Ev Williams wrote a good blog post on identity yesterday, which I suggest you go and read. The odd thing is that he leaves out the publicly articulated thoughts that we use blogs, Twitter and other services to publish as an expression of our identity. Before I get to that, though, I'd like to connect his facets back to the open specs that represent these aspects.
Authentication
Ev mentions OpenID here, and is essentially correct that it is not helpful on its own. It was designed to verify URLs for blog comments. If all you do is use OpenID, you just replace logging into your site with logging into another, adding extra confusion without much benefit. However, once you have a URL for someone, you can then discover further information about them, by examining that URL and its links. Microformats can encode this directly in the webpage, or you can use related links to discover API endpoints for more.
The distinction between Authorization and Authentication is elided by Ev, and in practice OAuth has been winning out over OpenID, as it is explicitly an Authorization API that has Authentication as a side effect. The new OpenID Connect proposals try to remedy both these failings by using OAuth and by standardizing on how to list other endpoints.
Representation
Here Ev is looking for what is commonly called profile information. We have some mature standards for this - vCard is widely used by email clients, and is currently going through another standardization round to add modern features. The hCard microformat gives a simple way to embed profiles in web pages. Also, the rel="me" part of XFN makes it straightforward to link together web pages that represent different aspects of your public representation. This is supported by Facebook, Twitter and Google, but sadly not by about.me, which Ev praises.
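As an added example (not code from this post or from any of the specs), here is one way a consumer can treat rel="me" links: a one-way link is only a claim, so the sketch accepts a profile only when the target page links back. The URLs, page contents and function names are constructed for illustration, and the reciprocity check is an assumption about how a careful consumer would use the links.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

def normalize(url):
    """Lowercase scheme and host, drop trailing slash and fragment."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path.rstrip("/"), p.query, ""))

class RelMeParser(HTMLParser):
    """Collect href targets of <a>/<link> elements whose rel list contains "me"."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = set()

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        attr = dict(attrs)
        rels = (attr.get("rel") or "").lower().split()  # rel is a space-separated token list
        if "me" in rels and attr.get("href"):
            self.links.add(normalize(urljoin(self.base_url, attr["href"])))

def rel_me_links(url, html):
    parser = RelMeParser(url)
    parser.feed(html)
    return parser.links

def confirmed_profiles(start_url, pages):
    """Profiles that start_url claims with rel="me" and that claim it back."""
    start = normalize(start_url)
    confirmed = set()
    for target in rel_me_links(start, pages[start]):
        html = pages.get(target)  # a page we could not fetch stays unconfirmed
        if html is not None and start in rel_me_links(target, html):
            confirmed.add(target)
    return confirmed

# Constructed sample pages, keyed by normalized URL (no network access needed).
PAGES = {
    "https://blog.example": '<a rel="me" href="https://social.example/alice">me</a>'
                            '<a rel="me" href="https://video.example/celebrity">also me</a>'
                            '<a rel="friend met" href="https://blog.example/bob">Bob</a>',
    "https://social.example/alice": '<a rel="me nofollow" href="https://blog.example/">blog</a>',
    "https://video.example/celebrity": '<a rel="me" href="https://official.example/">site</a>',
}

if __name__ == "__main__":
    print(sorted(confirmed_profiles("https://blog.example/", PAGES)))
```

The blog's claim on the video profile is dropped because that profile does not link back, and the "friend met" link is ignored because "met" is a different rel token from "me".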
If you want a general data format for profile data, Portable Contacts is what you need.
Communication
Ev's emphasis on email addresses here illustrates the problem with them: they are primarily write-only, and though we persist in using them for log-in IDs, they are not readily discoverable. The WebFinger spec gives a way round this - a way to go from an email address to endpoints for other readable identity standards. Other communication standards have piggy-backed on email addresses, such as Jabber and Wave.
Personalization
This hints at the glaring gap in Ev's model, the expression of personal taste and preference. This is commonly done by reviewing, and we have the hReview microformat to express that, but it can also be useful just to track a history of media played or places visited to derive preferences over time. Here Activity Streams are an obvious fit, and it would be good to map such proprietary formats as Amazon purchases, Last.fm scrobbles, iTunes played songs and so on into a common format to derive this.
One model we can use for this is tagging - associating keywords with things. Many feed specs have tagging built in, and the rel="tag" microformat is a way of indicating these publicly.
Reputation
As Ev says, this is problematic, and also often highly contextual; I may trust someone's advice on restaurants without listening to them about which programming language to use. Reputation and trust are subtle, deeply human and very hard to model. The best answer here may be to rely on the power of faces and following; if we attach the face of someone we know to their public statements, we can decide for ourselves how much weight to give them.
Which brings me back to my opening point. When we decide who to pay attention to online, we tend to rely on what they say; if you get an @ reply on Twitter, clicking on that person's name to see their most recent comments is hugely useful in deciding how much attention to pay to them. Similarly, the history of public blog posts, or their reviews of movies, music, books or restaurants are other reasons we may follow them, and our identity is most strongly formed from the stories we tell and retell about ourselves. Feeds, whether in Atom, RSS or hAtom, and Activity Streams give rich representation of our thoughts, opinions and actions.
Whom we choose to associate with or follow is also an expression of our identity, and a useful signal when deciding how much attention to pay to someone, and XFN and Portable Contacts are both useful in discovering these connections.
Dare Obasanjo also responded to Ev's Identity post, and added payment, as well as friends, as missed aspects. I'd love to discuss this further with both Ev and Dare at the Internet Identity Workshop next month, which is where many of the specs mentioned above were conceived and agreed. Maybe Ev can bring some others from Twitter with him too; their past contributions to OAuth were highly useful and there is plenty more to get our teeth into, as Ev's post shows.
That is the simplest and clearest explanation of Open ID I have read. I always wondered how it was supposed to solve identification on the Web and just assumed I was misunderstanding something.
That's the clearest explanation of Open ID I have read. I always wondered how it would solve identification on the Web and just assumed I was misunderstanding something.