Privacy and open government: conversations with EPIC and others about OpenID

by Andy Oram | @praxagora | comments: 2

A few days ago I proposed a way to offer more privacy to people visiting government web sites. This blog builds on that proposal, which was largely technical, by examining the policy and organizational issues that swirl around it.

My ideas are informed by a discussion I had with Lillie Coney, Associate Director of the Electronic Privacy Information Center. The blog is also inspired by two comments on the earlier blog and brief email I exchanged with one commenter, which intertwine with Coney's in intriguing ways.

As I said in the first blog, my proposal focused on a very narrow question driven by the Obama Administration's interest in revising a memorandum from 2000 concerning the use of cookies in web browsers. The proposal suggested a way to better approach anonymity, but didn't look at the related social and political issues:

• The kinds of privacy and the degree of privacy people want
• When it's appropriate to make visitors identify themselves, or at least to provide some persistent identity
• Whom people trust to maintain identity information

This blog offers a number of points about those issues. The sections are:

• Can the government be your friend?
• Anonymity, pseudonymity, and participation
• Who should run an OpenID server?
• Thought experiment: could federal agencies offer anonymous authentication for whistle-blowers?

(continue reading)

Getting OpenID Into the Browser

by David Recordon | @daveman692 | comments: 56

Google Chrome did a smart thing: Less. They unified the search box and address bar, since that's what people do anyway. That gives us back precious pixels for the only thing that's as important to an average web user as where they're going: Who they are. Identity belongs in the browser. Don't just believe me, just this week ReadWriteWeb talks about The End of Online Anonymity and TechCrunch on how Facebook Connect is the Biggest Battle Yet For Social Networks: You, Your Identity And Your Data On The Open Web.

As Web 2.0 took root, the ability to login to a site, store preferences and build a profile became ubiquitous. Beyond reading news or blogs, it's fairly rare that you're on a site where you're either not logged in or don't have the ability to login. The downside is that just about every site requires you to create a new account and have cookies to keep you logged in. Thus when your cookie disappears, you have to login again. Maybe your browser's password manager eases this pain, but there are plenty of people that would be in a world of hurt if their browser every forgot all of their passwords (or they use a friend's computer).

If we remove passwords from the equation and instead use OpenID, there's the notion that upon visiting an OpenID enabled site (now numbering more than 25,000 across the web) you'll most likely submit a form telling that site about your OpenID. I might go to MapQuest and login by typing in my OpenID "http://www.davidrecordon.com/" or Ma.gnolia and clicking a "Sign up with a Yahoo! ID" button. These interactions, with various tweaks around them, are very much the status quo today. If OpenID wishes to see true mainstream adoption, this will need to change.

Imagine if your web browser really knew who you were on the web. Just as you login to your computer, what if when you fired up your browser, it said "Hello Dave" and asked you to "unlock it" as well (Chris Messina was quite influential in my thinking about it this way). In doing so you become securely logged into your OpenID provider (or maybe more than one of them) and as you move around the web your browser takes care of automatically logging you into the sites that you want to be, asking you about others, and helping you register with new ones using your OpenID. Argue as much as you want about the details in making this happen, but I think it's hard to disagree that making it easier for people to manage and use their identity (or identities) online is a bad thing.

There are a lot of proposals around how current OpenID interactions will change - a great summit on OpenID usability was held a little over a month ago - and whether it be more one-click buttons, less buttons, bigger logos, or email addresses I think it's also worth looking at what it will take to really get the browser involved. This certainly isn't a new idea, every major browser has the ability to remember passwords and FireFox even has those pesky user profiles so that people could theoretically have different cookies, bookmarks and other settings.

In the internet identity space this isn't a new idea either. Information Cards (more widely known by Microsoft's CardSpace implementation in Windows) have credit card like rich desktop integration built using WS-* and SAML. Dick Hardt's team up in Canada has built Sxipper for FireFox which helps with both OpenID and normal web forms as well. When I was working for VeriSign, we developed the OpenID Seatbelt which is also a FireFox extension designed to make OpenID easier and prevent phishing by detecting OpenID enabled sites and your provider.

Today, MySpace, Flock and Vidoop released a prototype of their implementation toward this vision with OpenID for Flock. All three of these browser plugins help you manage your OpenIDs, detect when you're on an OpenID enabled site, and then make it easier to sign in. To me, what Sxipper aspires to enable feels the most useful for a mainstream user.

OpenID for Flock is an add-on that polishes previous attempts of putting OpenID into a browser. While the user experience and graphics are quite a bit better than what I helped build at VeriSign, it's lacking the features that help prevent phishing (making sure you're actually logging into your OpenID provider versus a phishing site that looks like it) which is a bit surprising given Vidoop's involvement. That said, OpenID for Flock is Open Source as part of a project dubbed IDentity in the Browser (IDIB) which the same cannot be said for either Sxipper or VeriSign's OpenID Seatbelt. Given that IDIB is Open Source and already written as a Flock add-on, I'd certainly expect to see it ported to FireFox and there be far more community support of it compared to the other add-ons.

So where do we go from here? I don't know how to write great browser plugins so just doing it is out. It's great to see Flock's direct involvement in this Open Source effort as it shows browser vendors innovating and experimenting with how their own products must evolve to support identity. Maybe this will cause the other browser vendors to think seriously about what they too could be doing in future versions to help make identity management easer and more secure on the web.

