On Friday, David Recordon, one of the original authors of OpenID, released a single-page specification for OpenID Connect, a concept that I outlined on this blog in January before I joined Google.

I’m particularly excited about this early proposal because it builds on all the great progress that the community has made recently on a litany of technologies, including OAuth 2.0 and the link-based resource descriptor format (LRDD) and its emerging JSON-based variant (JRD).

But I’m most excited about OpenID Connect because it forces the OpenID community to evaluate the progress we’ve made over the last three years (OpenID 2.0 was introduced in 2007) and to think critically about where we go next, and how we get there, given what the market has indicated it wants.

Rearticulating the problem

When Brad Fitzpatrick first created OpenID, he was looking to solve a fairly mundane problem: develop a protocol that made it possible for a commenter to claim her comments on someone else’s blog. For the commenter, she had a way to vouch for her words; for the blog owner, he had a way to establish the authenticity of the comments left by his readers. Given this context, all that was required in the early days of OpenID was a stable way to uniquely identify people — gathering additional profile information wasn’t as necessary because blog commenting forms already asked for — and often required — that commenters supply their name and email address.

Thus the basic architecture of OpenID concerned itself with establishing identity across contexts (i.e. “Bob” from Context A is the same “Bob” found in Context B), rather than with profile portability. This focus lent itself to privacy-preserving anonymous and pseudonymous transactions where identity could be established without the need to divulge personally-identifying information, or without forcing you to collapse the boundaries of separate social contexts.

This feature of OpenID (called directed identity) enabled you to hold a single account at, say, yahoo.com, but sign in to third party sites using “non-correlatable identifiers”. That is, this feature made it possible to maintain discreet profiles for logging in to other sites across the web without needing a different password to manage each.

The ability to “select [the] OpenID identifier” that I want to share with stackoverflow.com is how this feature manifests on yahoo.com:

The economics of user-centric identity

Features like directed identity, however, present several challenges for users and OpenID relying parties.

For users, these features complicate the sign in flow by introducing new interface surfaces (as seen above) and management tasks. They also increase the cognitive burden of registration by requiring a user to pick a profile (or create a new one) to use in a given context. Additionally, the ability to refrain from disclosing profile information when registering for a new service may seem economically advantageous to the user at the outset (“Aha! I refuse to tell you my name or email address!”) but results in unintended disadvantages over time.

That is, because OpenID users share less information with third parties, they are perceived as being “less valuable” than email-based registrants or users that connect to their Facebook or Twitter accounts.

Why? Simply put: OpenID, by design, favors the user rather than the relying party. In contrast, technologies like Facebook and Twitter Connect emphasize the benefits to relying parties. So while it might seem like an inconvenience to custom-tailor your personal privacy settings on Facebook, the liberal defaults are meant to make Facebook users’ accounts more valuable to relying parties than other, more privacy-preserving account configurations.

So, as Twitter and Facebook have grown in popularity and the number of sites willing to outsource their account management to them have increased, both OpenID users and providers find themselves in a predicament: if they continue to restrict the flow of data, the number of OpenID relying parties will diminish in favor of Facebook- and Twitter-Connected sites. If instead OpenID users become more liberal with the data that they are willing (and able) to share with third parties, they will still need to rally support from relying parties to be recognized as valuable users. Thus making more data available from OpenID users is the first essential step that we must take to regain our footing in the marketplace.

But it won’t be enough.

To overcome both the real and perceived economic disadvantage of supporting OpenID, we need to make adopting OpenID exceedingly simple, straight-forward, and economically advantageous — in real terms.

Why harmonizing “Connect” is important

I wrote my overview for OpenID Connect convinced that the “connect” verb (inherited from the Twitter and Facebook platforms) would help users distinguish between merely registering for a site and signing up for and sharing some data about themselves. Even though Facebook abandoned the “connect” brand at F8 this year, I’m still of the mind that the “connect” verb suits our purposes, even if it’s going to take several years to catch on in common usage.

In any case, if OpenID solves the problem of providing a stable and unique way to identify someone, then the “Connect” in OpenID Connect layers in the ability to access data on someone’s behalf (via conventional APIs like Portable Contacts or ActivityStreams).

