<HTML>
<HEAD>
<TITLE>Re: [OpenID] Musing on FaceBook, OpenID and the next mountain to climb</TITLE>
</HEAD>
<BODY>
<FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>We are in complete agreement over the lack of any quality best practices and public research on OpenID. Yahoo! has done some and will share it when possible. But the lack of best practices does not apply to the Facebook example since they already knew their best practices and could have applied them to OpenID + AX. What drives me nuts is the argument that “we looked at x and it didn’t look like what we wanted” when a simple conversation would have made a difference. I’m sure the OpenID Foundation and this community would have been extremely happy to work with Facebook to enable them to implement their solution using open standards. But their attitude is not to talk to these communities.<BR>
<BR>
---<BR>
<BR>
As for the lack of proper resources – we are almost a year away from OpenID 2.0 going final and have made almost no progress on much of what people have been talking about. At this point it is safe to assume that salvation is not going to come from the community. I am tired of people saying “we need” without any contribution to follow.<BR>
<BR>
Unfortunately, OpenID is not high on my list of projects right now (with OWF IPR, OAuth IETF, and XRDS topping the list), but this isn’t just the result of personal preferences. It is because the foundation and its leadership have failed to get anything done other than create titles, and I refuse to pay $100 to try and fix it. From my limited vantage point it looks like the foundation has the resources but not the will to actually do something. Other than offering a too-heavy IPR process (with a mediocre license), what should motivate people to bring their ideas to the foundation?<BR>
<BR>
OpenID is an interop protocol and a product. It is a decent interop protocol, still has a way to go, and can actually benefit from some heavier standards review. But as a product it is obviously failing. So far many are happy to sell it (OP) but few are buying it (RP) and those who do (users) rarely use it. This is where companies like Facebook can make a huge difference by taking a lead and pushing it in the right direction. Yahoo! is trying to do this, and we have a long way to go in terms of improving the product and making it useful.<BR>
<BR>
And there is plenty of horseshit to go around :-).<BR>
<BR>
Google is working on some OpenID solution, but so far has done very little in terms of engaging the community. They have some obvious challenges to figure out (for example, the fact that they use email addresses as the username), but they are not engaging the community in their process. AOL created endpoints without any real value or effort to educate their users. The list goes on... I try to only pick on the big boys.<BR>
<BR>
EHL<BR>
<BR>
<BR>
<BR>
<BR>
On 9/17/08 12:30 PM, "Dick Hardt" <<a href="mailto:dick.hardt@gmail.com">dick.hardt@gmail.com</a>> wrote:<BR>
<BR>
</SPAN></FONT><BLOCKQUOTE><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>Hey Eran, good to see you jump into the conversation ...<BR>
<BR>
On 16-Sep-08, at 11:41 PM, Eran Hammer-Lahav wrote:<BR>
<BR>
> Dick Hardt wrote:<BR>
>> Last time I looked, OAuth and OpenID were different as well. So much<BR>
>> for reuse of work in the Open Web. Standardizing this and having it<BR>
>> in<BR>
>> libraries would help developers.<BR>
><BR>
> When OAuth came up with its security model and assertion<BR>
> verification process (using tokens) it examined the OpenID solution<BR>
> and concluded that it was too complex for most developers to<BR>
> implement, as well as concerns about its use of DH crypto. The<BR>
> reality is, many people are even having problems with OAuth's<BR>
> signature workflow (which I'll take some blame for as the spec can<BR>
> use improvements and clarifications).<BR>
><BR>
> David and I had many conversations regarding the possibility of<BR>
> merging the underlying methods of both protocols. I even wrote about<BR>
> it back in January to almost no community interest (<a href="http://www.hueniverse.com/hueniverse/2008/01/the-war-of-the.html">http://www.hueniverse.com/hueniverse/2008/01/the-war-of-the.html</a><BR>
> ). The bottom line is, if you add a feature or two to each one, they<BR>
> can completely replace the other.<BR>
<BR>
A common way of normalizing and signing name/value pairs would have<BR>
allowed that code to be reused.<BR>
<BR>
I proposed this to the group as well.<BR>
<BR>
My point: it is hypocritical to point the finger at Facebook saying<BR>
they were not reusing open web standards, when the various open web<BR>
standards don't even reuse or standardize on common procedures.<BR>
<BR>
<BR>
><BR>
><BR>
>> The functionality they wanted to expose is currently not<BR>
>> in the OpenID specifications -- and I think the user experience is<BR>
>> superior with Facebook Connect than OpenID.<BR>
><BR>
> Like what?<BR>
<BR>
If the user has a Facebook account, 99.9% chance they know it. If they<BR>
have an OpenID account 99.9% chance they don't.<BR>
<BR>
With Facebook Connect, the user clicks on a button to use it. There is a<BR>
wide, inconsistent variation on what the user needs to do to use OpenID.<BR>
<BR>
With Facebook Connect, I get all my friends, all my privacy settings<BR>
along. There are no best practices for doing this with OpenID.<BR>
<BR>
With Facebook Connect, the RP can look at my profile, and if they<BR>
think I am a "good" netizen, let me participate without moderation.<BR>
OpenID has no best practices for doing this.<BR>
><BR>
>> I don't think that the Facebook team wanted to reinvent anything --<BR>
>> so<BR>
>> if the tech was already available to do what they wanted, they would<BR>
>> have used it.<BR>
><BR>
> (No one expects me to be polite about this one)<BR>
><BR>
> HORSESHIT!<BR>
<BR>
Ok, but what do you REALLY think? ;-)<BR>
<BR>
><BR>
><BR>
> First, they never made the effort to truly engage the community and<BR>
> understand either specification. Second, for the most part, they<BR>
> reused existing Facebook pieces to create Facebook Connect. Those<BR>
> pieces could have been converted or added support for OpenID and<BR>
> OAuth a long time ago. And third, this is exactly what they wanted<BR>
> to do - these are some of the brightest minds in the industry and<BR>
> they know what they are doing.<BR>
<BR>
<BR>
I can see and agree with your point around OAuth, but this is an<BR>
OpenID list. I am clearly a big promoter of OpenID, but I don't have a<BR>
good argument on why they should have used OpenID for what they are<BR>
doing with Facebook Connect.<BR>
<BR>
Could they become an OP like Yahoo! is? Sure. But SSO is not the major<BR>
value proposition of Facebook Connect -- it is getting all the other<BR>
aspects and user experience I mention above.<BR>
<BR>
I anticipate that if Digg supports both OpenID and Facebook Connect --<BR>
I will use Facebook Connect to login as I will get a richer, simpler<BR>
experience and I am running Sxipper, so I can just click a button to<BR>
use my OpenID.<BR>
<BR>
-- Dick<BR>
<BR>
<BR>
</SPAN></FONT></BLOCKQUOTE>
</BODY>
</HTML>