OAuth 1.0, OpenID 2.0 and up next: DiSo

IIW 2007b is now over, and with its conclusion we have two significant accomplishments, both the sum of months of hard work by some very dedicated individuals: the release of the OpenID 2.0 and OAuth Core 1.0 specifications.

These are two important protocols that serve as a foundational unit for enabling what’s being called “user-centric identity”, or that I call “citizen-centric identity”. With OpenID for identity and authentication and OAuth for authorizing access to portions of your private data, we move ever closer to inverting the silos and providing greater mobility and freedom of choice, restoring the balance in the marketplace and elevating the level of competition by enabling the production of more compelling social applications without requiring the huge investment it takes to recreate even a portion of the available social graph.

It means that we now have protocols that can begin to put an end to the habit of treating users’ credentials like confetti and instead can offer people the ability to get very specific about what they want to share with third parties. And what’s most significant here is that these protocols are open and available for anyone to implement. You don’t have to ask permission; if you want to get involved and do your customers a huge favor, all you have to do is support this work.

To put my … time? … where my mouth is (I haven’t got a whole lot of money to put there) … Steve Ivy and I have embarked on a prototype project to build a social network with its skin inside out. We’re calling it DiSo, or “Distributed Social Networking applications”. The emphasis here is on “distributed”.

In his talk today on Friends List Portability, Joseph Smarr laid out an important set of roles that help to clarify how pieces of applications should be architected:

  • First of all, people have contact details like email addresses, webpage addresses (URLs), instant messaging handles, phone numbers… and any number of these identifiers can be used to discover someone (you do it now when you import your address book to a social networking site). In the citizen-centric model of the world, it’s up to individuals to maintain these identifiers, and to be very intentional about who they share their identifiers with.
  • Second, the various sites and social networks you use need to publish your friends and contacts lists in a way that is publicly accessible and is machine readable (fortunately does well there). This doesn’t mean that your friends list will be exposed for all the world to see; using OAuth, you can limit access to pieces of your personal social graph, but the point is that it’s necessary for social sites to expose, for your reuse, the identifiers of the people that you know.

With that in mind, Steve and I have started working on a strawman version of this idea by extending my wp-microformatted-blogroll plugin, renaming it to wp-contactlist and focusing on how, at a blog level, we can expose our own contact list beyond the realm of any large social network.

Besides this, we’re doing some interesting magic that would be useful for whitelisting and cross-functional purposes, like those proposed by Tim Berners-Lee. Except our goal is to implement these ideas in more humane HTML using WordPress as our delivery vehicle (note that this project is intended to be an example whose concepts should be able to be implemented on any platform).

So anyway, we’re using Will Norris’ wp-openid plugin, and when someone leaves a comment on one of our blogs using OpenID, and their OpenID happens to be in the blogroll already, they’ll be listed in our respective blogroll with an OpenID icon and a class on the link indicating that, not only are they an XFN contact, but that they logged into our blog and claimed their OpenID URL as an identifier. With this functionality in place, we can begin to build in permissioning functionality where other people might subscribe to my blogroll as a source of trusted commenters or even to find identifiers for people who could be trusted to make typographic edits to blog posts.

With the combination of XFN and OpenID, we begin to be able to establish distributed trust meshes, through the exposure of personal social graphs. As more people sign in to my blog with OpenID and leave approved comments, I can migrate them to my public blogroll, allowing others to benefit from the work I’ve done evaluating whether a given identifier might be a spam emitter. Over time, my reliability in selecting and promoting trustworthy identifiers becomes a source of social capital accrual and you’ll want to get on my list, demonstrating the value of playing the role of identity provider more widely.
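
One way a subscriber could consume such a blogroll as a commenter whitelist, shown as an added example (not the wp-contactlist or wp-openid code): it keeps only links that carry both an XFN `rel` value and a verified-OpenID class, and matches on normalized URLs. The class name `openid`, the sample markup and all function names are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# XFN 1.1 relationship values, excluding "me" (a self-link, not a contact).
XFN_VALUES = {"friend", "acquaintance", "contact", "met", "co-worker",
              "colleague", "co-resident", "neighbor", "child", "parent",
              "sibling", "spouse", "kin", "muse", "crush", "date", "sweetheart"}
VERIFIED_CLASS = "openid"  # assumed class name; the post does not give the real one

def normalize(url):
    """Lower-case scheme and host, drop the fragment; None unless absolute http(s)."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return None
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))

class BlogrollParser(HTMLParser):
    """Collects links that carry both an XFN rel value and the verified class."""
    def __init__(self):
        super().__init__()
        self.verified = {}  # normalized identifier -> set of XFN values

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        xfn = set((a.get("rel") or "").lower().split()) & XFN_VALUES
        classes = (a.get("class") or "").split()
        ident = normalize(a.get("href") or "")
        if tag == "a" and ident and xfn and VERIFIED_CLASS in classes:
            self.verified.setdefault(ident, set()).update(xfn)

def trusted_identifiers(blogroll_html):
    parser = BlogrollParser()
    parser.feed(blogroll_html)
    parser.close()
    return parser.verified

def is_trusted_commenter(claimed_openid, whitelist):
    """claimed_openid must already have been verified by the OpenID login."""
    return normalize(claimed_openid) in whitelist

# Constructed sample blogroll markup, not taken from the plugin's output.
SAMPLE = """<ul class="xoxo blogroll">
<li><a href="http://alice.example/" rel="friend met" class="openid">Alice</a></li>
<li><a href="http://bob.example/" rel="acquaintance">Bob</a></li>
<li><a href="http://carol.example/" class="openid">Carol</a></li>
<li><a href="HTTPS://Dave.Example" rel="colleague" class="url openid">Dave</a></li>
</ul>"""
```

The `http` and `https` forms of a URL are kept as distinct identifiers, so a blogroll entry for one does not vouch for the other.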

This will lead us towards the development of other DiSo applications, which I’ve begun mapping out as sketches on my wiki but that I think we can begin to discuss on the DiSo mailing list.

66 thoughts on “OAuth 1.0, OpenID 2.0 and up next: DiSo”

  1. It seems to me then, what’s missing from this is a standardized method of adding and removing friends from your network. While importing your data into a network is great, having to maintain it by hand sucks. So creating a standardized interface that can be accessed by social network applications through OAuth is just as important as creating a method of displaying this information.

  2. Great news! but you might want to check that XFN link, I got a nasty surprise when clicking it :)

  3. How is DiSo different from the endeavors down at Dataportability.org?

  4. @Chris Jay: whoops! Fixed!

    @Erick: I’m a member of the Data Portability group, but I’m antsy to build something!

  5. @Chris You’ve added a Magnolia link for OpenContacts but it’s linked to opencontact.org
    Without an S.. :-) Don’t think that’s correct..

  6. Hey Chris, I’ve had so many tabs opened today, that I finally realized I never finished reading this post! Glad I did however. As I’m glad I’ve gotten membership to DiSo and the mailing list. Very much looking forward to working in this group for the betterment of the online community as well as my own nefarious means! (Okay just kidding, honest!)

    Looking forward to “what’s next!”

  7. “…this project is intended to be an example whose concepts should be able to be implemented on any platform.”

    Is anyone already working on a DiSo for Drupal?

  8. This is a fascinating idea. I would like to become a mental supporter due to lack of time – how about an icon/badge/thingy that I can put on my homepage or in my FB profile?

    cheers,
    M

  9. This is exciting! This is very much in line with the software I’m writing right now, which aims to turn the internet into a social network (i.e. regardless of the software you use).

    I implemented a new protocol for notifying a website when you added it to your contact list (blogroll) because I couldn’t find an appropriate standard, but I think I’m on the right track :)
