 2) Over the past year, we have chalked up high level support from such companies, and though their support is invaluable, we must continue to increase our visibility and credibility by consistently becoming more inclusive, more diverse and more expansive in our reach. The OpenID community needs to organize itself as an ally to developers, designers, relying parties, businesses, governments, municipalities, and educational institutions, and move beyond the emphasis on large internet companies. To make OpenID more usable and valuable: a) To this end, I believe that the Foundation should commission an ongoing series of general user studies on trends in online identity management and conduct surveys on OpenID brand awareness, OpenID usability, virtual identity internalization, and online social behavior. The Foundation should endeavor to become an authoritative source of knowledge, understanding and best practices for creating identity solutions for people on the social web. b) Personally, I would like to improve the state of the OpenID web site and use of social media. I’ve done quite a bit of work marshalling communities with social software and am happy to take on such responsibilities. c) I also believe that further progress must be made to harmonize OpenID and OAuth, and that the work that Google has spearheaded in this regard is critical. d) I would like to centralize the OpenID libraries, either on Google Code or GitHUB, and through the existing bounty program, incentivize the development of optmized language-specific libraries, as we have done with the OAuth community. This effort would be incomplete without the development of a test suite and series of test servers against which various libraries and implementations could be tested. To help expand scope, reach, visibility of OpenID: a) To do this, we must develop 21st century trademark guidelines, as Mozilla has, that enable us to maintain the integrity of the name and the mark, while also supporting widespread publishing and promotion of the mark, through non-commercial grassroots communities and networks, just like the Firefox brand. As a former community admin of the Spread Firefox project, I can confidently lend my experience here. c) There is a need for more decentralized *camp-style events that promote solutions built on Open Stack technologies like OpenID, and we need to increase our presense and marketing materials at popular trade events both within and beyond the web community. I have proposed to O’Reilly a full day of workshops at the upcoming Web 2.0 Expo event in San Francisco and have initiated a conversation with Wired to develop a series of tutorials for their Webmonkey How-to wiki. We need to move beyond web-based outreach and marketing and start encouraging involvement in OpenID from folks in the real world. d) Along with improving OpenID in desktop contexts and mobile devices, I think that OpenID can become useful in console gaming situations, just as people have become used to the idea of Wii Codes and Xbox gamertags (why aren’t those OpenIDs?!). OpenID is at a critical juncture, and with the right people involved, the OpenID Foundation and its supporters will usher in the future of the free and open social web. Recent conversations have convinced me that the role of the boardmember brings with it a certain visibility, responsibility, and an opportunity to lead from within that would provide me with a platform to be more effective and to realize my aspirations for OpenID more quickly. I am also impressed by the caliber of individuals running for the board (though I would have preferred to see a more diverse pool of candidates, since OpenID isn’t only used by male internet users). And to put my candidacy in context, I want to make it clear that I will continue to advocate for and advance the cause of OpenID whether or not I am selected to the board. Nominations close on Monday and I need at least two seconds to be eligible to be voted on. Voting begins on Dec 10 and ends Dec 24, with the results of the election being announced by Dec 31. In order to vote in the election, you’ll need an OpenID and membership in the OpenID Foundation (which will run you $25). But if you really need a reason to spend $25 and vote for me, here it is: Now, this is a story all about how My life got flipped-turned upside down. And I liked to take a minute Just sit right there, I’ll tell you how I became the prince of a town called Bel Air. In west Philadelphia — born and raised. On the playground was where I spent most of my days Chillin’ out, maxin’, relaxin’, all cool and all shootin some b-ball outside of the school, when a couple of guys who were up to no good startin making trouble in my neighborhood. I got in one little fight and my mom got scared She said ‘You’re movin’ with your auntie and uncle in Bel Air’. I begged and pleaded with her day after day, but she packed my suitcase and sent me on my way. She gave me a kiss and then she gave me my ticket. I put my walkman on and said, ‘I