37 Signals’ next app Highrise will support OpenID


I got an email today from 37 Signals about their forthcoming CRM tool called Highrise (formerly known as Sunrise). Curious to see where the project was at, I went and snooped around, trying out some common beta URLs to see if I could get a sneak peek… (naughty naughty) and, finding nothing, it dawned on me that Jason Fried was probably using his standard domain prefix for his account… just as he’s done with the Backpack reviews.

Sure enough, there was a welcome page at jf.highrisehq.com but what else did I discover? None other than a link to “Login with OpenID”. I tried logging in and it went through all the proper steps — so it does look like this is a functioning feature.

So it appears that the 37 Signals guys have finally drunk the Kool-Aid and will be supporting OpenID… I asked for this a while ago but now, with DHH on the case and writing code, it seems that it’s actually going to happen.

And I couldn’t be more excited about it. Finally, one login for all my Basecamps, Backpacks, Campfires, Tada Lists… and now, Highrise. This is exactly the way it’s supposed to work.

WordPress.com adds support for OpenID

Trust this site with your identity? -- WordPress.com

I think I might have jumped the gun on this one. Ok, I did. It seems that for now, WordPress.com is only an identity provider and not a consumer, meaning that you can use your WordPress.com blog address as an OpenID but you can’t yet log into WordPress.com with your OpenID. My bad.

In talking to Matt last Friday at the Adaptive Path party, I asked him when OpenID was coming to WordPress.com — the hosted blogging service — and he replied “Monday”.

Well, a day late but hardly a dollar short, WordPress.com has added bi-directional support for OpenID.

What this means is that you can both sign in to WordPress.com using your existing OpenIDs (making WordPress.com a “consumer”) as well as use your WordPress.com URL (for example, https://factoryjoe.wordpress.com) as an OpenID elsewhere, making WordPress.com an iDP or “identity provider”.

The FAQ entry is pretty descriptive and I’d recommend you take a look at it. WordPress.com now joins a growing array of service providers offering support for this grassroots-driven authentication protocol.

No word on when OpenID will hit the core of the WordPress project, but there are already two great efforts driven first by Alan Castonguay and more recently Will Norris — which point to a positive future between the two open source initiatives.

OpenID creates a foundation as Microsoft pledges support

You can read it around the web, but, hot on the heels of the creation of the OpenID Foundation, the news from the RSA Security conference is that Bill Gates has announced Microsoft’s intention to support OpenID 2.0.

Scott Kveton, our advisor at JanRain, has a summary and text of the announcement:

Microsoft to Work With the OpenID Community, Collaborating With JanRain, Sxip, and VeriSign

JanRain, Microsoft, Sxip, and VeriSign will collaborate on interoperability between OpenID and Windows CardSpace™ to make the Internet safer and easier to use. Specifically:

As part of OpenID’s security architecture, OpenID will be extended to allow relying parties to explicitly request and be informed of the use of phishing-resistant credentials.

Microsoft recognizes the growth of the OpenID community and believes OpenID plays a significant role in the Internet identity infrastructure. Kim Cameron, Chief Architect of Identity at Microsoft, will work with the OpenID community on authentication and anti-phishing.

JanRain, Sxip, and VeriSign recognize that Information Cards provide significant anti-phishing, privacy, and convenience benefits to users. Information Cards, based on the open WS-Trust standard, are available through Windows CardSpace™.

JanRain and Sxip, leading providers of open source code libraries for blogging and web sites, are announcing they will add support for the Information Cards to their OpenID code bases.

JanRain, Sxip and VeriSign plan to add Information Card support to future identity solutions.

Microsoft plans to support OpenID in future Identity server products.

The four companies have agreed to work together on a “Using Information Cards with OpenID” profile that will make it possible for other developers and service providers to take advantage of these technology advancements.

There’s no shortage of coverage, so I’ll just give you a rundown of the players involved: Kim Cameron of Microsoft, Dick Hardt of SXIP, Michael Grave and David Recordon of VeriSign, Johannes Ernst of Netmesh, and Brad Fitzpatrick of LiveJournal.

