A few years ago it was very hard to do so, but possible, because nearly all the stuff being hosted was simple text with an occasional image or graphic. Then, our bandwidth increased and digital media creation tools were delivered into the hands of ‘the rest of us’. We quickly outstripped our ability to host and manage all our content and a market for hosted applications was born. It hit its stride with Web 2.0.

The boom created a fantastic amount of opportunity. It also stripped us of control. While we were distracted by all the shiny new toys being offered over AJAX, we forgot that owning our own stuff was important.

Today, we’re back to the time when most of the people on the web were seeing it through the AOL lens. Our data lives in silos and some of these silos even claim that your stuff is actually their stuff (have YOU read the Facebook Terms of Use?).

When you post User Content to the Site, you authorize and direct us to make such copies thereof as we deem necessary in order to facilitate the posting and storage of the User Content on the Site. By posting User Content to any part of the Site, you automatically grant, and you represent and warrant that you have the right to grant, to the Company an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to use, copy, publicly perform, publicly display, reformat, translate, excerpt (in whole or in part) and distribute such User Content for any purpose, commercial, advertising, or otherwise, on or in connection with the Site or the promotion thereof, to prepare derivative works of, or incorporate into other works, such User Content, and to grant and authorize sublicenses of the foregoing. You may remove your User Content from the Site at any time. If you choose to remove your User Content, the license granted above will automatically expire, however you acknowledge that the Company may retain archived copies of your User Content. Facebook does not assert any ownership over your User Content; rather, as between us and you, subject to the rights granted to us in these Terms, you retain full ownership of all of your User Content and any intellectual property rights or other proprietary rights associated with your User Content.

We need to swing the pendulum back the other way. We need to be able to host ALL our own stuff, or at least, be the proxy whereby we manage access to all our own stuff (even if it’s hosted on a vetted, corporate-backed network in a large datacenter somewhere in the ‘cloud’).

When you come to see my pictures, you come through gallery.terrellrussell.com – but the images could actually be served from Flickr via API. And if/when I change that arrangement and move to smugmug.com via API, you’d still access them through gallery.terrellrussell.com.

I want dynamic sharing. I want to be able to put all my bits in one place (for sanity, for ease of backup, etc.) but I want some control over how those bits are shared with others (if at all).

I want dynamic privacy based on a set of rules. These rules can be simple. These rules can be complex. There can be sets of rules that seem to cover 80% of the people 80% of the time. The flexibility in a system like that would be paramount – how we deal with that flexibility is a different problem to be solved.

I want sharing rulesets that determine which stuff is visible and which stuff isn’t. I want to have rulesets that determine this visibility by viewer, type of data (pictures/video/status), viewer tags, tags on the data, reputation from a third party, time of day, time passed since the creation of the stuff… Let it be whatever – that’s the point. A rules engine that can handle arbitrary rules and apply them on the fly.

The graphic above is a first attempt at drawing what I want. People will come to get stuff from me (or send stuff to me). Their request will be processed through a set of rules I’ve put in place, identified as coming from a person/device I know, and then filtered through whatever authorizations that person/device has been granted. If they are then allowed to see or receive what they’ve requested, I’ll send it to them.

This has to be done with open source tools and protocols and we’ve already got two of them in the wild. OpenID for authentication and OAuth for authorization. Additionally, we have XRDS-Simple for service discovery. We need an Open SharingRulesEngine (OShaRE?).

I want to have a full audit of how my stuff is getting accessed. I want the ability to drill down and figure out what’s going on. Not that I’ll use it very often – but I want to know that I can.

I want to be in control of who sees my content. If you see a photo I took, embedded somewhere else, I’d like to know that happened. I’d like to have a feel for where the edge of my ‘influence’ lies and how it’s interacting with the rest of the world.

We’ve seen rules engines and rulesets and recipes before. They exist for business and email (procmail) and distributed archival infrastructure (iRODS). Help me build one for granting access to my stuff!

This could all be a pipe dream. I’m not convinced one way or the other (the current sticking point is the realization that the gatekeeper software has to know about every piece of content I create/store… complex… but doable…). But I do know that if the option for individuals to host their own identity and their own content is available, the market for innovation will move that much faster. And that’s almost always a good thing.

Whaddya say? 2 years for basic infrastructure that can do this? 5-7 years before it’s polished and anyone is using it but me?

open id from livejournal is not safe

If you are logged in to livejournal, that information can be shared with third parties without your consent through OpenID. Right now livejournal.ru and kommersant.ru are doing it.