It’s this assemblage of authentication and authorization technologies that the industry is calling out for — as evidenced by the success of Facebook and Twitter Connect and more recently, Messenger Connect from Microsoft and upstart efforts like Diaspora that cite OpenID among the technologies they intend to leverage. Without a common standard, each of these efforts is inventing its own custom-tailored solution, retarding industry-wide progress and delaying the development of next generation social applications.

Thus, by leveraging OAuth as the core of OpenID Connect, we can build on the consensus and momentum that has been achieved in the marketplace, and by weaving in a standard and much-simpler discovery mechanism, we can preserve the decentralized design of OpenID. Presuming that Facebook, Twitter, Google, and others all become OpenID Connect providers, that means that site operators can implement one connect API and interoperate with potentially dozens of providers with a single, well-understood open source stack of technologies.

Such an outcome would be good for relying parties (or “clients” in the parlance of Recordon’s proposal) as well as citizens of the web, who deserve a choice when it comes to entrusting a provider with their digital identity but are increasingly marginalized by “privacy-preserving technologies” that are not economically viable.

“Connect” also provides a convenient answer to the question of what kind of interface to present to the users who want to use their OpenID:

(Note that I also used the “connect” verb very intentionally in my social agent mockups for designing identity into the browser.)

If every site that supports third party authentication today added a “connect” button in place of their conventional “sign up” or “register” buttons and deployed a consistent user experience around picking a provider (some combination of NASCAR buttons and a type-anything email/URL field) that executed the OpenID Connect protocol, we’d be well along the path of decentralizing the social web, and restoring balance to the ecosystem.

What does OpenID stand for?

Of course, applying the OpenID brand to this solution isn’t something that I would do trivially, since the OpenID Foundation is the real authority for the trademark. However, at the foundation’s board meeting earlier this year at the OpenID Summit West, we unanimously decided to expand the scope of the OpenID Foundation’s mission to include advancing the technological underpinnings of internet identity in general, without regard for the existing OpenID technology.

This is a critical recasting of the role that OpenID and the OpenID Foundation plays in the ecosystem. Though there are other groups with similar mandates, the OpenID Foundation has decided to take on the internet identity opportunity as a general problem, rather than one narrowly scoped to disposable use cases.

In that light, it seems to me that we have come to a crossroads in the history of the foundation — however knowingly — and decided to take aggressive actions to advance the cause.

Without speaking for the foundation as a whole, I believe that it is essential that we are able to reconceive OpenID as the brand for decentralized digital identity. OpenID need not be thought of as merely an identity algorithm, but as a means for representing and conducting oneself online and across digital environments. Thus as the identity landscape undulates, the OpenID Foundation is in the position to articulate solutions that are not protocol-bound, but responsive to needs of the time, and able to adapt to and weather the shifting winds of technological progress.

After OpenID 2.0, OpenID Connect is the next significant reconceptualization of the technology that aims to meet the needs of a changing environment — one that is defined by the flow of data rather than by its suppression. It is in this context that I believe OpenID Connect can help usher forth the next evolution in digital identity technologies, building on the simplicity of OAuth 2.0 and the decentralized architecture of OpenID.

Careful readers would understand that I said that funneling all user authentication (and thus the storage of all identities) through a single provider would be evil. I don’t care who that provider might be — but centralizing so much control — the fate of our collective digital existences! — in the hands of a single entity just can not be permitted.

That said, I do want to say some nice things about the open things that Facebook launched at F8, because as an advocate of the open web, there are some important lessons to be had that we’d do well to learn from.

