Webstock 2008: OpenID and decentralised social networks

by February 16, 2008

Simon Willison’s OpenID and decentralised social networks talk at Webstock 2008 illustrated OpenID’s user experience, potential issues, and role in building a de-centralized social network online.

  • Enables people to select trusted identity providers and utilize them to securely access and engage with any Web applications that choose to support OpenID.
  • Augments existing account mechanisms. Access providers store OpenID information in their user account table along with application specific data.
  • Can also help people fill in account creation forms. OpenID 2 standard has an attribute exchange that covers any kind of information you may want to pass back and forth between application and identity provider.
  • Is a Web page for machines: the page at the OpenID URL carries link tags that identify it as an OpenID and name its identity provider. To find out whether someone actually owns that URL, the application sends them to that provider's site, which authenticates them through user name & password, client SSL certificates, SMS, instant messenger, hardware tokens, or image sequences (vidoop.com).
  • About more than single sign-on: If an identity provider incorporates a service like IM, application can send messages from where the user is authenticated.
  • People are likely to have more than one OpenID identity.

Problems with OpenID

  • Usability: authenticating with a service for the first time using OpenID is more complex than simply registering for the site. On subsequent visits, however, the user only needs to enter their OpenID to gain access.
  • Usability: people are unclear on what a URL is. Signing in with a URL is pretty foreign to most folks.
  • Security: susceptible to phishing. Rogue sites can mimic the design of identity providers. With OpenID an untrusted site sends you to your trusted provider, so a rogue site can just as easily send you to a look-alike of that provider's sign-in page.
  • Anti-phishing options: Yahoo! sign-in seal stored in a Flash cookie, VeriSign SeatBelt browser extension, or the Windows CardSpace desktop solution.

Building a Decentralized Social Network

  • Accumulate profile pages across Web. Can use last.fm music profile on upcoming.org to recommend events.
  • XFN microformat (rel="me"): having this link allows you to build a bi-directional profile relationship.
  • Decentralized network requires the ability to take friends with us. Google launched social graph API that crawls relationship data and finds your friends.
  • OAuth is an open standard for secure API authentication: the same process that Flickr uses to authenticate applications.
  • Components for a decentralized social network: OpenID, accumulated profiles (enabled through the XFN microformat), friends list, compilation of friends' activity (aggregation of vitality).
  • Need a de-centralized vitality feed. The XMPP protocol can provide this.
  • Standards for a de-centralized social network: OpenID, OpenAuth, XFN and FOAF, XMPP
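Two of the machine-readable pieces above can be shown together: the link tags an OpenID URL carries to name its provider, and the reciprocal rel="me" check that turns a one-way XFN link into a bi-directional profile relationship. The code below is an added example written for these notes, not code from the talk; the HTML pages and URLs (alice.example, music.example, op.example, the impostor page) are constructed for illustration.

```python
from html.parser import HTMLParser


class LinkCollector(HTMLParser):
    """Collect (rel tokens, href) pairs from <link> and <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("link", "a"):
            return
        a = dict(attrs)
        if a.get("href") and a.get("rel"):
            self.links.append((set(a["rel"].lower().split()), a["href"]))


def openid_discovery(html):
    """OpenID HTML discovery: return (provider endpoint, local id).

    OpenID 2.0 uses rel="openid2.provider" / "openid2.local_id";
    the 1.x names "openid.server" / "openid.delegate" are accepted as fallback.
    """
    c = LinkCollector()
    c.feed(html)
    provider = local_id = None
    for rels, href in c.links:
        if provider is None and rels & {"openid2.provider", "openid.server"}:
            provider = href
        if local_id is None and rels & {"openid2.local_id", "openid.delegate"}:
            local_id = href
    return provider, local_id


def rel_me_links(html):
    """URLs this page claims as 'me' (trailing slash normalised away)."""
    c = LinkCollector()
    c.feed(html)
    return {href.rstrip("/") for rels, href in c.links if "me" in rels}


def reciprocal_rel_me(url_a, html_a, url_b, html_b):
    """True only if A links to B with rel=me AND B links back to A.

    A one-way claim proves nothing: anyone can put rel="me" to your
    profile on their page. Ownership is only established by the link back.
    """
    return (url_b.rstrip("/") in rel_me_links(html_a)
            and url_a.rstrip("/") in rel_me_links(html_b))


# Constructed sample pages (hypothetical hosts, not real sites).
ALICE_URL = "https://alice.example/"
ALICE_HTML = """<html><head>
<link rel="openid2.provider" href="https://op.example/auth">
<link rel="openid2.local_id" href="https://op.example/alice">
</head><body><a rel="me nofollow" href="https://music.example/alice">music</a>
</body></html>"""
MUSIC_URL = "https://music.example/alice"
MUSIC_HTML = '<a rel="me" href="https://alice.example/">my homepage</a>'
IMPOSTOR_URL = "https://evil.example/alice"
IMPOSTOR_HTML = '<a rel="me" href="https://alice.example/">totally alice</a>'
```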