[OpenID board] Update to BOD on NYC OpenID Content Provider Advisory Committee Seminar

Brian Kissel bkissel at janrain.com
Tue Sep 30 17:23:38 UTC 2008


Hello All,



As I think everyone knows, the BBC hosted and JanRain coordinated a full day meeting of several OPs and large Content Provider organizations in NY City.  This was billed as a kickoff meeting for an "OpenID Content Provider Advisory Committee."  Here are some highlights from the event:



Summary:



*         There were 26 participants from 18 organizations including 8 OPs and 8 RPs.  Time Inc. sent 4 representatives, NY Times and BBC sent 3 each, and NPR sent 2.  All the confirmed participants except SonyBMG attended, which we think is indicative that there is serious interest on the part of the Content Provider community in OpenID.






*         Topics discussed included:

o   Business case for OpenID - use cases and economic impact

o   Best practices for OpenID Providers (OPs) w.r.t. UX, data support, security, features

o   Best practices for OpenID Relying Parties (RPs) w.r.t. UX, data support, security, features

o   Optimal Content Provider user experience

o   Data Management - sources, integration, industry specific data, accuracy, security & trust

o   Coming Enhancements - PAPE, OAuth, Portable Contacts, MySpace DA, browser integration

*         Zac Bjelogrlic of the BBC gave the welcoming introduction and made a compelling case that a core group of OPs and RPs should come together to define how OpenID can be a great opportunity for Content Providers and determine how OpenID needs to evolve to realize that potential.

*         Yahoo, Google, and MySpace all presented information about their OP services, thoughts on User Experience & Lessons Learned, and some future plans.  AOL will also be providing information along these lines to share with the RP participants.

*         National 4-H presented a summary of an OpenID-based integrated National, State, and Local web platform that they will be deploying in the coming months.

*         We shared the case study that Nat Sakimura has created for Japanese Airlines (JAL) federated partner commerce using OpenID with the proposed Trusted Data Exchange (TX) extension that NRI has been developing.

*         There was extensive discussion between existing and potential RPs and the OPs about what it would take for faster and broader adoption of OpenID in the Content Provider community.

*         The session was moderated and feedback captured by Rosemary Remacle of Market Focus, a strategic marketing consulting firm who will be doing some follow on customer research.



High Level Feedback:



*         User Experience.  Everyone agreed that the current user experience models that are being tried are not working.  For all but the tech savvy, users don't get what OpenID is or how to use it, even after they have been educated (Yahoo case study).  In some cases, adding an OpenID option to a login page actually reduced successful login rates.  A few of the general themes:

o   There is no consistency among OPs on how they handle authentication and interplay with the RP, which makes it hard for RPs to accept multiple OPs and still provide a consistent user experience

o   There is no consistency among RPs, so end-users get confused when each website offering OpenID does it a different way

o   Users don't get the notion of a URL as a login credential, don't know why there isn't a password

o   For some RP/OP sequences there are too many redirections and sequential clicks, users get lost and confused

o   General acknowledgement that there hasn't been much end user education yet (by OPs or RPs), and that may help, but overall the UX has to be improved as well

o   Some discussion about whether end users even need to know that OpenID is providing SSO, or whether it might be better to abstract the functionality in some way to a paradigm users understand - email address (Google draft proposal would extract the OP's domain from the email address then authenticate via directed identity), visual icons for major OPs (AOL, Yahoo, Google, MySpace, etc. - the SourceForge approach), integration into the browser, selectors (like ClickPass and ID Selector), etc.

*         Data - None of the major content providers in attendance appeared to be interested in OpenID until major OPs start using SREG, minimum data is email address and DOB (age), though most would like all the SREG data.  Most were also very interested in data beyond SREG: AX, OAuth, Portable Contacts, MySpace Data Availability, etc.

*         Trust/Assurance - RPs want to know that they can rely on any given OP for user authentication and/or the corresponding end-user data.  What are the mechanisms to achieve this?

