Social Web FooCamp

In only a couple weeks (gah, how’d that happen…) I’ll head back to the Social Web FooCamp. This is a great honor to be invited back and I hope to continue providing insight and ideas on the tangle/noisiness/mess of our social Internet.

IIW8

I’ll be at IIW8 again in May. This is a fantastic event and one I hated missing last Fall. I really look forward to seeing everyone in the Identity community again. So much has changed in only a few years – and Doc Searls, Kaliya and Phil Windley always put on a great un-conference.

Progress

And then, back to the library. Also, found two guys in Brazil who simulated my (not finished yet) dissertation. I guess that means I’m officially in a race now. Excellent.

The last month and a half have really been a blur. Let’s see if we can work out why…

PARC
I met Ed Chi at ASIST last October when he hijacked a panel with his very interesting work on WikiDashboard. I had seen the work already and knew enough about it to approach Ed and pick his brain about how I could collaborate with the project. In December, while in Mountain View for IIW again, I made an appointment to visit PARC and see how things worked inside a research center famous for many years for doing cool things. I left with the plan to apply for a summer internship working under Ed in the Augmented Social Cognition group on WikiDashboard itself. In the Spring, I heard that they really wanted me and I made the decision to be in Palo Alto for four months. I’m thrilled with the work I’ve been doing for the past four weeks and the people I’m working with. There is quite a bit of interest in wikis and other collaborative tools in ASC and I am very pleased to be in the middle of it. I hope to be able to share a bit more about what I’m working on when the time is right.

Drive to California
Of course, after making the decision to be in California for the summer, I needed to work out how that was going to happen logistically. The decision was made to drive and so, for six days, many miles were covered, a sister was visited, and lots of money was spent on gasoline. All in all, a grand success – and one I look forward to duplicating on the way home in early September, except for the gasoline part.

IIW 2008a
Already being in Palo Alto, it was very easy to join in the semi-annual gathering that is the Internet Identity Workshop. This was my fifth(?!) and again, it was great to sit and talk with the people building this next generation of technologies. The climate has shifted even more now to business models and reputation – a far cry from the spec discussions and interop demos from only a year or two ago. I spent an afternoon talking with Eugene Eric Kim, yet again, and still find him one of the most compelling people working in this space. He’s got projects around the world and he’s excited about how these technologies are helping groups get their stuff done.

Park Alumni Society
Speaking of groups getting their stuff done – I’ve been in a heavy development cycle in the last couple of months. I’ve written more code and pushed more new features into production in the last 7-8 weeks than any time since writing claimID. I am the president of an alumni group at NC State and run our intranet and web presence as well. We recently added a unified login to our forums and wiki and the new application that runs the Park Office’s interactions with the scholars themselves. The effort required to network across classes and facilitate communication should go way down. I’m very happy with the result and hopefully I can start to sleep a little more soon.

Park Scholarships
The Park Scholarships itself is undergoing some change. The director of the scholarship has announced her decision to take a new position, and after eleven years, we need to find a new leader. I have been asked to be on the search committee by the Chancellor and I hope we can help deliver a candidate who can fill the rather large shoes being left behind in August.

ClaimID
ClaimID is getting some development love itself this early summer (in between rigorous interviews). Fred and I are integrating a new authentication mechanism into the mix. It works by selecting images instead of typing passwords. Watch this space as we work out all the kinks and make a new shiny thing.

iPhone
And with all of that, I’ve finally found the need to enter the modern world of telephony. I bought an iPhone before the trip out west, and have been thrilled at how much it’s changed my daily interaction with the information around me. Numbers, addresses, internet, camera, music, podcasts, calendar, maps – it’s in my pocket and it syncs with the stuff I already had. Very cool. Highly recommended.

A great many things have happened since then. Higgins is now demoing live open source implementations of a variety of tools, including Bandit, around the newly announced OpenID 2.0 spec. We have full OpenID 1.1 libraries in all the major programming languages. OpenID 2.0 code should be rolling out within a couple weeks from a number of the vendors here. Dick Hardt of Sxip demoed the newly announced Sxipper Firefox plugin. There was a Safari InfoCard Selector demo complete with modal overlays. There were a surprising number of demos (Java, even) fully functioning with versions of Microsoft’s CardSpace (coming baked into every copy of Vista in a few short months). Avery Glasser of VxV Solutions demoed his company’s voiceprint technology fully integrated and interoperable with OpenID. JanRain demoed their new BotBouncer site designed to serve as a centralized CAPTCHA repository so users can know a particular OpenID has passed a humanness test.

I also ran a session this morning on MicroID and how it works as a lightweight verification method for claiming a webpage (and eventually a part of a webpage). I received a variety of questions about SHA1 and it’s being broken back in February of 2005 as well as the MicroID not being a true HMAC. The answers, as best I could describe them, hinge on the fact that these are not true secrets being hashed and passed around for MicroID. We’re only using hashing in the first place to try and obfuscate the email address of the user – not protect any nuclear secrets.

Additionally, Dick Hardt posed a question that forced me to step back and reconsider a couple things about MicroID.

He asked, if you’ve got an OpenID, couldn’t you just use it as the communication identifier itself and skip the hashing step (which exists to obfuscate the email for publication purposes)?

Of course, he’s right about this. If a site has decided they want to play along with all of this fancy identity stuff and expose something which allows others on the internet to verify claims that their users are the same person at a different service, why would they pick to expose MicroID if they could just implement OpenID and expose it instead?

The answer, I think, is mostly that it’s easier to do MicroID today (it’s just a hash). But in the long run, once OpenID is in a lot more places and a lot more visible to everyone online, it will probably be just as easy to simply include a user’s verified OpenID in the head of their page – no hashing – no obfuscation necessary.

Something like this:

<meta name=”openid” value=”http://claimid.com/terrell”>

Then, other sites can simply check to see that they, too, have independently verified that particular OpenID and ‘connect’ the accounts.

Just like MicroID does today.

In fact, I’m proposing here that MicroID be tweaked to include the opportunity to do just this. Declare as part of the spec the publishing standard for publishing OpenIDs as well as MicroIDs for public consumption.

Perhaps claiming a blog comment would be easy if it looked something like this:

<div class=”openid-http://claimid.com/terrell”>

It seems simple enough and allows these simple claims to be made as the technology matures beyond simple email addresses as communication identifier.

MicroID specifies for the first part of its hashing formula to be any communication identifier, but if it’s an OpenID specifically, or i-name, it doesn’t need to be obfuscated and hidden from view.

Thoughts? What am I missing? Are there use cases where someone/someservice would still want to obfuscate the OpenID? Should it ever not be public?