What this means will be seen over time, but it does mean that a major player has shown their support for the protocol and for the community, making way for other, more reluctant parties, to step up and enter the arena.

It also means that Microsoft will be answering a major question about interface for the OpenID effort with their CardSpace work — and, if that work complies with their Open Specifications Promise, it will be advancing the anti-phishing efforts of the OpenID community years forward by bringing to the table a deployed, open specification for handling authentication in the browser.

While there will certainly be much work to be done to offer choice, this seems like a great opportunity to accelerate the user-centric identity efforts that have recently come to fruition.

Making more sense of Flickr’s Ides of March

Yesterday I wrote a post that was admittedly vague and rambling. I definitely did not “go home” before I wrote it, so I’d like to correct that, and try to make my meaning clearer (and by “go home”, I’m using speaker trainer Lura Dolas’ concept of being grounded and authentic before opening your mouth to say something).

So, if I were to rewrite my post, I might say something like this:

The account merger for Yahoo! and Flickr accounts on March 15 (the Ides of March) should not come as a surprise; indeed, we’ve known that it was coming for a long time.

What the deadline represents to different Flickr members is personal and unique; there is very little generalization that can be made of the event, except that the reactions vary greatly along a spectrum from utter indifference to downright anger and resentment.

What Flickr members are experiencing is consistent with what any passionate community experiences when something that represents the core of their experience is disturbed. Whether logical or not, it’s kind of like repotting a plant — the more sensitive to the environment, the more the transplant can be debilitating, destabilizing and disorienting. There’s no rhyme or reason per se, but the individual shock can be a challenge to overcome.

Anecdotally, my personal experience was rather blasé. Previously, I had maintained a “self-perceived independence” by not succumbing to the demands of the Yahoo! conglomerate and merging my account. Indeed, every time I signed in via the “old skool login”, I got a rush of silent pride that I was still free, having avoided “following the sheep”.

My resistance somehow guaranteed that I still had ultimate control over my destiny — and that no corporate monolith could tell me what to do — especially as long as I had trusted friends on the inside advocating for my right to free choice and free association.

But that was a temporary illusion that I knew in the back of my mind would someday end.

And yesterday, the jig was up, the mirage evaporating in the form of a FlickrMail: the embodiment of Flickr’s final transformation from a renegade underdog that busted convention and ran roughshod over a corporate hegemon to become yet another cog in the machine.

Or so the self-serving mythology goes.

In reality, I’m not so sure that all that much has changed, really. I am inclined not to make any final pronouncements about Flickr, Yahoo! or whatever else. Hell, I switched over my account, and it wasn’t that bad. Innocence lost, yadda yadda, the world carries on.

Now, the part that I want to take a moment to reflect on, which I also alluded to in the last two paragraphs of yesterday’s post (and is somewhat carried on here), is the part about managing, owning and making choices that affect the destiny of the identity (or identities) that one has spent time creating and cultivating online.

I would posit that the fear or fear-driven reactions that a lot of people have expressed or experienced in the past two days can be traced to this particular nugget of thinking.

What we lack online today is the equivalent of what we call human rights in the offline world. As it stands, Terms of Service are written foremost in the interest and protection of the Corporation. Thus individuals have little transformative recourse when things go wrong, for the vocal are but few among millions.

As such, minority holdouts are left feeling particularly vulnerable and exposed. Especially in the case of Flickr, where people have developed visceral and almost human connections through the service, anything that threatens their “dominion” is an invasion that provokes an immune response by what I’d call the “proverbial community anti-bodies”, for better or worse.

In this case, Yahoo! — as the larger organism eclipsing the smaller — is perceived as effectively infusing its memetic DNA into the cultural neurology of the lesser system and without effective recourse to prevent this kind of “digital “, the anti-bodies lash out in response to the invading foreign agents, as you would expect in any system.

This dance is natural, is normal, and a simple part of biological and social evolution. In the scheme of things, I think the reaction of the minority does make sense here, even if it ultimately doesn’t matter that much. Given the current architecture of social networks, where your existence and environment is at the whim, pleasure and financial health of the network owner (let’s call her “God”), these kinds of decisions will continue to elicit strong social responses when God acts like… well… God.

