OAuth Core 1.0 Final – Out the door into a service near you

At IIW 2007b OAuth Core 1.0 Final was released.

I wish I could attend IIW but I had previous work-related obligations that I simply could not get out of. I do hope to attend the next one (IIW 2008a).

Now it’s time to update the C# client to the latest and really final version of the spec.

Congrats to everyone involved with OAuth. It is a truly amazing group of people and I think we can all be proud of the outcome!

Corporate Identity and Identity Issues

There is a lot of buzz about Sun’s announcement of OpenID support and the fact that Sun will be giving OpenIDs for all of its employees.

While this is indeed good news for the identity community in general and for the OpenID community specifically, it got me thinking about the implications of such a move, in which a big company OpenID-enables all of its employees.

If a company OpenID-enables all of its employees and its OpenID server is usable for outside parties to authenticate against, it means that now every employee of that company, when authenticating with his/her OpenID, can be verified as an employee of that company (providing that no one spoofs the domain and DNS settings, etc.).

On one hand, now when I read a forum post or blog comment that was created by a certain company employee who authenticated using his/her corporate OpenID account, I can evaluate that this person indeed works for that company and take that into account when evaluating the things he/she said.

On the other hand, it loosens the rope around the employees’ necks and allows them to express themselves under their corporate identity which, in some cases, may circumvent the PR department. Since we already know (or can verify) that this identity did come from that company, it can cause PR hell (or goodness, depends on the information :-) ).

The only way to properly utilize this power is to educate corporate users on identity issues, not just the rest of the users using the internet. The corporation will greatly benefit from that by avoiding PR hell, and the users will gain a better understanding of the internet and online identities, which is always a good thing to educate people about in this always-on, publicly accessible and fast world we live in.

What do you think on the subject of corporate identities?

Will better education of people regarding their online identity, and separating their corporate identity from their personal identity, help everyone better understand when they are in their corporate hat and when they are on their own?

I wonder what would be the best ways of educating people about that? Should it start from having multiple user names when sharing a single computer?

The new and slick myOpenID.com

I’m probably the last person to talk about it, but myOpenID.com has a cool and slick new design [via Scott’s blog].

They also added a cool new feature, client-side certificates, so when you install such a certificate on your machine you don’t need to do anything to sign in. It does all that for you!

Just remember to NOT use it on public computers or on computers that are being used by more than one person and do not have different user names for each person.

Congrats to Scott and all of the fine team at JanRain!

In the transition, one thing was lost though, my personal icon. It wasn’t a biggy cause I uploaded it again. On the other hand, if I hadn’t read about the redesign of the site I would have probably thought I was hijacked to a different one :-) (not!).

Twitter and OpenID

Dave Winer says:

“[…] we could make Twitter the open identity system we’ve been looking for. Make your Twitter ID the one that you use to log on to other service […]”

I say let Twitter support OpenID with all of the good Relying Party Best Practices including (but not limited to):

  • Ability to associate an existing account with an OpenID
  • Ability to switch to another OpenID (sort of a password recovery for OpenID)
  • Ability to create a new account directly with an external (non Twitter) OpenID (be a standard relying party)

If they want to, they can also be an OpenID provider (which should be good for them, of course ;-) ).

OpenID, Trust, Vendor Locking and Delegation

There is a lot going on about OpenID these days and a lot of claims are being raised which prevent greater adoption of OpenID by users.

One of these claims is about Trust and Vendor Locking. How can I trust a certain OpenID vendor? After all, gaining access to my OpenID account will give access to all of the sites I’ve signed in/up using OpenID.

This is a legitimate claim, since it reminds everyone of how Microsoft Passport.NET Live ID is not that successful being a one-vendor, non-transferable identity.

One of the key elements of OpenID is that it’s decentralized and there is no one body that controls it, but if a user signed up to a certain OpenID vendor they are essentially locked into that vendor unless they have the proper skills or items that allow them to perform delegation.

Having delegation is exactly the thing to make all of these claims go away, since delegation gives the power back to the user. The underlying OpenID vendor will supply the service but everything MUST go through the user’s domain to get to the vendor, thus allowing the user to change vendors without being locked in.

The problem with delegation, however, is that it requires a certain amount of preparation. You either need to have your own site/blog and add the necessary <head> tags or you need to use a service like FreeYourID.com (I’ve previously written about it here) which gives you a URL composed out of your name (using the .name domain).

The problem with the solution of FreeYourID.com is that it’s only one .name vendor that provides this service. Although they are responsible for the whole .name TLD, it is still a sort of vendor locking. If all .name providers will support such a service, things will look much better.

To sum things up, a possible answer for the claims about OpenID, Trust and Vendor Locking is to simply highlight the benefits of delegation and provide all of the necessary technical means needed to make this as easy as possible.

Below is a list of a couple of ideas I thought about (some are more of a wishful thinking since they don’t depend on the OpenID community alone) which might make things easier for everyone:

  • Support for OpenID for .name domains available with all the .name providers
  • Built-in support for Delegation in blogging platforms including hosted ones such as WordPress.com, Blogger, TypePad and the rest (for WordPress blogs that are on your own server/domain you can use my OpenID Delegation plugin :-) )
  • Support for migrating existing accounts in existing sites to an OpenID account, thus allowing users to consolidate their various accounts on various sites into an OpenID account.
  • Support for migration of accounts between OpenID vendors including support in the OpenID spec to figure out a permanent redirection and perform a necessary fix up (similar to a permanent redirection performed in HTTP).

Technology is supposed to make things easier for everyone and lower the barrier of participation so that everyone, regardless of their skills, can use technology for their benefit. Let’s lower the participation barrier for OpenID and let everyone claim their own identity.


If you haven’t done so already, go check out (and hopefully use, afterwards) idproxy.net.

As written in idproxy.net’s about page:

idproxy.net acts as a bridge between these two worlds. You can sign in to idproxy.net using your Yahoo! account, and then create one or more OpenID accounts for use elsewhere on the Web.

Basically, if you have a Yahoo ID, you can sign-in and create an OpenID for yourself at idproxy.net thus allowing you to use your Yahoo ID and password to connect to any OpenID supported site.

Go try it out!

idproxy.net is written by Simon Willison. You can read more about the service in this post on his blog.

OpenID Delegate Plugin for WordPress

Continuing my WordPress plugin frenzy and after releasing the MicroID WordPress plugin, I’m releasing another plugin, this time for OpenID delegation.

The plugin is named “OpenID Delegate” and you can read all the details and download it from here.

Q: So what’s this OpenID I’ve been hearing about?
A: According to OpenID.net:

OpenID is an open, decentralized, free framework for user-centric digital identity.

OpenID starts with the concept that anyone can identify themselves on the Internet the same way websites do-with a URI (also called a URL or web address). Since URIs are at the very core of Web architecture, they provide a solid foundation for user-centric identity.

What does it mean? Well, basically it means that if you have an OpenID account on an OpenID server and you are accessing an OpenID supported site (see the list of them here) you can use a special URI that your OpenID provider provides you and the password you have chosen to sign-up (and afterwards sign-in) to these sites.
That’s right. You’ll use the same URI and password to sign-in and up for all OpenID supported sites. This is also referred to in the enterprise (and the rest of the world) as Single Sign On or SSO for short.

Q: “So, what’s your OpenID Delegate plugin got to do with it?”
A: It’s quite simple. Assuming you run your own WordPress blog, wouldn’t it be cool to use your blog’s URL and the password provided by your OpenID provider as your URI of choice for signing in and up to OpenID supported sites? Yes it will!

Q: “But you could have just modified your theme and added the necessary meta tags…”

A: Yeap, I know I could, but it’s much easier having it as a plugin, allowing me to replace themes without remembering that I’ve added these values to the head tag.

Q: “Where do I get an OpenID account?”

A: Well… you have a couple of ways. First, you might already have an OpenID account if you have an account at either WikiTravel, LiveJournal, DeadJournal, Zooomr, Technorati, etc (see the rest of the list here. Not all of these sites are OpenID providers though).
If you don’t have an account you can open a free one at myOpenID – a free OpenID provider.

The 3rd option you’ve got is to run your own server (not for the faint hearted).

It’s time to own your identity, but if you can’t really own it (i.e. run your own server) at least delegate it and make others think you do!
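
The delegation discussed in the OpenID, Trust, Vendor Locking and Delegation post and in the Q&A above comes down to two <link> elements in the blog’s <head>. The following is an added example (not part of the original posts and not the plugin’s code) of how a relying party would read them under OpenID 1.1 discovery; the URLs and the names HeadLinks and discover_delegation are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class HeadLinks(HTMLParser):
    """Collect <link rel=... href=...> elements that appear inside <head> only."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "body":
            self.in_head = False
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            href = (a.get("href") or "").strip()
            for rel in (a.get("rel") or "").lower().split():
                self.links.setdefault(rel, href)  # first declaration wins

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def discover_delegation(claimed_id, html):
    """Return (server, identity) a relying party would use for claimed_id."""
    parser = HeadLinks()
    parser.feed(html)
    server = parser.links.get("openid.server")
    if not server or urlsplit(server).scheme not in ("http", "https"):
        raise ValueError("no usable openid.server link in <head>")
    # Without openid.delegate the claimed URL is itself the identity at the server.
    return server, parser.links.get("openid.delegate") or claimed_id

# Constructed sample: one blog URL, delegating first to vendor A and then to vendor B.
BLOG = "https://blog.example.org/"
PAGE_VENDOR_A = """<html><head><title>My blog</title>
<link rel="openid.server" href="https://openid.vendor-a.example/server">
<link rel="openid.delegate" href="https://alice.vendor-a.example/">
</head><body><p>Posts and reader comments go here.</p></body></html>"""
PAGE_VENDOR_B = PAGE_VENDOR_A.replace("vendor-a", "vendor-b")

if __name__ == "__main__":
    for page in (PAGE_VENDOR_A, PAGE_VENDOR_B):
        # The claimed identifier (BLOG) is the same; only the provider changes.
        print(BLOG, "->", discover_delegation(BLOG, page))
```

Links outside <head> are ignored, so markup that ends up in the page body (a reader comment, for instance) cannot change where the blog’s identity is delegated.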


I’m blogging directly from Eurekamp where I’ll start a presentation and discussion about Trust and Identity online. I’ll try to cover topics such as why do I need, how to do it (OpenID, OpenID, OpenID), and how to claim content that was generated by me (MicroID, MicroID, MicroID).

I’ll post some of the slides here after we finish.

The slides will be a bit disorganized, mainly because they are markers to the points in the presentation/discussion and do not represent a standard presentation.