• Simplicity: I have to admit that Facebook impressed me with how simple they’ve made it to integrate with their platform, and how clear the value proposition is. From launching OAuth 2.0 (rather aggressively, since the standards process hasn’t even completed yet!) to removing the 24-hour caching policy, Facebook made considerable changes to their developer platform to ease adoption, integration, and promote implementation. This sets the bar for how easy (ideally) technologies like OpenID and ActivityStreams need to become.
• Avoiding NIH (mostly): In particular, Facebook dispensed with their own proprietary authorization protocol and went with the emerging industry standard (OAuth 2.0). I hope that this move reduces complexity and friction for developers implementing secure protocols, increasing the number of available high quality OAuth libraries, and leads to fewer new developers needing to figure out signatures and crypto when sometimes even the experts get these things wrong. By standardizing on OAuth, we’re within range of dispensing with passwords once and for all (…okay, not quite).
• Giving credit: I also think that Facebook deserves credit for giving credit to projects like Dublin Core, link-rel canonical, Microformats, and RDFa in their design of the Open Graph Protocol. I’ve seen many other efforts that start from scratch when plenty of other initiatives already exist simply because they’re unawares or don’t do their homework (one of which is the OpenLike effort!). I’m not sure I agree with the parts that Facebook extracted from these efforts, but as David Recordon said, we can fight over “where the quotes and angle-brackets should go“, but at the end of the day, they still shipped something that net-net increases the amount of machine-readable data on the web. And if they’re sincere in their efforts, this is just the beginning of what may emerge as a much wider definition of how more parties can both contribute to — and benefit from — the protocol.
• Open licensing: Now that I’ve been involved in this area for a longer period of time, I’ve learned a simple truth: it’s hard to give things away, especially if you want other people to use them, even moreso when some of those potential users are competitors. But, that’s why the Open Web Foundation was created, and why David and I are board members. After setting up foundations over and over again, we decided that it needed to be easier to do! Now all the hard work of the Open Web Foundation’s legal committee is starting to pay off, and I am quite satisfied that Facebook has validated this effort. We’re still so early in the process that it’s not entirely clear how to make use of the Open Web Foundation’s agreement, but surely this will motivate us to find our own Creative Commons-like approach to proclaiming support for open web licensing on individual projects.

So, while I still have my reservations about Facebook’s master plan, they did do a number of things right — not everything — but I’m tough customer to please. When it comes to the identity stuff, I’m definitely non-plussed, but that’s where my ideology and their business needs collide — and I get it.

What this means is that we all need to show more hustle out on the field and get serious. With Facebook’s Hail Mary at F8, we just got set back a touchdown, and a field goal just ain’t gunna cut it.

I attended Facebook’s F8 conference yesterday (missed the keynote IRL, but you can catch it online) and came away pondering the Open Graph Protocol.

In they keynote Zuck said (as Luke Shepard calls him):

Today the web exists mostly as a series of unstructured links between pages. This has been a powerful model, but it’s really just the start. The open graph puts people at the center of the web. It means that the web can become a set of personally and semantically meaningful connections between people and things.

While I agree that the web is transmogrifying from a web of documents to a web of people, I have deep misgivings about what the Open Graph Protocol — along with Facebook’s new Like button — means for the open web.

There are three elements of Facebook’s announcements that seem to conspire against the web:

• A new format
• Convenient to implement
• Facebook account required

First, to support the Open Graph Protocol, all you need to do is add some RDFa-formatted metatags to the HEAD of your HTML pages (as this example demonstrates, from IMDB):

Simple right? Indeed.

And from the looks of it, pretty innocuous. Structured data is good for the web, and I’d never argue to the contrary. I’m skeptical about calling this format “open” — because it smells more like openwashing from here, but I’m willing to give it the benefit of the doubt for now. (Similarly, XAuth still has to prove its openness cred, so I understand how these things can come together quickly behind closed doors and then adopt a more open footing over time.)

So, rather than using data that’s already on the web, everyone that wants to play Facebook’s game needs to go and retrofit their pages to include these new metadata types. While they’re busy with that (it should take a few minutes at most, really), won’t they also implement support for Facebook’s Like button? Isn’t that the motivation for supporting the Open Graph Protocol in the first place?

Why yes, yes it is.

And that’s the carrot to convince site publishers to support the Open Graph Protocol.

Here’s the rub though: those Like buttons only work for Facebook. I can’t just be signed in to any social web provider… it’s got to be Facebook. And on top of that, whenever I “like” something, I’m sending a signal back to Facebook that gets recorded on both my profile, and in my activity stream.

Ok, not a big deal, but think laterally: how about this? What if Larry and Sergey wanted to recreate PageRank today?

You know what I bet they wish they could have done? Forced anyone who wanted to add a page to the web to authenticate with them first. It sure would have kept out all those pesky spammers! Oh, and anyone that wanted to be part of the Google index, well they’d have to add additional metadata to their pages so that the content graph would be spic and span. Then add in the “like” button to track user engagement and then use that data to determine which pages and content to recommend to people based on their social connections (also stored on their server) and you’ve got a pretty compelling, centralized service. All those other pages from the long tail? Well, they’re just not that interesting anyway, right?

