walkah: openid

22 Apr 2009

Open, Social for the rest of the web

This past weekend, I had the privilege of being one of the chosen attendees for Social Web FooCamp. Needless to say, I was flattered and had an amazing time (thanks again, @daveman692 and @davemorin). One thing, however, became very apparent: the conversation, currently, is being dominated by the 'big players' (Google, Yahoo, Facebook and Myspace predominantly). In several discussions I found myself increasingly dropping the phrase:

... on the rest of the web

the big guys

First off, this is not a critique of the Googles and Facebooks of the internet. They are incredibly valuable to the growth of the open web. The fact that Google, Yahoo and Myspace all three have various OpenID and OAuth initiatives in the wild and are actively pursuing additional ways to open their data is awesome (and Facebook wants to get there). It helps raise awareness and bring (slash confirm) "legitimacy".

The big guys also have resources. They can attend the conferences (and camps!) and have dedicated resources to write the standards, participate in the discussions and help shape the future.

However, they are only part of the discussion.

perspective

The issues the major providers face are different from the rest. They have a few sites with large numbers of users (hundreds of millions). Out here on the rest of the web, we have millions of websites, each with a "small" number of users (hundreds or thousands). We all understand the necessity for open data, identity, standards and protocols, but our reasoning tends to be slightly different.

The big guys recognize the benefit of exposing their data and most are providing OpenID and various levels of OAuth. How many are consuming it?

Sure, the big players want to be the primary authority for your identity and your information. In some cases, it is their business. But, rather than ranting against 'the man', I ask: have we - the rest of the web - given them a compelling reason to yet?

open source platforms for the open web

It's one thing for a major site (with hundreds of millions of users) to act like a silo, but on the rest of the web it amounts to isolation.

Those of us working on open source web platforms have an enormous potential for influence here. Implementing the various open standards "from scratch", while possible, is not realistic or even necessary. Increasingly, individuals have WordPress blogs or perhaps their company, organization or club has a Drupal site. Web developers are increasingly turning to these platforms, or development frameworks such as Rails and Django. These platforms all have a real opportunity to bake in implementations of these open standards. The DiSo project offers a central place for co-ordination around these efforts.

We have data - gobs of it. We also, collectively, have the users and, in most cases, have more authoritative information about them (we know ourselves, our employees and our members).

We - the rest of the web - need to join the conversation: attend the events, participate in the mailing lists, and build the code to power the open, social web.

27 Feb 2009

DrupalCon is Coming with lots of OpenID

In just a few days, most of the Drupal community will be headed to Washington, DC for DrupalCon. As the conference draws closer, I always get excited to see friends I don't get to see and share exciting ideas, but this time there is a lot of growing interest and activity around OpenID.

As has become a bit of a tradition, I'll be giving my 4th OpenID talk. This year, I'm hoping to focus a bit on the exciting new developments from the OpenID community and looking at some of the things being built on top of OpenID (like the OpenID/OAuth hybrid model and the DiSo project).

Also, Chris Messina will be one of the keynote presenters - also talking about online identity. We had Chris on the Lullabot podcast this week - be sure to check it out!

Finally, for those of you coming to DC - I'm going to round up interested parties on Saturday for an OpenID code sprint. Hope to see you there!

29 May 2008

DiSo for Drupal

I had an interesting e-mail exchange yesterday with Chris Messina and a handful of folks from the DiSo project about "DiSo for Drupal". For those of you who haven't heard of it, DiSo is:

DiSo (dee • zoh) is an umbrella project for a group of open source implementations of these distributed social networking concepts.

Or, as Chris puts it: “to build a social network with its skin inside out”.

See, Chris recently started a new job working on DiSo full-time at Vidoop. With the announcements of Facebook Connect and Google's Friend Connect, there is a battle raging for control of your identity and your relationships. DiSo, in many respects, is the free open answer for the rest of the internet. It combines several free, open standards that already exist in the wild like OpenID, OAuth, and Microformats for exchanging identity and "friend" information.

So, Chris reached out to a handful of us Drupal folks about getting on board. The good news is: we, the Drupal community, are already well on our way:

The big holes at the moment (from a DiSo perspective) are XRDS-Simple support and better support for microformats - specifically XFN.

From the list of Drupal modules above, you may notice that this is an area of interest of mine :-P I look forward to working with the rest of the DiSo project and the Drupal community on this stuff!

24 Apr 2008

Google SoC: Drupal, OpenID and Attribute Exchange

Summer is coming - which means it's time for Google's Summer of Code. This is the fourth year of the project (and the fourth year that Drupal has been involved). We continue to be one of Google's favourite open source projects this year grabbing 21 spots - which means a $105,000 investment in Drupal development this summer!

I'm excited as this will be my third year as a mentor and my project this year will be OpenID Attribute Exchange support for Drupal. Attribute Exchange is one of the next important pieces in digital identity and one that I'm pretty excited about. My student, Anshu Prateek, has shown a lot of enthusiasm. I think it's gonna be a good summer!

