23 Jul 2008

Planet OpenID

Dick Hardt: Facebook Connect - fatal blow for OpenID?

At F8 today, Facebook rolled out their Facebook Connect platform. With a small amount of code, other sites can integrate the Facebook identity system into their site. The keynote reminded me of early days of Microsoft as they rallied developers to build on their platform by explaining how the platform can help them and being inclusive. They even seemed humble as they talked about what they have done wrong in the past and then reaching out to developers asking for their feedback. They even have a fund and a competition for best applications.

Facebook Connect is a powerful identity system. Using Facebook Connect, a site gets access to the user's profile data and the user's friends. For sites such as Digg and Movable Type that want to make users accountable for their activity, there is an implicit reputation of the user based on the depth of the profile. It is much more difficult for a spammer to build a Facebook identity to spam these participatory sites. Facebook is all about real identity rather than a fake persona. Facebook even has rich privacy controls so that users feel in control of who sees what.

The promise of OpenID was to make login simple and move profile data. A number of us have been looking at using OpenID to make an accountable web. Given the momentum and immediate value of a Facebook identity system and the lack of OpenID RP deployment, one wonders if the identity opportunities of OpenID have passed.

The announcement from MySpace supporting OpenID may enable a more open identity system to evolve, but Facebook has a compelling offering that provides significant value to sites - well, as soon as Facebook Connect is launched anyway.

23 Jul 2008 10:13pm GMT

Vidoop: myVidoop site upgrade

We've got some great upgrades to our service ready, but we'll need to take the service offline to roll them out. So, myVidoop will be unavailable tomorrow morning (7/24/08) from 7am to 9am CDT. We'll be introducing some new features which we'll tell you about in a later blog post (or just check out the site tomorrow after 9am).

23 Jul 2008 8:26pm GMT

Vidoop: Chris Messina wins Google-O’Reilly Open Source Award

We are very proud that Chris Messina (aka @factoryjoe), a recent addition to the Vidoop team, has recently received the award for 'best community amplifier'. You can read about the history and see past winners at the Google-O'Reilly Open Source Awards - Hall of Fame but the general idea is…

The Google-O'Reilly Open Source Awards have been presented to individuals for dedication, innovation, leadership and outstanding contribution to open source.

Winners are selected by a committee, made up of the following: Allison Randal (The Perl Foundation & O'Reilly - OSCON Co-Chair), Brady Forest (O'Reilly - Technology Evangelist and Conference Chair), Brian Behlendorf (CollabNet CTO and Founder), Chris DiBona (Google, Open Source Programs Manager), Danese Cooper (Open Source Diva, Intel), David Ascher (CTO, ActiveState, and director, Python Software Foundation), Tim O'Reilly (Founder and CEO of O'Reilly Media), Nat Torkington (O'Reilly - OSCON Co-chair), Zaheda Bhorat (Google, Open Source Programs Manager).

Chris has consistently been at the forefront of the Open Web movement and an outspoken advocate of open source technologies. Since being introduced to him and the open web/identity community a little over a year ago, he has personally been very helpful in navigating the landscape, making introductions and genuinely a fun guy to hang out with. I am sure I join the rest of the Vidoop team and web community at large in congratulating Chris on a job well done and wishing him continued success in whatever ventures he pursues. Whatever it is, the web will be better off because of it :)

23 Jul 2008 4:37am GMT

Brad Fitzpatrick: Perl on App Engine

Fellow Perl hackers,

I'm happy to announce that the Google App Engine team has given me permission to talk about a 20% project inside Google to add Perl support to App Engine. To be clear: I'm not a member of the App Engine team and the App Engine team is not promising to add Perl support. They're just saying that I (along with other Perl hackers here at Google) are now allowed to work on this 20% project of ours out in the open where other Perl hackers can help us out, should you be so inclined.

As background, I've been writing Perl code for almost 15 years now and am quite fond of the language. (I'm "bradfitz" on CPAN.) Here at Google, though, it's not one of our big languages so I don't get to write as much Perl as I used to. I'd still like to run my personal web apps on App Engine, though, and I'd like to write them in Perl. And I'm definitely not alone, looking at how many people have starred the wishlist bug. Some of you have already started talking about it. We'd like to join the discussion, and start hacking out in the public.

In the process we can build the start of an open source App Engine server clone that's suitable for many purposes: initially just for regression testing & local development (like the "dev_appserver" that comes with the App Engine Python SDK), but perhaps in the future (once Hypertable/Hbase/etc are ready) a full stack to give to ISPs to let them run App Engine apps on their own.

Before I get into my proposed roadmap, let me describe what's publicly known about the App Engine architecture. In a nutshell, it looks like this:



The App runs in a multi-layer hardened environment, one layer of which will need to be a hardened Perl interpreter.

Basically, we need a hardened Perl runtime which can:

Basically we need a Perl interpreter that's very tame and isn't allowed to do anything other than read web requests and write out responses. Any privileged operations (like Datastore access, fetching URLs, etc) need to be done via a trusted XS Perl module (the "apiproxy") that takes a service request parameter and returns a service response. The request and response are both encoded as Protocol Buffers, which were recently open sourced by Google.

Perl on App Engine then would involve the following steps (in no particular order):

Not included is the Google-internal side of things, gluing the hardened Perl interpreter into the GAE world. That needs to be done by a Googler and not open source.

If you'd like to discuss this and/or help out, join the perl-appengine mailing list. We'll be submitting code to the appengine-perl project on Google Code hosting. For more information about this, see the Perl-on-AppEngine FAQ.

Brad & the other Perl Googlers

23 Jul 2008 3:49am GMT

Johannes Ernst: A Big OpenID Relying Party: Orange

Ariel Gordon, in charge of everything identity at France Telecom / Orange, tells me that Orange.fr, their portal, is now OpenID-enabled.

This must be one of the largest OpenID Relying Parties so far. Congratulations, Ariel!


23 Jul 2008 3:36am GMT

22 Jul 2008


Simon Willison: Email Address to URL Transformation (EAUT) specification now available!

Email Address to URL Transformation (EAUT) specification now available! Allows OpenID users to login using their E-mail address, which is converted into an OpenID URL based on rules specified in an XRDS document attached to the root domain. Seems like a good idea to me.

22 Jul 2008 7:30pm GMT

Vidoop: Email Address to URL Transformation (EAUT) specification now available!

We're proud to announce that Draft 5 of the Email Address to URL Transformation (EAUT) specification is now available. What does this mean to me you may be asking yourself? It means that coming soon to an OpenID login form near you, you will be able to use your email address as an OpenID.

In basic terms EAUT makes it easy to take an email address and transform it into a URL, making your email work with services like OpenID. The goal with Emailtoid is to demonstrate the technology and provide a fallback solution for a larger, decentralized network based on the EAUT specification.

Using an email address as a login is already a familiar process. The problem is that an email address is not very useful as an endpoint for identity information. A URL is much better for storing identity information, though using a URL to login is counterintuitive. This is the usability disconnect that EAUT aims to address.

With EAUT, email providers can host an XRDS document at their root (eg, aol.com). Here's an example XRDS document:

<?xml version="1.0" encoding="UTF-8" ?>
<XRDS xmlns="xri://$xrds">
    <XRD xml:id="main" xmlns="xri://$xrd*($v*2.0)" version="2.0" xmlns:simple="http://xrds-simple.net/core/1.0" xmlns:openid="http://openid.net/xmlns/1.0">
        <Type>xri://$xrds*simple</Type>
        <Service priority="10">
            <Type>http://specs.eaut.org/1.0/template</Type>
            <URI>http://openid.aol.com/%7Busername%7D</URI>
        </Service>
    </XRD>
</XRDS>

If the example email is vidooprocks@aol.com, the above XRDS document, hosted on aol.com, would mean that the resulting URL is http://openid.aol.com/vidooprocks - which is a valid OpenID (or would be if somebody had that email).

Now, what happens when the email provider doesn't have an XRDS document, or has one but doesn't have any EAUT types in there? You use a fallback service - just like Emailtoid!

With EAUT, relying parties can now have the best of both worlds. They can ask for email addresses, which people are used to, but still only have to implement OpenID. Please let us know if you have any questions or feedback on our Emailtoid support page.

22 Jul 2008 5:40pm GMT
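The template lookup and substitution described in the post above, as an added example that is not part of the original post or of any EAUT implementation. It assumes the XRDS document has already been fetched from the email address's domain; the function names are hypothetical, and the percent-encoding of the local part and the http(s) check are defensive choices made here, not steps quoted from the specification.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlsplit

XRD_NS = "{xri://$xrd*($v*2.0)}"
EAUT_TEMPLATE = "http://specs.eaut.org/1.0/template"  # Service type from the post
PLACEHOLDER = "%7Busername%7D"                        # URL-encoded {username}

# Constructed sample: the post's XRDS document with plain ASCII quotes.
SAMPLE_XRDS = b"""<?xml version="1.0" encoding="UTF-8"?>
<XRDS xmlns="xri://$xrds">
  <XRD xmlns="xri://$xrd*($v*2.0)" version="2.0">
    <Type>xri://$xrds*simple</Type>
    <Service priority="10">
      <Type>http://specs.eaut.org/1.0/template</Type>
      <URI>http://openid.aol.com/%7Busername%7D</URI>
    </Service>
  </XRD>
</XRDS>"""


def find_template(xrds_bytes):
    """Return the URI of the preferred EAUT template service, or None."""
    # Stdlib parser for the demo; XRDS fetched from the network is untrusted
    # input and is better parsed with a hardened parser such as defusedxml.
    root = ET.fromstring(xrds_bytes)
    found = []
    for svc in root.iter(XRD_NS + "Service"):
        types = [t.text.strip() for t in svc.findall(XRD_NS + "Type") if t.text]
        uri = svc.find(XRD_NS + "URI")
        if EAUT_TEMPLATE in types and uri is not None and uri.text:
            # In XRDS a lower priority number is preferred; none sorts last.
            found.append((int(svc.get("priority", 10**9)), uri.text.strip()))
    return min(found)[1] if found else None


def email_to_url(email, xrds_bytes):
    """Map an email address to a URL; None means 'use a fallback service'."""
    m = re.fullmatch(r"([^@\s]+)@([A-Za-z0-9.-]+)", email)
    if not m:
        raise ValueError("not an email address")
    template = find_template(xrds_bytes)
    if template is None or PLACEHOLDER not in template:
        return None
    if urlsplit(template).scheme not in ("http", "https"):
        raise ValueError("template is not an http(s) URL")
    # Encode the local part so "/", "?", "#" or "@" in it cannot add path
    # segments, a query or a different host to the resulting identifier.
    return template.replace(PLACEHOLDER, quote(m.group(1), safe=""))
```

A relying party would pass the returned URL to its normal OpenID discovery, and treat `None` as the case the post describes where a fallback service is used.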

21 Jul 2008


Johannes Ernst: MySpace and OpenID?

Techcrunch: MySpace To Join OpenID, Bringing Total Enabled Accounts to Over A Half Billion.


21 Jul 2008 11:55pm GMT

Vidoop: Vidoop will be lifting your spirits during OSCON 2008

OSCON 2008 by itself is enough to geek out about, but don't forget about the parties!

If you fall in love with Portland and decide to stay, the good times keep rollin' with a Django sprint on August 22 from 9am to 6pm here at the Vidoop offices.

21 Jul 2008 8:09pm GMT

Simon Willison: MySpace To Join OpenID, Bringing Total Enabled Accounts to Over A Half Billion

MySpace To Join OpenID, Bringing Total Enabled Accounts to Over A Half Billion. Another 200 million OpenIDs - but the important difference between this and the Yahoo! and AOL announcements is that MySpace users know what their profile URL is. Whenever people have told me OpenID is flawed because people don't understand URLs I've answered "sure they don't, but they know their MySpace page".

21 Jul 2008 7:42pm GMT

20 Jul 2008


Martin Atkins: Mourning the death of the "rev" attribute

Let's play "name the opposing relationship". rel="employer" is to rel="employee" as:

rev is not an acceptable solution, and is being removed in HTML5. What's the alternative?

20 Jul 2008 8:17pm GMT

David Recordon: My OSCON Schedule

Headed up to Portland this afternoon for OSCON and just put my schedule online if you want to check it out. I won't be there Wednesday as I'll be down at Facebook f8 for the day. Then back up Thursday for a 9:15am keynote on Supporting the Open Web!

Really busy week, with no sleep for me, but should be tons of fun and I look forward to seeing a bunch of awesome people!

20 Jul 2008 7:23pm GMT

19 Jul 2008


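Rakuto Furutani: OpenID trends - Will Trusted Data Exchange be the trump card for user attribute portability?

I attended =nat's keynote at the 3rd Liberty Alliance Technical Seminar and picked up some news on OpenID-related trends, so here are my notes.

SREG and AX exist as extensions for exchanging attribute information between OPs and RPs, but AX has not quite reached widespread adoption. (Only myopenid.com and VeriSign?) There are also issues with privacy policies and terms of service, and Japanese companies often cannot disclose user attributes to third parties.

Basically, the differences between AX and SREG are



as listed, but the fundamental problem is that using highly private information such as credit card numbers and phone numbers as OpenID user attributes is considered crazy. Perhaps the reason a full-scale migration to AX is not progressing is that, in the end, the user attributes handled by OpenID are only nicknames and email addresses, and SREG is quite sufficient for that.

Now, as a specification to replace AX, which provides only simple user attribute exchange and a mechanism for user permission on the OP side, Trusted Data Exchange has been submitted by =nat and =masaki (NRI).

The concepts of TX include the following.

The specification has already been proposed, and discussions appear to be moving toward adopting it. OpenID login forms lower the barrier to member registration. As a result, the barrier to using services drops, and it becomes more likely that personal information such as credit cards and addresses is passed to untrustworthy RPs. For user attribute portability, building a Reputation Platform can be said to be an urgent task.

Will it be incorporated within the year?

Another recent development is an extension of the PAPE specification. PAPE is the OpenID extension for explicitly indicating the authentication strength of OpenID, and I am told a specification is being proposed for explicitly specifying the security model to adopt. With the current PAPE, only the security model defined by NIST can be specified, but when adopting Japan's FISC criteria, I am told it can be specified as follows.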


openid.pape.auth_level.fisc:2
openid.pape.auth_level.ns.fisc: http://www.fisc.or.jp/ex/authlevel



See also: まちゅダイアリー - SAML, OpenID and CardSpace

19 Jul 2008 3:12am GMT

18 Jul 2008


David Recordon: TheSocialWeb.tv: Meebo Community IM



Shot another episode of TheSocialWeb.tv with John and Joseph yesterday. Focused mainly on Meebo's new Community IM and how it's continuing the trend of making the entire web more social. Check it out and I'll be at both Facebook f8 and OSCON next week.

18 Jul 2008 4:34pm GMT

Vidoop: myVidoop server maintenance

myVidoop.com will be down for server maintenance from 12am - 2am CDT July 18, 2008. We apologize for not posting this notice sooner.

Update: the maintenance window is actually from 12am - 4am CDT; we apologize for any inconvenience this may cause.

Update: the maintenance has been completed and myvidoop.com is back online.

18 Jul 2008 4:36am GMT

17 Jul 2008


Johannes Ernst: What's Next For OpenID?

While OpenID 2.0 has certainly been a big step forward, it's clear that much technical work remains to be done to make OpenID as useful and as broadly applicable as possible. (And don't get me started on how much marketing work needs to be done...)

Here's my list of what I'd like to see us in the OpenID community work on from now through 2009. We don't need to do all of it at once of course. I'm blogging this so I can get some feedback ...

Note: I do not know how to solve all of them, but then, that's what we have the brainy OpenID community for ;-)

What's your list?

Update 13:18: http://mylid.net/mglcel suggests: "What about social networks storage on OpenID?" Sounds like a good idea, but perhaps a bit difficult politically. That shouldn't keep us from working on it, though.


17 Jul 2008 8:18pm GMT