This sounds a lot to me like “Authenticated PageRank” — where everyone that wants to be listed in the index would have to get a Google account first. Sounds kind of smart, right? Except — shucks — there’s just one problem with this model: it’s evil!

When all likes lead to Facebook, and liking requires a Facebook account, and Facebook gets to hoard all of the metadata and likes around the interactions between people and content, it depletes the ecosystem of potential and chaos — those attributes which make the technology industry so interesting and competitive. It’s one thing for semantic and identity layers to emerge on the web, but it’s something else entirely for the all of the interactions on those layers to be piped through a single provider (and not just because that provider becomes a single point of failure).

I give Facebook credit for launching a compelling product, but it’s dishonest to think that the Facebook Open Graph Protocol benefits anyone more than Facebook — as it exists in its current incarnation, with Facebook accounts as the only valid participants.

As I and others have said before, your identity is too important to be owned by any one company.

Thus I’m looking forward to what efforts like OpenLike might do to tip back the scales, and bring the potential and value of such simple and meaningful interactions to other social identity providers across the web.

There are six videos in the series; you can also watch the entire uncut screencast (parts 1-6) if you’ve got a half hour to spare. Here they are:

Introduction

Identity in the Browser

People, Apps & Pages

Share

Follow

Connect

I’d be eager to hear your feedback, here or by email. There is also a mailing list that Mozilla set up to capture feedback.

If these ideas interest you, I’d also recommend checking out the Account Manager and Contacts prototypes that Mike Hanson, Dan Mills, Ragavan Srinivasan and the Mozilla Labs team produced.

Also take a look at the rest of my mockups (view as a slideshow) or visited the project overview.

. . .

When was the last time you created a new username and password so that you could make use of some website? Do you remember what username you picked, or which email address you used to sign up? Probably. But what about that support forum that you signed up for a couple weeks ago while you were home for the holidays? Did you write it down somewhere? Or worse: did you just use the same username and password that you use everywhere else?

Spreadsheets, text files, sticky notes, cheat-sheets, software and browser extensions — you name it, people have probably found some way to recruit every kind of notational tool there is to help them remember the countless passwords, PINs, IDs, usernames, and secrets needed to access the apps, websites, and services that they use on a regular basis. But we can do better.

Step 1: Activate

The social agent is designed to unify your online social experience. With that in mind, a social agent must become an extension of you in order to mediate your online interactions.

This is achieved by activating your browser against your preferred account provider when you first begin your online session, just as you activate your mobile phone before being able to make or receive calls. This is how the browser is turned into a social agent.

By activating your browser, you are effectively telling your browser who you are and where to store and access your data online.

Fortunately, you can activate using any account that you already have that supports a Connect API, like Twitter Connect or Facebook Connect (or soon, OpenID Connect). It is also conceivable to use the browser in an anonymous or “incognito mode”.

Step 2: Connect

Once activated, you can visit any site that supports Connect and with the click of a button, sign up and bring your profile, relationships, content, activities, and any other portable data with you. This process is identical to Facebook Connect or Twitter Connect, except that the interaction occurs between your social agent and the site you’re visiting.

What is a Connect API? Writing for the O’Reilly Radar blog in February last year, David Recordon defined the anatomy of “connect” as meeting four criteria:

• Profile: Everything having to do with identity, account management and profile information ranging from sign in to sign out on the site I’m connecting with.
• Relationships: Think social graph. Answers the questions of who do I know, who do I know who’s already here, and how I can invite others.
• Content: Stuff. All of my posts, photos, bookmarks, video, links, etc that I’ve created on the site I’ve connected with.
• Activity: Poked, bought, shared, posted, watched, loved, etc. All of the actions that things like the Activity Streams project are starting to take on.

This is what the verb “connect” means for the social agent. The “connect” button communicates that your browser is going to share some amount of your profile data with the site that you’re connecting with. You’re not just signing in. You’re connecting — and creating a relationship with the site. You can of course change the data that the website gets — even after you’ve signed in — and the benefit of this model is that you have transparency into what data you’re sharing with whom.

Far from making it impossible for you to share your data, your social agent should help you mediate such decisions, guiding you about which sites to connect with, and providing context to help inform you actions.