12 Mar 2008

DrupalCon: OpenID slides and recap

With almost a week gone by since I left Boston, it's high time to do a quick recap of DrupalCon Boston 2008. Despite spending most of the week battling a nasty stomach flu, making two trips to the Apple Store in Cambridge, and being without my laptop (which suffered a failed keyboard and trackpad), I had a great time and want to offer my congrats to the organizing team for a solid event!

Although I took part in 6 sessions, I only presented one of them on my own: OpenID and Identity in Drupal. I was pleased with how the session went - packed room with lots of great feedback and discussion. For those interested, check out the slides on slideshare.

Otherwise, it was really great to see all the old faces and meet some new ones. For anyone who missed it, the Acquia party was a blast (Orbit rocks!). Looking forward to the next!

25 Feb 2008

OpenID at DrupalCon Boston 2008

Here we go again! One week from today, DrupalCon Boston 2008 will get underway. For the 3rd straight conference, I'll be doing a session on OpenID in Drupal:

OpenID and Identity in Drupal: the future of user.module

Those of you who have attended my OpenID talks at previous DrupalCons should definitely come out to this one, as I would like to dive a bit deeper into roadmapping future changes, additions and directions for the code as well as touching on rolling out OpenID support across the Drupal.org infrastructure itself. I'd also like to discuss additions and changes to user.module that will better accommodate alternate authentication mechanisms.

Can't wait to see you there! Oh, and yes, I'll bring my socks ;-)

19 Feb 2008

Harvard Joomla site hacked: things to learn?

There have been reports that Harvard recently had a Joomla! based website compromised, and the database contents have been made available via BitTorrent. Of interest - the compromise was apparently via the usage of an insecure password. From the Torrent Freak article:

A file included with the release labeled password.txt carries a message:

Thomas gatton….stupid people, you don’t use a secure password

While it's not entirely clear whether it was an insecure system password or an insecure Joomla! password used - it does highlight an important aspect of security.

Ensuring that you write secure code is only (a small) part of the security problem. With our recent Drupal 6.0 release, we have tried to incorporate several changes to help our users be more secure:

  • Password strength checker: when selecting a password now in Drupal, users are advised when their passwords are "weak". This encourages tougher to crack/guess passwords, particularly for admin and privileged users.
  • OpenID support: Even a strong (hard to guess / crack) password can be compromised by a clever attacker if you consistently log in without SSL (i.e. when you're at that internet cafe). Also, remembering several (hundreds!) of complicated, strong passwords can be daunting and frequently leads to poor password choices. By including OpenID authentication support, Drupal users and administrators no longer have to remember passwords to every site they administer. They can use their OpenID - which in turn can implement stronger authentication methods to limit potential vulnerabilities. Development Seed has a great article on how they use OpenID to avoid sharing passwords for admin accounts.
  • Update module: One of the biggest security challenges is keeping your site up to date. Drupal sites tend to be a combination of Drupal core and several (10 - 50) contributed modules - keeping them all up to date is a complicated task. It's also a crucial security precaution.

The point being: writing secure code is one thing, but there is a much trickier, critical task in educating users and administrators. It's something we're working towards within the Drupal Security Team and within the community in general. We're not done yet, and welcome your feedback and suggestions!

14 Feb 2008

Dear Drupal 6, Be My Valentine?

Happy Valentine's Day everyone! In case you hadn't heard, Drupal 6.0 has finally been released! It's been just over a year since our last major release and, while it feels sort of like an eternity, there is a ton of great stuff in this new release.

I'm really proud to have helped contribute OpenID support (relying party) to this release - the first step in a larger plan to put (keep?) Drupal at the front of the digital identity curve. Those interested in hearing more, check out my OpenID session at DrupalCon.

There's a ton of other great new stuff in 6: Update module (if you haven't used update status in Drupal 5 - you should), revamped i18n support, and Drag 'n' Drop everywhere (Nate, you're a rockstar)!

Drupal, be mine. :-*

17 Jan 2008

Yahoo! unveils OpenID support!

It's official! ReadWriteWeb picked up on it early last week, when OpenID link tags appeared on Flickr profile pages. Rampant speculation ensued, but the wraps are off. "Yahoo! Support Triples Number of OpenID Accounts to 368 million". Full details at http://openid.yahoo.com/ .

6 Dec 2007

OpenID 2.0 and Attribute Exchange 1.0

At last! Good news last night from the Internet Identity Workshop in California: OpenID 2.0 is finally final! I agree with Simon that the most interesting new thing in 2.0 is likely directed identity. And, yes, Drupal 6 already supports it.

However, one of the more interesting things (I think) is the final release of Attribute Exchange 1.0. I think attribute exchange (think profile data sharing and updating - and digitally signed assertions) represents the killer next step in online identity. Kudos to everyone involved! Time to get crackin' on some code :)


James Walker