Have not found a way to disable it, they are using http://www.livejournal.com/openid/server.bml?openid.mode=checkid_immediate and livejournal is giving out my auth info without asking…

OpenID is in the air, and providing services across domains will become very important very soon. I think we’re still about six months out from the Big Bang. August. I’m calling it.

Verification underlies Identity. Identity underlies claims about a person. Aggregated claims underlie the reputations we ascribe to people. With reputation, we can do really cool stuff. And it’s coming…

Cross-posted at claimID proper:

ClaimID allows real people to aggregate what is online about themselves. It allows them to bring links together, sort them, talk about them, and generally refocus their online identity on their own terms. We’ve had great success so far in getting that message out – and the feedback we’ve received has been positive. People really like the empowerment and are pleased when their claimID page begins to appear in the search results for their name.

But we also want to convey that these links are validated – verified in some way. So we introduced MicroID and OpenID to our system. Since that time, people have been pointing to their own websites, their own blogs, and their own OpenIDs hosted at other Identity Providers (AOL, Verisign, JanRain, Livejournal, etc.). And with all of those identities, it made sense for us to create a trusted place for you to aggregate them.

Verified Page

Today, we launched a special page for each person that brings these verified links into greater focus. The verified information about a person is presented all on one page, in one place – and you can be sure that these links are maintained by the person who owns the claimID account because of the math behind the scenes. MicroID and OpenID are based on strong hashing algorithms and cryptography and have been designed to validate and verify claims – just the sort of thing we’re doing at claimID.

Our pages are at:
- http://claimid.com/terrell/verified
- http://claimid.com/fred/verified

They’re very clean and very powerful.

Once you find someone’s claimID Verified Page, you can be pretty sure that who you’re reading about at claimID is the same person at all those other sites. This allows us to really begin to tap into the power of distributed identity and maybe even hint at some uses for basic reputation across disparate websites. Of course, if you don’t want to display your verified identity, you can easily turn this off in your account settings.

We’re not done with online reputation yet, but the single verified page at claimID is a very strong early step.

We retooled the documentation, made it more apparent to the new user the benefits of having and using an OpenID and generally tidied up our original copy as we prepare for that “big growth” that we keep seeing poke its head around the corner.

From the official blog post:

At ClaimID, our strength has always been translating the complex into the simple. We want to give you the best solutions, without requiring you to read a protocol or understand code. As web identity plays a greater role in all of our lives, we feel that we can really help people by enabling them with solutions simply. And as OpenID grows (and it will grow, says Bill Gates), we want to be there to help you take advantage of this amazing and useful tool.

We’ve seen lots of convergence in the last few months – and even more in the last couple days – and we want to make sure we’re helping as many people as possible follow along at home.

Scott Kveton from JanRain has a nice writeup on the latest happenings:

OpenID has always been about convergence. When Brad, David and Johannes talked about how OpenID and Yadis could work together over a year ago. When the XRI folks brought their amazing people and technology to be integrated into OpenID 2.0 last Spring. This past Summer when Sxip Identity joined the OpenID party by joining in on developing the specification and offering up their attribute exchange specification to the OpenID community. And now today, we have a commitment from Microsoft to take part in the OpenID community as well as enable the technology for their future identity products.

There are a couple of points I’d like to make outside of the above announcement to hopefully address any concerns that the OpenID community might have:

• JanRain will never require users of our libraries or services to use Windows CardSpace ™. We offer support for this technology as another option for users much like using our Safe SignIn and Personal Icon technologies on MyOpenID.com. We’ll also continue to support the OpenID efforts going on with Mozilla and Firefox.
• Windows CardSpace ™ is shipping with Vista today and is a well thought-out technology that helps address many of the privacy and security concerns that people have had with OpenID. OpenID helps users describe their identity across many sites in a public fashion. The two together are very complimentary products and each has its strength.
• Microsoft did not cave in to the OpenID community and the OpenID community is giving nothing up to Microsoft. This is a collaboration on bringing the best technology to the marketplace as quickly as possible to help secure users and solve the single sign-on solution once and for all.
• Please reserve judgment on what this all means until you see it all work together. The technology is really quite simple and the ramifications for end-users is huge. It also goes a very long way to completely addressing the phishing concerns we’ve heard so much about.

