Manage your online identity.

Two interesting pieces of OpenID news today:

1) “Blogger in Draft” has announced support for leaving comments via OpenID. This is big news if for no other reason that when Google breathes, the industry notices. Their implementation is good, but still needs some interface work and completeness with regards to delegation. I expect they’ll get things polished very quickly once any user-flow issues are dealt with. No doubt there will be many people eager to see how robust their solution is - if/when they roll this out across their other properties, OpenID becomes significantly more visible.

2) I saw announced today a new service from two self-described ‘research coneheads’ at Microsoft Research - InkblotPassword. InkblotPassword is an OpenID provider that allows your password to be a collection of self-descriptions of inkblots that the site provides. When you enter your username, your inkblots are shown to you and you enter your self-assigned ‘descriptors’. You end up with a very strong password that is easily remembered - since you’re actually being prompted by images that become familiar to you over time. Very fascinating. The interface is a little rough, but make sure to use the giant question mark help button on the upper-right. It will explain everything just fine.

See you at IIW next week. Come say hello.

Internet Identity Workshop, the bi-yearly identity open space, will be held December 3-5 2007 at Mountain View’s Computer History Museum. Organized by Phil Windley, Kaliya Hamlin and Doc Searls, these are (in our opinion) some of the most important and positive meetings for the identity community.

ClaimID will be attending (represented by Terrell), and this marks the first year we’ll be sponsoring the IIW. We’ve seen the impact of these wonderful meetings, and we wanted to do what we can to help move them forward. As we are a wee company, there’s still a lot of sponsorship need - so please consider sponsoring the IIW.

We look forward to seeing you in Mountain View in December!

OAuth

A few days ago, the minds behind OAuth launched the site and declared their spec at 1.0-final. This is big news as many sites are duplicating engineering efforts in creating their own APIs. OAuth is a standardized, open way of managing an API handshake for your web application. OAuth can be implemented by the application provider or by the consumer/widget.

From the front page:

An open protocol to allow secure API authentication in a simple and standard method from desktop and web applications.

It’s a valet key for web applications:

Many luxury cars today come with a valet key. It is a special key you give the parking attendant and unlike your regular key, will not allow the car to drive more than a mile or two. Some valet keys will not open the trunk, while others will block access to your onboard cell phone address book. Regardless of what restrictions the valet key imposes, the idea is very clever. You give someone limited access to your car with a special key, while using your regular key to unlock everything.

At claimID, we’re very excited to see this development, as we’ve been planning for an authenticated API for sometime. We hope to work through our own implementation soon. Congratulations to everyone associated with the OAuth progress. This is another step to making the web more open and interoperable.

As always, our friend Chris Messina is all over it:

Cheers and congrats to all the folks who helped to make this happen. It might be a relatively minor step in terms the development of new technology today, but looking out long enough into the horizon, I think we’re adding a significantly important piece of puzzle that’s been missing for some time.

Definitely an important piece, and until this past week, a missing piece.

OpenID.net

Additionally, OpenID.net got a facelift earlier this week. The new site is much cleaner and does a much better job of explaining what OpenID is, as well as what you can do with one. Congratulations to David Recordon and Scott Kveton for their hard work pulling things together. The OpenID Foundation now has a nicer place to call home as well.

Of course, we’re also tickled to be alphabetically blessed - we’re listed first on the “How do I get an OpenID” page:

Today, Joseph Smarr, Marc Canter, Robert Scoble, and Michael Arrington released A Bill of Rights for Users of the Social Web, calling for services to support a more open approach to identity information. The document is simple and effective:

We publicly assert that all users of the social web are entitled to certain fundamental rights, specifically:

• Ownership of their own personal information, including:
  • their own profile data
  • the list of people they are connected to
  • the activity stream of content they create;
• Control of whether and how such personal information is shared with others; and
• Freedom to grant persistent access to their personal information to trusted external sites.

Sites supporting these rights shall:

• Allow their users to syndicate their own profile data, their friends list, and the data that’s shared with them via the service, using a persistent URL or API token and open data formats;
• Allow their users to syndicate their own stream of activity outside the site;
• Allow their users to link from their profile pages to external identifiers in a public way; and
• Allow their users to discover who else they know is also on their site, using the same external identifiers made available for lookup within the service.

Not only are we proud to support this bill of rights, but I’m happy to report that we’re also in compliance with it.  At ClaimID, we’ve long innovated in the open-identity space; our work with MicroID and our deployment of OpenID-based social networks stand in evidence.  At the same time, we’ve always respected your identity rights, giving our users control to do what they’d like with their data.  We’ve always known that being open and forthwith is the right approach, and we’re certainly pleased to see these values gaining so much traction.

Our users have asked for this for a while - and we’re glad to finally see it out of development.

We’re happy to announce that we’ve got SSL enabled now at claimID.com. You should be able to login to your existing account at https://claimID.com. Those of you reading who don’t already have an account can register with the knowledge that there’s nobody in the middle watching your password. Additionally, the change_password page is encrypted as well.

We’ve chosen to only enable a few points of the site - where your password is used. The rest of the site (and your OpenID URLs, most importantly) have not changed. This is important because your OpenID is your login to other sites - and a change from http to https would effectively change who you are at those other sites. But fear not - you’re still you.