In my mind, Gears can help us get there. While it started as a project by Google to evolve web browsers faster and add needed features like offline support, it's grown beyond that with offline support now coming in HTML 5 and a new Geolocation API. Today Gears runs on half a dozen different browser/platform combinations including FireFox, Internet Explorer, Safari, Chrome and Android. If there was ever a developer platform to build an Open Source cross browser implementation of what OpenID support might look like, Gears seems like the place to do it. Not only does this mean that we'll need to write less code to have it work in multiple browsers, but ideally if it became mature enough maybe the Gears team would choose to ship OpenID support as well? All of a sudden, the community could be down from a handful of browser plugins to one leading Open Source example.

What do you think? Do you agree that identity is becoming as essential to a browser as location? Should we content ourselves for issues like security to be relegated to a few dozen-pixel lock icon, or have Big-Red-Phishing-Warnings set a standard that important issues deserve significant real estate? Really though, should the browser become more actively involved in how you use the web on a daily basis?

Microsoft Releases a Technology Preview of OpenID for Windows Live

by David Recordon | @daveman692 | comments: 6

This morning at Microsoft's Professional Developers Conference, the Windows Live ID team announced that Windows Live ID will support OpenID 2.0 with a Community Technology Preview today and production support sometime next year.

Beginning today, Windows Live™ ID is publicly committing to support the OpenID digital identity framework with the announcement of the public availability of a Community Technology Preview (CTP) of the Windows Live ID OpenID Provider. You will soon be able to use your Windows Live ID account to sign in to any OpenID Web site!

Microsoft joins Yahoo! who implemented support for OpenID earlier this year for all of their accounts. By sometime next year, every AOL, Microsoft and Yahoo! user will have an OpenID which makes the emerging focus on improving OpenID's user experience even more important.

Angus Logan from the Live team has put together a quick screencast showing the current developer oriented process for testing the Windows Live ID OpenID Provider with an OpenID 2.0 enabled site.

Windows Live ID OpenID Provider Screencast from Angus Logan on Vimeo.

While this is great news from Microsoft, real web-scale adoption of technologies always faces a chicken-and-egg problem between developers and vendors. Developers don't want to adopt a technology without buy-in from platform providers and platform providers don't want to support a technology if developers won't use it. We've largely been able to successfully avoid this concern with OpenID as it grew from roots in an open source community with lots of people and companies involved in making OpenID what it is today. There are now well beyond half a billion OpenIDs available on the web which means we can mark the first phase of OpenID adoption, platform support, as a success.

The next phase of developer adoption will not be measured in the number of OpenIDs or sites that support it, but rather user experience, accessibility, and seamlessness of integration into a wide variety of applications and experiences.

Portable Contacts API Starts to Get Real

by David Recordon | @daveman692 | comments: 13

This evening Joseph and John of Plaxo and I have been hosting a hackathon at Six Apart for the Portable Contacts API (video about PorC). The Portable Contacts API is designed "to make it easier for developers to give their users a secure way to access the address books and friends lists they have built up all over the web."

We originally expected a handful of people to show up and hack on implementing bits of the specification, but so far have been blown away at the progress made and about the twenty people that came. Tomorrow is a summit style meeting hosted by MySpace also in San Francisco to try to finalize the specification among a wide range of providers and consumers. I'm expecting a handful of interesting demos, but wanted to share two that have already come together tonight.

Joseph Smarr and Kevin Marks of Google hacked together a web transformer that integrates Microformats, vCard, and the Portable Contacts API. Given Kevin's homepage which is full of Microformats, they've built an API that extracts his profile information from hCard, uses a public API from Technorati to transform it to vCard, and then exposes it as a Portable Contacts API endpoint. Not only does this work on Kevin's own page, but his Twitter profile as well which contains basic profile information such as name, homepage, and a short bio.

Brian Ellin of JanRain has successfully combined OpenID, XRDS-Simple, OAuth, and the Portable Contacts API to start showing how each of these building blocks should come together. Upon visiting his demo site he logs in using his OpenID. From there, the site discovers that Plaxo hosts his address book and requests access to it via OAuth. Finishing the flow, his demo site uses the Portable Contacts API to access information about his contacts directly from Plaxo. End to end, login with an OpenID and finish by giving the site access to your address book without having to fork over your password.

While the individual building blocks are fairly geeky themselves, pulling them together like has been happening tonight shows that we're only at the beginning of building the next generation of social networks. When the pieces work together, people won't have to know what's going on under the hood; it will just work--and will be almost like magic. John has more photos up on his blog.

Building Better Silos

by Mike Loukides | @mikeloukides | comments: 17

It's been good to watch the use of OpenID spread. It's great to see that ma.gnolia.com has dropped "traditional login" in favor of OpenID. And I was encouraged to read about Yahoo's support of OpenID. Granted, it took me a while to get around to trying it.
But when I got around to trying it, Yahoo!ID was a disappointment. The promise of OpenID is to return ownership of ID to the users, and to eliminate identity silos, in which the big sites compete to own your identity and your data. If that's the goal, Yahoo!ID may not be a step backwards, but it's certainly not much of a step forwards.

(continue reading)