might as well kick it’. First class, (yo this is bad), drinking orange juice out of a champagne glass. Is this what the people of Bel-Air living like? Hmmmmm this might be alright. But wait I hear they’re prissy, wine all that. Is Bel-Air the type of place they send this cool cat? I don’t think so I’ll see when I get there I hope they’re prepared for the prince of Bel-Air. Well, the plane landed and when I came out there was a dude who looked like a cop standing there with my name out. I ain’t trying to get arrested, I just got here! I sprang with the quickness like lightning, disappeared! I whistled for a cab and when it came near, the license plate said fresh and it had dice in the mirror. If anything, I can say this cab is rare! But I thought ‘Nah forget it’ - ‘Yo homes to Bel Air!’ I pulled up to the house about 7 or 8 And I yelled to the cabbie ‘Yo homes smell ya later’ I looked at my kingdom I was finally there to sit on my throne as the Prince of Bel Air. Bookmarks for November 10 to November 24A bi-weekly collection of linky goodness. Garmin | Mac OS X - Current Software, news and more “Garmin is committed to creating a great software experience for all of our customers. This page is dedicated to keeping you up-to-date on our growing range of software made for Mac and helping you enjoy the full potential of your Garmin device.” Live Piracy Map 2008 “This map shows all the piracy incidents reported by the IMB Piracy Centre in Kuala Lumpur during 2008.” Garmin Connect A social network for Garmin product customers! Open Radar - Community bug reports This is brilliant. I wish I’d thought of it! BodyTrace - Weight tracking - weight loss and bodybuilding motivation at it’s best “A comprehensive weight tracking program that allows you to monitor your weight, follow the changes of your body and let others see your progress. Your friends and supporters will keep you going, even at the hardest times.” Obama 60 Minutes Interview: Talks National Security, Financial Crisis, First Dog (VIDEO) “The interview covered many other topics, including national security, the financial crisis, Obama’s thoughts on Lincoln and FDR, and an update on the new First Dog.” Yahoo’s Jerry Yang to Step Down, As a Search for New CEO Commences (AllThingsD) “Yahoo CEO Jerry Yang will step down from his job as CEO, said sources close to the company, as soon as the board finds a replacement for him, in what sources close to the situation call a joint decision by him and the company’s directors.” OpenTable’s iPhone app makes reservations a breeze I’ve been waiting for this one. Apple brings HDCP to a new aluminum MacBook near you Oh fuck me. Digital Nomads Digital Nomads is a community site for individuals that work or play without regard for their physical location. It is a place where they can come together to read about other digital nomads, share ideas, tips and tricks, and best practices, and read the Barnraiser - Prairie “Prairie is a lightweight OpenID based Internet identity server. Instead of registering at every web site with different username and password combinations you use your identity server to log you in.” ConnectID: Naval gazing After rebuking the OpenID awareness, survey, Paul asks: “Is federated identity made easier, or more difficult, when the user is expected to be aware of not only where a non-local identifier is, but also what sort it is?” Landing sites « WordPress Plugins “When visitors is referred to your site from a search engine, they are definitely looking for something specific - often they just roughly check the page they land on and then closes the window if what they are looking for isn’t there. Why not help them b WordPress-Ready Contact Form v.2.0WP - Beast-Blog.com “This is the official page for the Secure and Accessible PHP Contact Form v.2.0WP for WordPress (versions 2.0 and later) created by Mike Jolley and Mike Cherim.” Apple discontinues 23-inch Cinema Display | Macworld “Apple officially discontinued its 23-inch Cinema Display on Tuesday, making way for recently announced 24-inch LED Cinema.” New Media Requires New Thinking on Cultural Policy (Michael Geist) Great post on why net neutrality is an important economic — and cultural — issue. Code Like a Pythonista: Idiomatic Python “In this interactive tutorial, we’ll cover many essential Python idioms and techniques in depth, adding immediately useful tools to your belt.” voiceofsandiego.org | San Diego’s nonprofit source of daily news, opinion and commentary. Independent media FTW! OAuth channel for WCF RESTful services - Pablo M. Cibraro (aka Cibrax) “Alex Henderson (Aka Bittercoder) has written a pretty good OAuth library in .NET for implementing an OAuth consumer and service provider. The library is available here under a MIT license (do wherever you want with it), and it is very easy to use. Alex h Cheap, Easy Audio Transcription with Mechanical Turk - Waxy.org “The result: my 36-minute recording was transcribed while I slept, in less than three hours, for a grand total of $15.40.This