A great many things have happened since then. Higgins is now demoing live open source implementations of a variety of tools, including Bandit, around the newly announced OpenID 2.0 spec. We have full OpenID 1.1 libraries in all the major programming languages. OpenID 2.0 code should be rolling out within a couple weeks from a number of the vendors here. Dick Hardt of Sxip demoed the newly announced Sxipper Firefox plugin. There was a Safari InfoCard Selector demo complete with modal overlays. There were a surprising number of demos (Java, even) fully functioning with versions of Microsoft’s CardSpace (coming baked into every copy of Vista in a few short months). Avery Glasser of VxV Solutions demoed his company’s voiceprint technology fully integrated and interoperable with OpenID. JanRain demoed their new BotBouncer site designed to serve as a centralized CAPTCHA repository so users can know a particular OpenID has passed a humanness test.

I also ran a session this morning on MicroID and how it works as a lightweight verification method for claiming a webpage (and eventually a part of a webpage). I received a variety of questions about SHA1 and it’s being broken back in February of 2005 as well as the MicroID not being a true HMAC. The answers, as best I could describe them, hinge on the fact that these are not true secrets being hashed and passed around for MicroID. We’re only using hashing in the first place to try and obfuscate the email address of the user – not protect any nuclear secrets.

Additionally, Dick Hardt posed a question that forced me to step back and reconsider a couple things about MicroID.

He asked, if you’ve got an OpenID, couldn’t you just use it as the communication identifier itself and skip the hashing step (which exists to obfuscate the email for publication purposes)?

Of course, he’s right about this. If a site has decided they want to play along with all of this fancy identity stuff and expose something which allows others on the internet to verify claims that their users are the same person at a different service, why would they pick to expose MicroID if they could just implement OpenID and expose it instead?

The answer, I think, is mostly that it’s easier to do MicroID today (it’s just a hash). But in the long run, once OpenID is in a lot more places and a lot more visible to everyone online, it will probably be just as easy to simply include a user’s verified OpenID in the head of their page – no hashing – no obfuscation necessary.

Something like this:

<meta name=”openid” value=”http://claimid.com/terrell”>

Then, other sites can simply check to see that they, too, have independently verified that particular OpenID and ‘connect’ the accounts.

Just like MicroID does today.

In fact, I’m proposing here that MicroID be tweaked to include the opportunity to do just this. Declare as part of the spec the publishing standard for publishing OpenIDs as well as MicroIDs for public consumption.

Perhaps claiming a blog comment would be easy if it looked something like this:

<div class=”openid-http://claimid.com/terrell”>

It seems simple enough and allows these simple claims to be made as the technology matures beyond simple email addresses as communication identifier.

MicroID specifies for the first part of its hashing formula to be any communication identifier, but if it’s an OpenID specifically, or i-name, it doesn’t need to be obfuscated and hidden from view.

Thoughts? What am I missing? Are there use cases where someone/someservice would still want to obfuscate the OpenID? Should it ever not be public?

OpenID works for you in a couple different ways:

1) You can use your OpenID to sign into any system that supports them – and without a password for each site (you’re actually only logging into your own OpenID and then your openid host and the new site are exchanging tokens).

2) You can delegate from any site you own to an OpenID account of your choice. This is important because you can then log into your new favorite cool site with your own domain name.

(e.g. I can log into zooomr.com or claimID.com or wikitravel.org or livejournal.com with terrellrussell.com which is delegated at the moment to my account at myopenid.com which is run by the guys at janrain.com who are writing and releasing all the open source libraries for OpenID).

You can sign up for an OpenID at any of these providers.

More info at the OneTrueWiki.

While building claimID.com, I’ve become intimately aware of how big this will be in the next few years (months) once some bigger players get on board. There is talk of the Identity Big Bang coming soon.

Separately, Fred put together a similar list of OpenID Resources at the claimID blog. Great minds and all that.

In addition, Jason set up an OpenID server at Joyent proper. A little bare at the moment, but it should be skinned and looking like the rest of Joyent pretty soon. It’s currently running the same base code as Verisign’s PIP server, so if you’re interested, you can download it here.

• Marshall Kirkpatrick at Techcrunch
• Johannes Ernst
• Scott Kveton
• Christian Stocker

This is a mid-major player now supporting another open standard. Only good things can come of this kind of implementation. And it will continue to gain in value as others join in.

The Identity Big Bang is what, only 12 months away now? 18? How will we know? GoogleAuth? BBAuth? Will they all play together?