For this model to work, your connections are actually made between your preferred account provider and the third parties to which you’ve connected. Your account provider, then, acts as a hub for all of your online doings — collecting, maintaining, and mediating your browsing history, relationships and contacts, activities, transactions, content and media, and online profile. This provider should let you selectively configure how much, how little, or how long such your data is made available to third parties — much in the same way that you manage access on Twitter or Facebook today.

For you, this means that you get to pick an account provider of your choice — without needing to worry about remembering or managing passwords or usernames. Instead, you can have any number of accounts that are available to you wherever the web goes.

As a core feature of the social agent, connecting is the action you take whenever you want to establish an enduring an ongoing relationship with a site, service, or individual.

Thus, this is the first of a five part series that re-imagines the browser as a “social agent” — and defines how it can do more to facilitate various social behaviors by supporting three verbs that can “socialize” the browsing experience: Connect, Follow, and Share.

To put the ideas presented here into some context, I will begin with a vignette that describes a future computing scenario, motivated by three emerging conditions:

• online account and data portability
• ubiquitous networked access
• decreasing cost of advanced computing devices

This scenario is intended to provoke us to peek around the corner of today’s browser paradigm. Little that is presented here is entirely novel. Instead, this sketch presupposes that the browser has learned new capabilities that take it from the document-centric era of the web into the age of people-centric web services. This “social agent” knows who you are and facilitates common tasks like connecting to sites, interacting with following people and information, and providing intuitive tools for sharing for than just links.

. . .

We begin at a conference, somewhere far from home that required air travel, sometime in the near-future. It doesn’t really matter what the subject of the conference is, where it’s happening specifically, or why you’re going. However, a big draw of this event is getting to meet fellow professionals and exchanging tips and experiences, with the outcome of the event some kind of shared digital artifacts that capture the top highlights. There will be ample WiFi at the event and something else: everyone attending the event is given a slate computer to use for the duration of the event.

In fact, this kind of access to computing has become quite common; and with data access and portability vastly improved, the need to carry around personal electronics of any kind has all but gone away. In fact, the very thought of bringing a personal laptop — even a netbook — to the conference — now seems obtuse, as though you were bringing your own rotary phone and Yellow Pages to the conference.

It is also not possible to “install” applications on the device; instead, any application or service you need is available on-demand, available as a zero-footprint web service.

This device is the definition of a web native device; it serves dual purposes: to make computing extremely convenient, and abundant. It omits all the distractions and bells and whistles in favor of a lean, clean user experience, and is designed to augment — rather than replace — human interaction, as a whiteboard or pad of paper might.

The “browser” on this device has been modified to accommodate a new mode of online interaction. While it has retained a number of browser conventions, it introduces new capabilities that enhance personalization, sharing, and collaboration by carving out specific interfaces dedicated to interacting with people and web services.

When you turn on the device for the first time, you’re asked to activate the machine by signing in to your preferred identity service provider. You can either choose from a list of well known providers or supply an OpenID Connect-enabled account address.

Once activated, the device becomes an “extension” of your existing digital identity and any activity that you perform on the device will be attached to that identity. You may activate additional identities in order to assume discreet roles, but most people get by with as few as one or two active digital identities at any given time.

To that point, passwords are a thing of the past. With the advances in data portability and service interoperability, all modern sites and web services accept users from other networks (just as we take for granted the ability to email people from different domains today), making it possible to connect with, follow, and share with people on other networks without needing to create a new account. For most people, you only need one account for all your computing activities.

To better illustrate activation, I’ll draw an analogy to selecting your active gamer profile on an Xbox: once you’ve logged in with your gamertag, all your high scores, achievements, customizations, and social connections get attached to your profile. You don’t create a new gamertag for every game you play, nor for every social network (Facebook, Twitter, Last.fm, etc) that you add to your profile. Instead, your gamertag is like a meta-identity to which you attach services, preferences, and attributes. This gamertag becomes a convenient, reusable identity.

Furthermore, if you visit a friend’s house and sign in to her Xbox with your gamertag, you’ll be able to bring all those preferences, connections, and achievements with you. You would set up and use the account system of this web-based device in the same way. In our future scenario, you would likely activate the same account that you use in your typical computing tasks while at the conference — picking up from where you left off — bringing access to all the resources and services you use, without the hassle of having to bring your own device, or remember more than one password.

During the course of the event, you would be able to make use of the built-in sharing capabilities to trade notes, photos, and videos with attendees co-located and remote. You could also follow those speakers and presenters who you find interesting, again, using the built-in features of the social agent.