is a fraction of the cost/time of any other transcription service online, including the Turk-driven Casting Words, though you p LIFE photo archive hosted by Google “Search millions of photographs from the LIFE photo archive, stretching from the 1750s to today. Most were never published and are now available for the first time through the joint work of LIFE and Google.” Iconfactory : Freeware : Frenzic System “CandyBar system replacement set styled after Frenzic” Bowtie Start Pack (MacThemes Forum) 11 themes for BowTie, the iTunes controller! TapExpense “TapExpense helps you keep a record of daily expenses. It is designed for mobile users and international travelers.” Agenda | Change.gov: The Obama-Biden Transition Team “President-elect Obama and Vice President-elect Biden have developed innovative approaches to challenge the status quo in Washington and to bring about the kind of change America needs.The Obama Administration has a comprehensive and detailed policy age The Results of Project Icon (WordPress Blog) The results of the survey to determine the icons for WordPress 2.7. Deadline: Good things come to those who plan “Deadline is the simplest calendar ever made. You write in plain English, and it will set up a reminder for you.Once your appointments have been entered, you can quickly search through them based on words or dates.” Iterasi unveils bookmarklet, glimpse into potential for Web archive » Silicon Florist Iterasi now offers saving of web pages using a bookmarklet! Spice up your inbox with colors and themes (Official Gmail Blog) Gmail now supports themes…! Hot! goodsense - A green advertising network. “HELLO, WE ARE GOODSENSE. WE ARE THE PREMIER AD NETWORK FOR REACHING CONSUMERS WHO CARE ABOUT LIVING GREEN, THE ENVIRONMENT, AND SUSTAINABILITY.We provide advertisers with the opportunity to reach influential green consumers through well-vetted and relev OpenCongress.org: What’s Happening In Congress? at Ryan Is Hungry “A screencast for OpenCongress.org, an open source, collaborative website that helps citizens keep track of everything happening in Congress.” Adobe Labs - Alchemy Looks like Flash may go open source after all. About time. Google Analytics Tracking for Adobe Flash - Google Analytics Tracking Code - Google Code The Google Analytics Tracking for Adobe Flash component makes it easy for you to implement Google Analytics in your Flash-driven content. This component contains all of the functionality of the Google Analytics Javascript code, and is 100% compatible with Heekya | What’s your story? “Heekya is a social storytelling platform that will change the way you create, share, and discover stories. Heekya allows you to easily integrate photos, videos, audio and text to create interactive stories that can be shared with family, friends, and the Why Firefox Won’t Survive Chrome (Microsoft Watch) “News Commentary. It’s not a question of if but when Google will cut off Mozilla’s oxygen supply.” Yahoo! OpenID limited testing for Simple Registration support (Yahoo! Developer Network Blog) “Today, we are announcing the start of a limited test of the Simple Registration extension for the Yahoo! OpenID service. The Simple Registration extension allows OpenID RPs to request user profile data from the OpenID provider. Yahoo! will be providing Y YDN Forums -> OpenID General Discussion OpenID General Discussion”/> This is the place to give feedback and discuss Yahoo! OpenID The Faces of Mechanical Turk - Waxy.org “Last week, I started a new Turk experiment to answer two questions: what do these people look like, and how much does it cost for someone to reveal their face?” Social Patterns Wiki “The Designing Social Interfaces patterns wiki is a companion site to the book that Christian Crumlish and Erin Malone are currently writing for O’Reilly Media.We decided to share the patterns as we write the patterns and the book to get community feedb Track Your Push-ups With GiveMe27 Track Your Push-ups with GiveMe27Do your push-ups. Track it. Get stronger. Cyberscams Befriend Social Networks - BusinessWeek “Now fraudsters may log on as your “friend.” How Facebook, LinkedIn, and other social networking sites are fighting a rise in scams” spy :: visualizes the conversations on Twitter, Friendfeed, Flickr, Blogs and more. “spy can listen in on the social media conversations you’re interested in. What do you want to listen for?” CalorieKing - Diet and weight loss. Calorie Counter and more “Control your weight or your weight will control you. At CalorieKing, our mission is to put you in charge of your weight so you can enjoy the life you choose.” Workout Programs, Exercise Routines, and Food Diary | Gyminee “Gyminee is the premier fitness social network for detailed tracking, online accountability, and motivation. Whether you are trying to lose weight or get fit, it’s time to start taking your fitness seriously.” introPLAY: Train. Compete. Achieve. PLAY together. “introPLAY is an Athletic Performance Network where athletes train together as part