Update: More…

Chris Messina at FactoryCity

Thomas Hawk

Alan Castonguay at VerseLogic

others at Technorati Search

This is our official announcement on the claimID blog:

ClaimID proudly announces it has joined a consortium of ten forward-thinking companies to fund the development and adoption of OpenID. ClaimID utilizes OpenID, a standards-based identity protocol; it lets you do cool stuff like log into LiveJournal or Wikipedia (very soon!) with your claimID URL. Not only is that cool, it just makes sense – OpenID is decentralized, scalable, easy-to-use and it saves you from having to create new accounts at every site you log into.

Announced by JanRain CEO Scott Kveton at OSCON, the consortium’s first project is an OpenID code bounty. The consortium will offer $5,000 to ten open source projects that successfully implement OpenID. I know what you’re thinking – “$5,000 to implement OpenID – sign me up!” Well, there are a few conditions. Your project must be OSI licensed, and there must be either 5,000 downloads a month or 200,000 users of publicly installed instances. Software like WordPress, phpBB, Drupal or Joomla are great examples – and you can suggest others. Not only will each of these projects be getting $5,000, but they will also be investing in the future of identity, and making it easier for people to use their projects. It is a win-win all around.

The consortium is made up of forward-thinking companies that share a goal to make identity better on the net. They are Verisign, JanRain, Cordance, ooTao, Opinity, Four Kitchen Studios, Zooomr, NetMesh, Sxip and claimID. We’re looking to expand our consortium, so if you’re interested in supporting this important cause, please contact us. The coordinating site, located at http://iwantmyOpenID.com, and bounty program were organized by the OpenID community.

We’re so happy to be able to take part in this very important goal. We feel that OpenID is great way to give people the identity solutions they need. With this bounty program and consortium, we hope that people will take this opportunity to collaborate, converse and compromise. We’re convinced we’ve made a great decision in supporting OpenID, its community and this consortium, and we look forward to the important progress this initiative will make.

Big news indeed. This is very exciting – I’ve only been working in the identity space with real code for about six months, but only a few minutes after hearing about OpenID, I got it. It made sense.

If we can get that few minutes to happen for more people, through open source software, all the better. This is a first step to much more powerful applications. It will help bring our social connections and trust into the online arena with grace and beauty.

Meanwhile… Brian Ellin sees a giant snowball causing an identity earthquake (a mixed metaphor, but who cares!):

Imagine a snowball teetering, getting ready to roll down the mountain. With a little push to get it going, that ball could turn into something really huge. Something disruptive.

Announcing the OpenID code bounty. $5,000 to ten popular open source projects who implement OpenID in their applications. Announced this morning at OSCON, and the word is already spreading:

• iwantmyopenid.org – bounty homepage
• Kveton on the code bounty
  
• ClaimID on joining the consortium
• Johannes Ernst talking about the bounty
• other blogs talking about the bounty at technorati

Spread the word.

He makes a point about global identity identifiers (OpenID, LID, i-names, etc.) being capable of allowing “cross-context reputation systems to emerge”.

I think he’s right on – and I’ve been working on some plans for one of these systems over the last few weeks.

I think a distributed system built on the DNS and existing URL-based identifiers is the key and hope to show that a subjective, individualized opinion about someone can be collectively tabulated and measured in a meaningful way. I’ve been most impressed with Dr. Windley’s work. This recent paper is something new and should generate rich discussion and inspiration.

This work is directly related to the great discussion generated at the Identity Mash-Up in Boston in June put on by the Berkman Center at Harvard. A third day open-space discussion at the MIT Media Lab named The Laws of Reputation led directly to the principles in the paper. Go OpenSpace! I was not in the room as I was fixing a bug in claimID with Brian Ellin that 45 minutes. Blasted productive OpenSpace!

We now have a system whereby a user can log into their claimID account with any of the verified OpenIDs they’ve added to their account previously. This is a mere convenience on the surface, but becomes quite a draw for getting our point across about how powerful OpenID is and will be as it becomes accepted at more and more sites. We think the real power behind OpenID and the rest of the Identity 2.0 vision is both its user-centric distributed nature and the ongoing education of users themselves. Both are key and both are at the heart of our mission at claimID.

If you haven’t signed up yet – please try it. You can create an account with any of your existing OpenIDs, if you already have them (LiveJournal, TypeKey, Verisign PIP, MyOpenID, LID, etc.). If not, just sign up the ‘regular’ way (with a password, ick), and you’ll be on your way.

We have some copy to write and some polish to apply, but the cogs are running smoothly (very cool) and I’m very excited what this will mean for those watching the identity space.