Simon Willison’s OpenID and decentralised social networks talk at Webstock 2008 illustrated OpenID’s user experience, potential issues, and role in building a de-centralized social network online.
OpenID
- Enables people to select trusted identity providers and use them to securely sign in to and engage with any Web application that chooses to support OpenID.
- Augments existing account mechanisms: applications store the OpenID alongside application-specific data in their existing user account table.
- Can also help people fill in account creation forms. The OpenID 2 standard has an Attribute Exchange extension that covers any kind of information you may want to pass back and forth between the application and the identity provider.
- Is a Web page for machines: the page carries a link tag that identifies its OpenID provider. To find out whether someone owns it, you send them to that provider and have them authenticate there, through user name & password, client SSL certificates, SMS, instant messenger, hardware tokens, or image sequences (vidoop.com).
- About more than single sign-on: if an identity provider incorporates a service like IM, an application can send messages to the user where they are already authenticated.
- People are likely to have more than one OpenID identity.
Problems with OpenID
- Usability: the first time you authenticate with a service using OpenID is more complex than simply registering for the site. On subsequent visits, however, entering your OpenID alone is enough to gain access.
- Usability: people are unclear on what a URL is. Signing in with a URL is pretty foreign to most folks.
- Security: susceptible to phishing. Rogue sites can mimic the design of identity providers, and with OpenID the normal flow is that an untrusted site sends you to your trusted provider, which is exactly the step a phishing page imitates.
- Security options: Yahoo! sign-in seal stored in a Flash cookie, the VeriSign SeatBelt browser extension, or the Windows CardSpace desktop solution.
Building a Decentralized Social Network
- Accumulate profile pages across the Web; for example, a last.fm music profile could be used on upcoming.org to recommend events.
- XFN microformat (rel="me"): a rel="me" link from one profile page to another, reciprocated by the other page, lets you build a bi-directional profile relationship.
- A decentralized network requires the ability to take our friends with us. Google launched the Social Graph API, which crawls relationship data and finds your friends.
- OAuth is an open standard for secure API authentication, the same process that Flickr uses to authenticate applications.
- Components for a decentralized social network: OpenID, accumulated profiles (enabled through the XFN microformat), a friends list, and a compilation of friends' activity (aggregation of vitality).
- Need a de-centralized vitality feed. This can be provided by the XMPP protocol.
- Standards for a de-centralized social network: OpenID, OAuth, XFN and FOAF, XMPP
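The bi-directional rel="me" relationship above is what lets a crawler such as a social graph API treat two profile pages as the same person: a one-way link is only one page's claim. The following added example (not code from the talk) walks a set of constructed profile pages and accepts a linked profile only when it links back; the hostnames and page contents are invented for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

def normalize(url):
    """Canonicalise a profile URL (scheme/host case, trailing slash); drops query and fragment."""
    p = urlsplit(url.strip())
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path.rstrip("/") or "/", "", ""))

class RelMeParser(HTMLParser):
    """Collect targets of <a> and <link> elements whose rel list contains 'me'."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.targets = set()

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        a = dict(attrs)
        rels = (a.get("rel") or "").lower().split()  # rel is space-separated, e.g. "me nofollow"
        if "me" in rels and a.get("href"):
            self.targets.add(normalize(urljoin(self.base_url, a["href"])))

def rel_me_links(url, html):
    parser = RelMeParser(url)
    parser.feed(html)
    return parser.targets

def verified_identities(start_url, fetch):
    """Profiles that start_url links to with rel="me" AND that link back the same way.
    A one-way rel="me" is just one page's assertion; reciprocity is what makes it evidence."""
    start = normalize(start_url)
    verified = set()
    for candidate in rel_me_links(start, fetch(start)):
        if start in rel_me_links(candidate, fetch(candidate)):
            verified.add(candidate)
    return verified

# Constructed sample pages standing in for fetched profile HTML (hypothetical hosts, not real sites).
PAGES = {
    "http://alice.example/": '<a rel="me" href="https://bob.example/profile/">me on bob</a>'
                             '<link rel="me" href="https://old.example/alice">',  # never reciprocates
    "https://bob.example/profile": '<a rel="me nofollow" href="http://alice.example">homepage</a>',
    "https://eve.example/": '<a rel="me" href="http://alice.example/">I am Alice</a>',  # one-way claim
}
fetch_constructed = lambda url: PAGES.get(url, "")  # stands in for an HTTP fetch of the page

print(verified_identities("http://alice.example/", fetch_constructed))  # {'https://bob.example/profile'}
print(verified_identities("https://eve.example/", fetch_constructed))   # set()
```

Only bob.example survives: the stale old.example page never links back, and eve.example's claim to be Alice is rejected because Alice's page does not claim it in return.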