At last! Good news last night from the Internet Identity Workshop in California: OpenID 2.0 is finally final! I agree with Simon that the most interesting new thing in 2.0 is likely directed identity. And, yes, Drupal 6 already supports it.
However, one of the more interesting things (I think) is the final release of Attribute Exchange 1.0. I think attribute exchange (think profile data sharing and updating - and digitally signed assertions) represents the killer next step in online identity. Kudos to everyone involved! Time to get crackin' on some code :)
Those who have seen me speak about OpenID lately have noticed that I have become very fond of using "inspiration" from Dick Hardt's *awesome* Identity 2.0 presentation. One of the key points Dick makes in his talk is to point to Web 2.0 to drive Identity 2.0 forward. With the blogosphere abuzz (all a-twitter?) this week over the launch of the Facebook platform (or "f8"), I think this reality is about to blow up in the spotlight.
This may date Dick's presentation (OSCON 2005), but in it he points to the issue of then social-networking golden child Friendster and their feature for adding your Amazon wishlist to your profile. The key point being: you gave Friendster your username and password to Amazon - thus implicitly releasing full access to your Amazon account to Friendster. So, in keeping things current, I have been using Facebook as my example social network - specifically their feature to import contacts from Gmail/Hotmail/etc:

We can all see the problem here, right?
So, enter the Facebook platform and a whole slew of developers and service providers anxious to take advantage of that amazing Facebook user base. So now we get things like this:

To enable Twitter support (as Facebook tells me 12 of my friends have already done), I have to give Facebook my Twitter account details?!
Now, the point of this post isn't to harp on Facebook. It's a great service and I use it and enjoy it. And really, they don't have a choice (do they?) - they want to offer great features and there needs to be some way to link user accounts across these multiple services. This is exactly (one of) the problems that Identity 2.0 aims to solve.
The problem here is that we, the users, don't own our identity on the internet. There are walled gardens and data silos of information about us. Twitter and Facebook both have directory entries - a username and a password - that they use to identify me, but there is no correlation that the directory entries match. I can't verify that they do without giving one system full access to the other to verify that the usernames on each system actually correspond to the same person. This is where we need user-centric identity. This is "why OpenID".
Last night's OpenID Mashpit went well. Despite demoing some code still under very active development, and having our internet connection drop in the middle of it - it was nice to show off some of the stuff I've been working on lately in a crowd that "gets it". More interesting, however, was getting a chance to talk about and get some clarification on certain aspects. In particular, I feel like I have a much better idea of the vision behind Attribute Exchange and how it should ideally work. If nothing else, getting to just chat about "Identity 2.0" with Dick was a treat.
Other bits of interest: we stood up a work-in-progress OpenID Provider (OP) for Bryght at home.bryght.com (using all native Drupal code). It's *very* much still a work in progress, but also one of the earliest OPs "in the wild" to support the 2.0 draft spec (or most of it anyway). Similarly, SXIP has a demo Relying Party (RP) that supports attribute exchange - that will come in handy for testing against.
Thanks again to the folks at SXIP for hosting a great event, and thanks to everyone who showed up!