On the expo floor, you could use the device to wirelessly connect your account to any of the exhibitors, taking photos, making notes, and swapping contact information or gathering information to read later — which would all be seamlessly and securely synced to your cloud provider.

Best of all, because these activities would be performed under a primary account, it would be easy for you to revisit this experience later — filtering the connections and contacts you made by time, location, or contextual activity (for example, did you meet this person because they were a speaker, or were you introduced to this person through a mutual friend?). You would also have digital receipts of the information that you shared with people, and be able to recall the products and organizations you started following while at the event. In other words, rather than having to perform these different types of common tasks across a number of separate networks after the fact, your social agent would mediate these tasks for you — ultimately freeing you up to focus on the event itself — and the interactions with your fellow attendees.

. . .

Our opportunity, then, is to define how the browser could serve us better if it were recast as a social agent. To begin with, we need to make two assumptions:

• First, there’s no reason why the browser should remain a passive bystander in our online experience. With increasing information abundance, we require smart and sophisticated tools that bring us the information that we need to know, when we need to know it, and that brings back our focus, productivity, and accelerates our understanding of the world around us.
• Second, the social agent serves as an extension of the self into the web. Just as the mouse and keyboard facilitate the interaction between man and machine, the social agent facilitates the interaction between people through the medium of the web. We trust the keyboard to “communicate” our keystrokes to the computer just as we typed them, and expect the browser to help us articulate our connections other people directly. As the trust between the browser and man grows, we are extending ourselves into the digital medium — augmenting our access and ability to manipulate information — and enhancing our ability to connect with others. And yet, the browser is cast in the image of an infovore — and not a social being. Thus the potential to retool the browser as a social agent is huge, and remains largely unexplored territory, especially as we are spending more of our computing time in this application.

As the nexus of all of our online activities the browser is uniquely positioned to provide convenient and consistent access to friends, contacts, documents, and media across networks. And as an extension of man, the social agent is a fulcrum of user-centric computing — turning the individual into the point of integration by rejecting the current rash of fragmented service-centric identities. As far as the individual is concerned, it should be a choice whether one decides to fragment his identity into a thousand partial profiles strewn across the web, rather than a mandate.

From Mozilla’s perspective, the social agent offers dignity to the individual and brings balance to a chaotic ecosystem.

Just as Firefox has brought choice and innovation to a once-monopolistic browser market, the next generation browser must bring choice to the rapidly centralizing world of social networks. To achieve this, we need more than just another social network; we need a vision of the social web that is built on upon technological interoperability that fosters agency for the citizen of the web.

As my contribution to the Mozilla Concept Series on Identity, this series will explore the following hypotheses:

• that people’s experience on the web would be enhanced if the browser offered more compelling, integrated social functionality
• that the browser can be made social, becoming a personal, social agent
• that a social agent can minimize the overhead of participating in the social web and maximize the benefits
• that the architecture of identity in the browser is critical to achieving simplicity and clarifying the experience of social networking
• that a social agent should simplify and reduce the work necessary of web developers to create secure, compelling social applications
• that social functionality must be built into the browser in order to spread the benefits of the social web as wide as possible
• that establishing trust is essential to growing the social web, and that trust can be earned by putting the individual, rather than services, at the center of the personal social web experience

This series of posts will sketch out a vision for the future of social computing, and is intended to provoke discussion, critique, and alternative proposals. In my mockups, I depict three new flows that adding three new verbs (connect, follow, and share) could bring to the browser. Subsequent posts will tackle each of these topics in turn:

• Connect: acting as your social agent, the browser becomes an extension of yourself, making it easier and more secure to participate in the social web
• Follow: as a replacement for the antiquated notion of “subscribing”, “following” becomes the general way to track the activities or feeds associated with a people, brands, celebrities, or social objects.
• Share: as the fundamental activity of the social web, sharing media, content, and information is integrated into the browser and enhanced through making available social connections and publishing services

I’ve been thinking about how we make OpenID both easier and sexier for quite a while now. As frustrating as the answer may be to technologists, the problem is not necessarily one that can be solved with more technology. Instead, at some point, you have to move beyond the original constituents of a solution and start to package up the thing in a way that is less alienating, and less “insider baseball”.

