Dear Internet
September 22, 2006
I’m doing it again but hopefully for the last time. I’m too much of a dork and want to be able to hack on my blog more than I can from the wordpress.com interface. But alas! Have fear! My new blog is super uber improved and still running on WordPress! Thanks Matt and the rest of the Automattic team!
You can find my new home at http://kveton.com/blog. See you there!
Thanks for your patience,
The Management
OpenID Questions
September 1, 2006
I often receive questions from folks via email about OpenID. I like getting the notes but always feel like I could be doing more in terms of answering them. Plus I’m a geek so if I do something more than once I think there should be a bash/perl script to do it for me. Here is one of the questions I recently received (the names have been changed to protect the innocent):
If I create today an identity say at ‘bob.foo.com’, can I move that identity later to a different location? Say my initial identity is hosted by my employer, and I switch jobs, I would like my identity to come with me. For instance, are there mechanisms to:
* Not depend on the actual string ‘bob.foo.com’, but some actual key generated that actually is hosted in bob.foo.com?
* Be able to fetch the data so I can later host it at bob.newdomain.com?
This is not the first time we have heard this question come up. My advice today? Make sure you pick an OpenID that you’d like to have for a long time. There isn’t a solution for this yet as most of the solutions out there today (for example, i-names) require some sort of centralized registry. (Full disclosure: JanRain is bringing up an i-broker as part of the i-names eco-system). The main premise around OpenID has been de-centralization and simplicity. Having a centralized registry flies in the face of that as well as adds another level of complexity. What I’m saying is I don’t have an answer for this, but again, I believe the community and marketplace will solve this problem in the very near future.
I should also mention that from its inception, OpenID was meant for really light-weight applications. Yes, it’s maturing and adding new functionality that makes it more robust. However, if you change your blog from LiveJournal to WordPress today you can’t take your posts with you and more importantly your “identity” with you (unless of course you leverage something like claimID).
Finally, OpenID also has the concept of delegation. I can have two lines of HTML code on my site and delegate that to some identity provider. View source on Brian’s page to see an example of delegation in action. It’s not ideal, but it’s definitely a start and it does give users more of a sense of control.
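The delegation lookup described above, as an added example that is not part of the original post: a small Python sketch of how a relying party could read the two delegation lines from a page, taking them only from <head>, where the OpenID 1.x delegation tags belong, so that a look-alike tag in body content is ignored. The rel values openid.server and openid.delegate are the OpenID 1.x names; the sample page and its example.com / example.net URLs are constructed.

```python
from html.parser import HTMLParser

# Constructed sample page: the two delegation lines sit in <head>; the <body>
# carries a look-alike tag of the kind that could arrive in user-supplied content.
SAMPLE_PAGE = """<html><head>
<title>Bob's page</title>
<link rel="openid.server" href="https://idp.example.com/server">
<link rel="openid.delegate" href="https://bob.idp.example.com/">
</head><body>
<p>comment: <link rel="openid.server" href="https://injected.example.net/server"></p>
</body></html>"""


class DelegationParser(HTMLParser):
    """Collect openid.server / openid.delegate links found inside <head> only."""

    WANTED = ("openid.server", "openid.delegate")

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.head_done = False  # once <head> has ended, never re-enter it
        self.found = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head" and not self.head_done:
            self.in_head = True
        elif tag == "body":
            self.in_head, self.head_done = False, True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            href = (a.get("href") or "").strip()
            # rel is a space-separated token list, compared case-insensitively
            for rel in (a.get("rel") or "").lower().split():
                if rel in self.WANTED and href:
                    self.found.setdefault(rel, href)  # first value wins

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head, self.head_done = False, True


def discover(html_text):
    """Return (server, delegate); delegate is None when the page does not delegate."""
    p = DelegationParser()
    p.feed(html_text)
    p.close()
    return p.found.get("openid.server"), p.found.get("openid.delegate")


if __name__ == "__main__":
    print(discover(SAMPLE_PAGE))
```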
* What kind of security is there to prevent someone breaking into one of the openid servers from pretending to be me?
Today, it is a strong password. Verisign recently proposed the concept of security profiles: the ability to choose the level of security you use for different applications. Things like blogging or commenting in forums probably don’t require heavy authentication. As we move into the realm of doing more “important” stuff with OpenIDs, these profiles will be critical and give the users choice in terms of picking how much/how little security they want. I also see the opportunity for value-adds in this space on top of OpenID as great business opportunities. However, it all starts with a unique identifier and that identifier is your OpenID.
These security profiles will hopefully go a long way towards addressing possibilities with man-in-the-middle and phishing attacks. DNS poisoning is also still an option but IMHO one of those “The Internet Sucks ™” problems.
Are there any available OpenID servers that I can run myself?
As a matter of fact there are. Shameless plug: we’ve developed a PHP Standalone Server that is open source and soon to be part of the ASF Heraldry Project. In addition, Verisign will be donating the Ruby on Rails code base that powers their PIP identity provider to the Heraldry project as well. I’m sure we’ll see versions of these servers in many more languages soon as the libraries start to mature and proliferate.
BarCampEarth Announced
August 4, 2006
The most prolific community organizer and fire-in-the-belly-generator Chris Messina announced BarCampEarth which will happen all over the world August 25-27th, 2006. Who would have thought so many BarCamps would be springing up all over the world in such a short time?!
Way to go Chris and way to go to the BarCamp community the world over. I’ll be joining folks at BarCampPortland that weekend to join in the celebration/fun/antics. Hope to see you there!!