*         Security - Standard concerns about phishing and protecting end user data.  Interestingly, when surveyed across 13 possible topics to discuss at the session, Security only came in at #7.

*         ROI - What are the quantitative benefits and what are the costs associated with implementing OpenID?  Some, like NPR, said that even if the upside isn't proven, if they can be certain there isn't any downside (Yahoo and Google presented data that if done improperly, OpenID actually reduces registration and login) and the cost is low, they would be willing to deploy it since they can qualitatively project how OpenID will be of value to them and their customers long term. General agreement that case studies and industry data would be helpful with this.

*         Business rule templates for RP/OP and federated RP/RP interactions.  Suggested that the OIDF should come up with these, akin to what Liberty and SAML provide.

*         OpenID Brand.  There was an interesting discussion on whether OpenID was a B2B or B2C brand, or both.  It appeared that the Content Providers wanted OpenID to be a B2B brand at a minimum so they could count on something around OpenID.  They felt that there was a role for the OIDF to play in defining best practices for OPs and RPs in UX, authentication, attribute assurance, privacy, security, data management, etc. as well as possibly "validating/certifying" some key elements of the ecosystem, whitelist/blacklist services, legal frameworks, etc.  On the B2C side it was less clear that the Content Providers thought there was as compelling a role for the OpenID brand - that is, it wasn't clear that "login with your OpenID" was necessarily the right way to go.  The underlying functionality was good, just not clear that the branded UX implementation was optimal - first priority should be ease of use and adoption, not the brand.



Possible Next Steps:



*         OIDF Foundation Support:  OpenID Foundation should charter this group as the "Content Provider Advisory Committee to the OpenID Foundation" - everyone in support of this?  Seems that the Customer Research Committee (CRC) should continue to drive this advisory committee and explore whether other advisory committee segments should be pursued.

o   Volunteers?  The official Customer Research Committee (CRC) is Johannes Ernst, Scott Kveton, Raj Mata, and Brian Kissel.  If there are others that would like to be more involved, please let us know, we need the help.

*         Discussion Website:  A Google Group was created to post the various presentations and links that were discussed at the session.  Additionally, several discussion threads were created to allow participants to continue the dialog on various topics of interest.  Currently there are 26 people registered on this site.  If you'd like an invitation, just send me the email address you'd like to log in with.  If you already have an email account confirmed with Google Groups, that's the best one to use.  If you have content that would be of interest to these major media and affinity group organizations to help them make their case to adopt OpenID, this is a good forum for sharing that content.

*         Case Studies: We need case studies.  Nat Sakimura is working on enhancing the JAL study with some metrics and Bob Ranson of 4-H offered to do one once they are live. Who else can we get data from?  SourceForge, Plaxo, OxFam, CNN, Google Blogger, AOL properties - anyone know of some RPs who have had good results so far?  I am working on a case study with the CTO of PropertyMaps.com who has blogged about significant additional registrations and logins via OpenID.  We really need to start cranking these out.  This will help address part of the ROI questions from above.

*         Deployment Checklists: We need to provide better guidance to prospective RPs on how to deploy OpenID, integrate it with their existing registration systems, deploy an intuitive and industry standard UX experience, manage OpenID related data, etc.  Joseph Smarr of Plaxo created a good baseline some time ago, but it's now out of date and not as complete as most RPs would like.  Any suggestions on how we get this done?  Any volunteers?

*         Customer Interviews:  The Customer Research Committee has retained Rosemary Remacle of Market Focus to do up to 15 additional "voice of the customer" interviews.  She's looking for introductions to organizations and people who would have useful perspectives on how to accelerate adoption and usage of OpenID.  In particular, we'd like introductions to other major media companies that weren't present at the NYC session including.  If you have contacts at any of these firms, please contact Rosemary (rosemary at mktfocus.net) or Johannes Ernst who is managing this project.

o   Gannett, Washington Post, CBS, NBC, ABC, Fox, Disney, Viacom, Tribune, Sony, McClatchy, EW Scripps, Dow Jones, Liberty Media, IDG, McGraw-Hill, Monster, Sinclair Broadcast, CareerBuilder, IAC/InterActiveCorp, Community Newspaper Holdings, United Online, Gemstar-TV Guide, Sun-Times Media Group, Forbes Media, CMP Technology (United Business Media), American Express Publishing, CNET Networks

o   Are there others that we should be targeting for these interviews?