“OpenID Connect”, therefore, is what I’m starting to use in casual conversation as my answer to Twitter and Facebook Connect.

It’s really creative, I know. That’s why they pay me the big bucks.

Seriously though, from a marketing perspective — it’s what I want the OpenID Foundation (and our new board) to offer the world in 2010. Essentially I think it’s time we ditched the “Open Stack” concept and put something out there that can stand up in conversation alongside the likes of Facebook Connect, in all its rich and specific expressiveness.

At some point, I want OpenID Connect to be what Facebook and Google and others implement that becomes the interoperable identity interchange protocol for the social web. But we’re not quite there yet, though all the technology is on the verge of being… ready.

Speaking of, from a technical perspective — I’m really just talking about repackaging OpenID as a profile of OAuth WRAP (credit: Recordon). It would provide relying parties with profile data, relationships, access to content, and activity streams — based on Recordon’s anatomy of connect.

Unlike the current incarnation, it would work in real-time, distributed systems, on the desktop as well as in mobile devices. Huzzah!

We’re not even that far away from such a solution. Since OpenID really just bootstraps identity — we need a way to provide relying parties with all the other stuff they’ve come to expect from the Twitter and Facebook Connect APIs… and that’s where the “connect” in “OpenID Connect” comes in.

So, to summarize:

• for the non-tech, uninitiated audiences: OpenID Connect is a technology that lets you use an account that you already have to sign up, sign in, and bring your profile, contacts, data, and activities with you to any compatible site on the web.
• for techies: OpenID Connect is OpenID rewritten on top of OAuth WRAP using service discovery to advertise Portable Contacts, Activity Streams, and any other well known API endpoints, and a means to automatically bootstrap consumer registration and token issuance.

While you could chalk up the effect of the video to clever editing, I’ve seen similar videos that suggest that the attitudes expressed are probably a pretty accurate portrayal of how some people think (and, for the purposes of this essay, I’m less interested in what they think).

It seems to me that the people in the video largely think with their guts, and not their brains. I’m not making a judgment about their intelligence, only recognizing that they seem to evaluate the world from a different perspective than I do: with less curiosity and apparent skepticism. This approach would explain George W Bush’s appeal as someone who “lead from the gut“. It’s probably also what Al Gore was talking about in his book, Assault on Reason.

Many in my discipline (design) tend to think of the consumers of their products as being rational, thinking beings — not unlike themselves. This seems worse when it comes to engineers and developers, who spend all of their thinking time being mathematically circumspect in their heads. They exhibit a kind of pattern blindness to the notion that some people act completely from gut instinct alone, rarely invoking their higher faculties.

How, then, does this dichotomy impact the utility or usability of products and services, especially those borne of technological innovation, given that designers and engineers tend to work with “information in the mind” while many of the users of their products operate purely on the visceral plane?

In writing about the death of the URL, I wanted to expose some consequences of this division. While the intellectually adventuresome are happy to embrace or create technology to expand and challenge their minds (the popularity and vastness of the web a testament to that fact), anti-intellectuals seem to encounter technology as though it were a form of mysticism. In contrast to the technocratic class, anti-intellectuals on the whole seem less curious about how the technology works, so long as it does. Moreover, for technology to work “well” (or be perceived to work well) it needs to be responsive, quick, and for the most part, completely invisible. A common sentiment I hear is that the less technology intrudes on their lives, the better and happier they believe themselves to be.

So, back to the death of the URL. As has been argued, the URL is ugly, confusing, and opaque. It feels technical and dangerous. And people just don’t get them. This is a sharp edge of the web that seems to demand being sanded off — because the less the inner workings of a technology are exposed in one’s interactions with it, the easier and more pleasurable it will be to operate, within certain limitations, of course. Thus to naively enjoy the web, one needn’t understand servers, DNS, ports, or hypertext — one should just “connect”, pick from a list of known, popular, “destinations”, and then point, click — point, click.

And what’s so wrong with that?

What I find interesting about the social web is not the technology that enables it, but that it bypasses our “central processor” and engages the gut. The single greatest thing about the social web is how it has forced people to overcome their technophobias in order to connect with other humans. I mean, prior to the rise of AOL, being online was something that only nerds did. Few innovations in the past have spread so quickly and irreversibly, and it’s because the benefits of the social web extend beyond the rational mind, and activate our common ancestors’ legacy brain. This widens the potential number of people who can benefit from the technology because rationality is not a requirement for use.

