I’ve been intending to write about iCards next, but Paul and Kim have yet to get back to me. Since I just got out of the OpenID panel at SXSW, I’ll go ahead and cover the panel. Beware–This is going to be a long one.
I actually made my way through the labyrinth that is SXSW to one of the lesser rooms about 15 minutes early (WAY early in SXSW time). To my shock, the room was already packed (300-500 people). Even more telling, this was a very sophisticated 300-500 people. I would guess that about a quarter were implementing or looking to implement identity solutions in some form or another. In other words, this space is SCALDING hot.
Jason Levitt (formerly with Yahoo) moderated the panel. Artur Bergman (Wikia), David Recordon (Six Apart), Simon Willison (simonwillison.net), Andy Smith (Google), and George Fletcher (AOL) were on the panel and seated from left to right in the order I’ve listed them. I’ll probably describe the panel as I describe the participants, so let me just make clear (before I say anything that can be construed as snarky) that all of these guys did a great job and all of them clearly understand the identity space very well. Besides the fact that it is of personal interest to me, this was one of the best panels of the event.
Jason Levitt—It was a little funny watching him trying to “moderate” this discussion. After Simon gave a (very good) overview of OpenID, Jason was going to do a small presentation about Yahoo, but his laptop wasn’t cooperating. While he was trying to fix it, an impromptu conversation began between the audience and the panel. By the time he finally got his computer working, the few slides were almost an unwelcome interruption. He then tried to take over the questioning from the audience and the panel over-ruled him. As his last act as moderator, he requested that AT LEAST audience members should ask questions from the microphone. Overall, he did a good job of letting go, which was clearly the right (though not necessarily easy) thing to do.
Simon Wilson—As I already mentioned, Simon gave a very good overview of Open ID. A few points were of particular interest:
1. He demonstrated that once you sign into an RP (relying party–a site that needs to authenticate you) with your OpenID, your OP (open ID provider) can ask you if you would like it to remember that you trust that site. This means OpenID can support persistent trust relationships.
2. He demonstrated “Simple Registration”. These are 9 common registration fields you can choose to have your OP give to any RP. This is huge because it means you can associate and share identity claims through your OP.
3. He also explained that in Open ID 2.0, the RP can use their base URL (e.g. aol.com) instead of the unique identifier (opened.aol.com/drstarcat). The cool thing about this, is you could have a button that says “Authenticate with Aol” instead of the more technical “Please enter your Open ID URL here”.
I haven’t run into Simon before, but he was introduced as an Open ID evangelist—NO KIDDING! He was RELENTLESSLY positive about the technology. The audience was sophisticated and asked some real questions. Simon’s answers were overwhelmingly optimistic:
1. If someone gets my OpenID, can’t they login to all my sites? Yes, but this happens if they get a hold of your email as well (they can send password reminder requests).
2. What about fishing? Paypal has the same issue and survives.
3. Big companies refuse to be relying parties? Not an issue. Google, Yahoo, and AOL don’t NEED to be relying parties. Open ID is best for smaller sites that don’t want to deal with registration.
4. Doesn’t the big two (Google and Microsoft/Yahoo) serving as THE OPs become just like Passport was back in the day? Nope, two is better than one.
I don’t necessarily disagree with any of these points, but I would have appreciated some acknowledgment of the real challenges that face Open ID (and any identity solution). Regardless, Simon is a great evangelist for Open ID, and I’m sure we’ll be connecting in the future.
George Fletcher—George was main “adult” in the room (he actually has grey hair!), and was also the most moderate voice. He’s in charge of implementing OpenID at AOL, and it’s pretty clear he understands the issues. One of his recurring themes was that OpenID really needs more requirements around it’s security layer (like mandating SSL) if it’s going to be trusted.
He also didn’t gloss over the question about why no major Internet properties are relying parties. Simon turned to him to claim that AOL was opening its properties to OpenID authentication (this is a common and mistaken claim based on Ficklets, a unique Aol property), and George tellingly gave him a little “not really” shake of the head. He basically admitted that properties that are tasked with protecting real user assets aren’t likely to use OpenID until some of the security and trust issues can be resolved.
The Implementors (David, Artur, and Andy)—I’m not lumping these three guys together because they are less important or distinctive. Just the opposite—David and Artur really drove much of the conversation and gave some of the best answers, and anyone who reads this blog will know that, as someone who likes to build things in reality, I like and respect nothing more than real implementors . These guys are exactly the kind of people I love on my team.
David, bushy-haired and having a lot of fun, made a few great points:
1. Because OPs focus on providing identity as a job, they can devote all their resources to doing it correctly.
2. Security vendors who come up with security enhancements will be able to more efficiently market their improvements with a few OPs (instead of millions of RPs).
3. Becoming an RP is a good idea for a startup (by reducing technical and legal liability); whereas, becoming an OP is a very bad idea (by increasing technical and legal liability).
4. There are no real OpenID adoption metrics, as its distributed nature makes this nearly impossible.
Artur gives the slightest impression of a German (Swedish?) economy of emotion and words, but also made some great points and was having some real fun. His primary response to most questions was, “That’s the responsibility of the OP”. In other words, I think he feels that not every issue should be solved on the specification layer (though he did advocate additional, optional specifications for more secure OpenID implementations); rather, it is the responsibility of the OP to innovate and find ways to become a trusted provider. This makes a lot of sense, as this will allow the market to determine the correct trade-offs between security and usability.
There were actually a number of other great things that came out of this panel, but I’ll save most of those for later posts. Two important takeaways though:
1. OpenID DOES define an “attribute exchange” layer, which extends the “simple registration” fields, so that an OP can use the protocol to broker identity claims.
2. OpenID along with OAuth can compete with much of the functionality of iCards and, because of their simplicity, have emerged as the stack to beat in the identity space.