of the introPLAY community. introPLAY is for both casual and committed athletes, from the weekend warrior trying to shed a few pounds to the experienced competitor trainin Getting Things Done with “Things”: a Review by Erik Hanberg | GTD Times Things.app is getting a lot of attention — deservedly so. Another decent review, with some suggestions for improvements. AddressBookSync | Facebook Picture Synchronization with OS X Address Book “AddressBookSync is a Mac OS X application to download Facebook profile pictures to Address Book cards. This is a handy tool to keep your contacts’ pictures updated if you have numerous Facebook friends in your Mac OS X Address Book.” The Age of Conversation 2: Why Don’t They Get It? by Gavin Heaton, Drew McLellan (Book) in Business & Economics “This book is a daring challenge to the business community. Gone are the top-down, command and control messages that held sway through the 20th Century. In are a raft of new techniques that start with listening, responding and action that set the scene fo 24C3: Building a Hacker Space “With the help of Design Patterns we will show you how to set up your own Hacker Space. The Design Patterns are based on more than 10 years of experience with setting up and running a Hacker Space.” Sni.ps | Know The Source “With sni.ps, content capture and attribution as easy as click and embed. Sni.ps tracks the original source of content, whether that’s a quote, a photo, video or a flash object. You respect your sources while you share content with your readers.” RunningAHEAD - Achieving goals through better information “RunningAHEAD offers a collection of free tools to help you train effectively. There is more to a training log than just entering statistics. It should be an integral part of your training, whether you are new to running or are a seasoned pro. At a minimu RunThere | Go! A running community. traineo | Fitness & Weight Loss Community Yahoo Improves Its OpenID Support - Webmonkey “Yahoo continues to make strides to improve its OpenID implementation. Thursday it announced limited testing for Simple Registration, which supplies profile data once a user logs in with their Yahoo OpenID.” Go Go Gadget OAuth Support - Webmonkey “Passwords are a little bit more secure now that Google added OAuth support to its iGoogle Gadgets. Developers can now use their gadgets to easily grab data from OAuth-enabled APIs. Using OAuth, users do not have to give their passwords to developers. Ins PdbTextMateSupport 0.3 “Display source code in TextMate while debugging with pdb. This module is used to hook up pdb, the python debugger, with TextMate, an advanced text and programming editor for Mac OS, enabling it to display the debugged source code during a pdb session.” NoiseBridge “Noisebridge is an infrastructure provider for technical-creative projects, collaboratively run by its members. We are incorporated as a non-profit educational corporation for public benefit.” Charlie Rose - A conversation with Lawrence Lessig “A conversation with Lawrence Lessig about his book “Remix”, and his former colleague Barack Obama.” Lifestreaming in Obamaland | Outside the Lines - CNET News Personally, I’m excited about a lifecasting president… but on the other hand, does it make someone who is supposed to be superhuman somehow more like us? Is that what the Palin phenomenon was all about? And is that really a good thing? antrepo — Modul 300 dpi Pixel Based Font “Modul 300 dpi Base was created for graduate thesis. This thesis presents font designs which are capable of covering what is demanded by the “digital age” and discusses the issues that need to be considered regarding the applications within this new age.” Keywordfinder - find the right keywords to increase search traffic and help your SEO “Keywordfinder helps you discover very successful keywords for any topic you enter. This allows you to write page copy that makes it much easier for people on the web to find your content.” Yahoo! Browser Plus Opening Up “Yahoo BrowserPlus, the technology platform from Yahoo that lets desktop and web applications interact, is going open source. The company announced the plans today on its blog, indicating they hope the move “will allow developers to rapidly extend the pla Open Sourcing BrowserPlus: Q & A with Lloyd Hilaiel (Yahoo! Developer Network Blog) “Lloyd Hilaiel from Yahoo’s BrowserPlus team answers some questions about how the project got started, what kept it alive, and how today we’ve announced our intent to open source this original technology, enabling open development on a platform for in-bro Sunlight Foundation’s Fortune 535 Just how much ARE our Congresspeople worth? Apparently, quite a lot. Obama CTO - Help set the priorities for the Obama administration “Barack Obama promised to use technology to make it easier for citizens to participate in government. Our goal is to provide our country’s first Chief Technology Officer (CTO) with one example of how this might work.” Politics4all - Political Social Networki |