Insomuch as humans have cultivated a sophisticated sociality over millennia, the act of socializing itself largely takes place in the “gut”. That’s not to say that there aren’t higher order cognitive faculties involved in “being social”, but when you interact with someone, especially for the first time, no matter what your brain says, you still rely a great deal on what your gut “tells you” — and that’s not a bad thing. However, when it comes to socializing on sites like Twitter and Facebook, we’re necessarily engaging more of our prefrontal cortex to interpret our experience because digital environments lack the circumstantial information that our senses use to inform our behavior. To make up for the lack of sensory information, we tend to scan pages all at once, rather than read every word from top to bottom, looking for cues or familiar handholds that will guide us forward. Facebook (by name and design) uses the familiarity of our friends’ faces to help us navigate and cope with what is otherwise typically an information-poor environment that we are ill-equipped to evaluate on our own (hence the success of social engineering schemes and phishing).

As we redesign more of our technologies to provide social functionality, we should not proceed with mistaken assumption that users of social technologies are rational, thinking, deliberative actors. Nor should we be under the illusion that those who use these features will care more about neat tricks that add social functionality than the socialization experience itself. That is, technology that shrinks the perceived distance between one person’s gut and another’s and simply gets out of the way, wins. If critical thinking or evaluation is required in order to take advantage of social functionality, the experience will feel, and thus be perceived, as being frustrating and obtuse, leading to avoidance or disuse.

Given this, no where is the recognition of the gut more important than in the design and execution of identity technologies. And this, ultimately, is why I’m writing this essay.

It might seems strange (or somewhat obsessive), but as I watched the Sarah Palin video above, I thought about how I would talk to these people about OpenID. No doubt we would use very different words to describe the same things — and I bet their mental model of the web, Facebook, Yahoo, and Google would differ greatly from mine — but we would find common goals or use cases that would unite us. For example, I’m sure that they keep in touch with their friends and family online. Or they discover or share information — again, even if they do it differently than me or my friends do. Though we may engage with the world very differently — at root we both begin with some kind of conception of our “self” that we “extend” into the network when we go online and connect with other people.

The foundation of those connections is what I’m interested in, and why I think designing for the gut is something that technocrats must consider carefully. Specifically, when I read posts like Jesse Stay’s concept of a future without a login button, or evaluate the mockups for an “active identity client” based on information cards or consider Aza and Alex’s sketches for what identity in the browser could look like, I try to involve my gut in that “thought” process.

Now, I’m not just talking about intuition (though that’s a part of it). I’m talking about why some people feel “safer” experiencing the web with companies like Google or Facebook or Yahoo! at their side, or how frightening the web must seem when everyone seems to need you to keep a secret with them in order to do business (i.e. create a password).

I think the web must seem incredibly scary if you’re also one of those people that’s had a virus destroy your files, or use a computer that’s still infected and runs really slow. For people with that kind of experience as the norm, computers must seem untrustworthy or suspicious. Rationally you could try to explain to them what happened, or how the social web can be safe, but their “gut has already been made up.” It’s not a rational perception that they have of computers, it’s an instinctual one — and one that is not soon overcome.

Thus, when it comes to designing identity technologies, it’s very important that we involve the gut as a constituent of our work. Overloading the log in or registration experience with choice is an engineer’s solution that I’ve come to accept is bound to fail. Instead, the act of selecting an identity to “perform as” must happen early in one’s online session — at a point in time equivalent to waking up in the morning and deciding whether to wear sweatpants or a suit and tie depending on whatever is planned for the rest of the day.

Such an approach is a closer approximation to how people conduct themselves today — in the real world and from the gut — and must inform the next generation of social technologies.

At one point in our discussion, I suggested that an HTML tag for a person might make sense — with the ability to include a person’s face or list of friends — without the need for services like Facebook or Twitter. This idea was inspired by Mark Pilgrim’s retelling of the origin story of the <img> tag and conversations I’ve had recently with Michael Hanson of Mozilla (who wrote up a concept for supporting WebFinger in the browser after discussions at IIW).

Our conversation goes on around 15 minutes but does a decent job of capturing my current thinking on the social web.

I’d also like to point out that an OpenWebCampHelsinki is happening this weekend, in case anyone happens to be passing through Finland!