*         User Experience:  We really need to address this issue of UX since it's a game changer.  While Vidoop is taking the lead on working with other OIDF members to create the Firefox browser plug-in, that is a longer term initiative and IMHO we need something sooner.  Here are some possible suggestions:

o   Major OP Collaboration on UX.  At the session both Yahoo and Google shared some data, observations, and recommendations on how to improve UX.  If Yahoo, AOL, Google, and MySpace can all agree on some general guidelines to allow RPs to offer intuitive, compelling, and consistent user experiences, that would be a huge win.  I know that some of the aforementioned have already started discussions on UX.  How do we accelerate this and produce either a "de facto standard" or some kind of OIDF guidelines for OPs and RPs to achieve the best UX and customer adoption?  In any case, we should include large, market moving prospective RPs like the ones who attended the NYC session in the discussion.  It's not a win if all the OPs agree to something that RPs aren't going to deploy and promote and end users don't embrace.  We think we now have a critical mass of interested content provider RPs that we can collaborate with on this.

o   Education.  If we're going to come up with some de facto standards or OIDF endorsed guidelines, we then need to educate RPs and end users.  Even if we're not going to do that, we need to decide where the most confusion and frustration is today w.r.t. UX and do what we can to educate RPs and end users how to leverage the benefits of OpenID, whether or not the OpenID "brand" is part of the mix.

o   Examples.  However we decide (or don't decide) to proceed, we need to be able to point RPs and end users to websites that we think represent "good" (if not best practice) deployments of OpenID and highlight the aspects of the reference deployments that help drive adoption and usage.

*         Data.  This appears to be a mission critical topic.  We need to figure out how the major OPs can start providing the data that major RPs want/need in order to implement OpenID.  As in the UX discussion above, perhaps the major OPs can collaborate (independently or in the context of an appropriate OIDF committee) to set standards for data sharing via the various available mechanisms (SREG, AX, OAuth, Portable Contacts, TX, etc.)

*         OpenID Brand.  The OIDF needs to address the aforementioned B2B and B2C brand questions and come up with a definitive position on each to address market needs and set expectations.  Perhaps we should have one committee for B2B and another for B2C to make recommendations on exactly what the OIDF and member companies should do w.r.t. the role OIDF plays in the areas of interest expressed by the Content Providers.

*         Trust/Assurance & Business Rules/Templates/Frameworks.  This appeared to be a second order concern with UX and data availability being the top issues, but will likely be the logical next step whenever authentication assurance is required for more sensitive transactions or richer data is being transferred.  Some work has been done with PAPE and TX to head in this direction, but there is still a lot more we need to do.  Several people from the Liberty/SAML/WS-Fed camp have suggested benchmarking what these organizations have developed to determine if we can create lighter duty (and hopefully compatible) versions of their models that are more appropriate for the OpenID ecosystem.  Not sure if there is an existing committee that's well positioned to address this (Tony Nadalin and the Security Committee?) or whether another committee should be formed for this.  But this is something that will need to be addressed in short order after UX and data availability, and given the complexity of the issues, we probably need to get started on it right away.  Any volunteers to come up with a recommended game plan?



Any other comments or recommendations from those who attended the session?



Cheers,


Brian

OpenID Foundation Customer Research and Marketing Committees

___________



Brian Kissel<http://www.linkedin.com/pub/0/10/254>

CEO, JanRain - OpenID-enable your websites, customers, partners, and employees

5331 SW Macadam Ave., Suite 375, Portland, OR 97239

Email: bkissel at janrain.com     Cell: 503.866.4424     Fax: 503.296.5502



Get your FREE OpenID at myOpenID.com<http://www.myopenid.com/>