Thanks to everyone who asked for this. It’s been a long time coming.

A new post from Alavilli Praveen on the dev.aol.com site mentions the ongoing and recent upgrades to the AOL account management tools. They have integrated OpenID and have put the functional pieces in place for other AOL products and services to add OpenID via OpenAuth.

Additionally, this is news since they are only allowing OpenIDs from a select group of hosted services at this time. Of course, we’re happy to be right there near the top.

Original post - AOL & OpenID - Status Update:

Since the AOL Account Management site is something in our control, we went ahead and added OpenID support to it - even though user’s cannot really do anything in there apart from changing their profile information.

We currently support OpenIDs from the following OpenID providers:

1. myopenid.com
2. claimid.com
3. livejournal.com
4. verisignlabs.com
5. myvauthid.com
6. openid.sun.com
7. myvidoop.com

We are open to accept OpenIDs from other providers too - so please contact us via AOL Developer Site with your information.

We’re a little late on this news, but we wanted to congratulate Drupal, Plone and dotnetnuke, the first three recipients of the OpenID Foundation code bounties. Scott Kveton writes:

The OpenID Foundation is pleased to announce today that it has awarded three code bounties, $5000 each, to Drupal, Plone and dotnetnuke. The announcement was made today during the State of Lightning Talks at the O’Reilly Open Source Conference here in Portland, OR.

The bounty program was announced last year at OSCON ‘06. The bounty is on-going with 7 more bounties to be claimed. These awards come on the heels of the creation of the OpenID Foundation which is aimed at helping fostering the work of the OpenID community.

For more information about the bounty program and how you can participate, head on over to http://iwantmyopenid.org/bounty.

Great work to all on pushing OpenID forward.

We’re pleased to announce that we’ve built a ClaimID application for Facebook. This simple application will display your verified ClaimID account (verified with OpenID) on your Facebook profile, allowing people who visit your profile to have a trusted link to your ClaimID page. Here’s what the app (when added) looks like:

If you’d like to check out or add the app, you can visit its page here, or you can visit the app’s canvas page here. Feel free to add feature requests to the app’s wall, or just send us a note to info @ claimid.com.

And yes - its been a little quiet here for the past month, but with a wedding and international travel, we’ve been busy! But we’re glad to be back with this new feature for Facebook users.

Information Week’s Nick Hoover has penned a thoughtful article on the challenges of online reputation, and you can read the Slashdot coverage here.  ClaimID is featured in the article, alongside a number of web and identity luminaries such as Jimmy Wales, David Recordon and Kim Cameron.  The article is a thoughtful treatment of the very challenging problem we’re collectively trying to solve.  Without a question, identity and reputation are two long-term, large-scale challenges.  We’re excited to have come as far as we have, and we look forward to continued work and innovation in the area.

Yesterday, the announcement that Sun would offer “trusted” OpenID’s to its employee network has created a bit of buzz around the identity blogosphere. To break it down a little, two particularly interesting points emerged. First was simply the idea that Sun would support and offer OpenID’s was noteworthy - they stand with Microsoft and AOL as large vendors embracing OpenID in one way or another. Second was the assertion of a trusted OpenID space. As Tim Bray wrote:

What’s more interesting is that we’re rolling out an OpenID provider, but with a twist: You can’t get an OpenID there unless you’re a Sun employee, and if someone offers an OpenID whose URI is there, and it authenticates, you can be really sure that they’re a Sun employee. It doesn’t tell you their name or address or anything else; that’s up to the individual to provide (or not).

…

The applications are obvious; if anyone wants to offer deals or special treatment online to Sun employees, well, that’s easy now. (I know of at least one company named after a fruit whose online store offers a nice Sun employee discount based on knowing a “secret” URL; this would have to be a much better alternative).

Phil Windley asks the right questions:

Still, I like that Sun’s taking OpenID seriously. Ignore the employee status as URL issue and just concentrate on the asserted strength of the authentication process, if you like. Even so, there are still some flies in the ointment.

• First, how do we know this is true, except that Tim says it?
• More importantly, how does a machine know it’s true?
• How do we avoid huge whitelists of machines who’s OpenIDs we trust (or blacklists of machines we don’t)?

While a number of individuals took umbrage at some of the language and assumptions Bray made in his post, JanRain CTO Michael Graves ultimately sees it as a positive event.

At any rate, it’s worth noting here that Sun’s announcement is proof positive that solutions to big problems often start out small (see Tim’s closing line of his post). Sun’s deployment of openid.sun.com isn’t a silver bullet for the problems of internet identity — not by a long shot — but this is a practical, simple step forward that, embraced widely by other organizations, will effect long-sought improvements in trust and trust and identity as building blocks for network applications.

I see this as a positive as well. When major vendors start adopting and running open-source, public domain projects like OpenID, there’s generally a halo effect. Of course, the politics of the project get more complex, but that’s to be expected. Ultimately, the challenges of enforcing and trusting domains seems a lot like some of the exceptions people raise to the MicroID standard, but with good policies, I believe its a solid direction. Certainly, one can imaging higher-ed institutions implementing something like what Sun has done, which is something I’d love to see.