Asides (lightly scrambled)

I do wonder, then, if this kind of personal exasperation would more quickly lead to the creation of “articles of digital personhood” or a collective “bill of digital human rights”. Or if, instead, it might drive the furtherance of independent identity services that promise to restore dominion over one’s online personas.

On a larger scale, will these experiences lead to the recognition of our digital selves as rights-wielding extensions of ourselves? Were there a “Digital Civil Liberties Union”, would those with grievances turn to such a centralized body for redress? Or, rather than unionizing power, would they prefer to simply come and go as they pleased, as one does when she moves from one house to another, taking all her possessions and friendships with her but leaving the structure behind, and letting the market woo and serve her by playing to her desires and free will to choose?


Baiting the mousetrap with chunky peanut butter

Flickr peanut butter
Original by starpause kid and shared under a Creative Commons License.

When it comes to mousetraps, it’s fairly common knowledge that an effective cheese alternative for trapping mice is peanut butter.

However, we already know that Yahoo isn’t too fond of peanut butter. At least the smooth kind spread thin.

So it’s interesting to note that, perhaps as part of the strategy to outlaw renegade peanut butter within the organization, the formerly independent outpost known as Flickr will be forcing users to either merge or create a new Yahoo account to log in after March 15:

On March 15th, 2007 we’ll be discontinuing the old email-based Flickr sign in system. From that point on, everyone will have to use a Yahoo! ID to sign in to Flickr.

We’re making this change now to simplify the sign in process in advance of several large projects launching this year, but some Flickr features and tools already require Yahoo! IDs for sign in — like the mobile site at m.flickr.com or the new Yahoo! Go program for mobiles, available at http://go.yahoo.com.

If you still sign in using the email-based Flickr system (here), you can make the switch at any time in the next few months, from today till the 15th. (After that day, you’ll be required to merge before you continue using your account.) To switch, start at this page: http://flickr.com/account/associate/

Complete details and answers to most common questions are available here: http://flickr.com/help/signin/

If you have questions or comments about signing in with a Yahoo! ID, speak up!

You can imagine that not everyone is happy about this, especially after the reaction the first time around:
Jimbo doesn't like it

Now, I’m not interested in opening old wounds. The Flickr folks have given plenty of notice about the coming changes (figure at least a month and a half if not the full 18 months since they were acquired) and of course are available for consolation, hand-holding and so forth.

Oh, and contrary to my tendency towards conspiracy theories, I’ll let Stewart debunk them outright:

And that’s it: there’s no secret agenda here, no desire to come to your homes and steal your TV. Over time, it just gets more expensive to maintain independent means of authentication and we could “spend” those efforts on other things which make Flickr more useful, more fun, more versatile, etc. And the smaller the ratio of old skool to Y!ID-based gets, the harder it is to justify not spending that effort on improvements.

I will, however, take this opportunity to rise up on my soapbox again and point out something worth reflecting on…

Look, Google’s already done the same thing with Dodgeball; it’s a sure bet that they’re going to do the same thing with their YouTube acquisition. We know that Yahoo logins are going to show up on MyBlogLog and eventually, probably Upcoming too — and, for that matter, any other user-centered acquisition that comes down the pipe. Microsoft is no different. Let’s face it: the future of the web is in identity-based services. And this is a good thing, if you’re ready for it.

My buddies Brian Oberkirch and Aldo Castañeda talked about the potential for this new economy recently. It’s coming and it’s scary (for some) and it’s unclear what it looks like. But the more that this happens under authoritarian login regimes, the more concern I feel for the effect these consolidation efforts will have on true democratic choice in where and how you spend your attention.

Realistically, it’s not terribly surprising that Yahoo! and the rest are going this direction. Hell, from a systems perspective, you’re just two entries in a grand database in the sky whereas you could be one. From a service perspective, unifying “you” across systems allows convenience and synergies to emerge. The problem is that these actions belie the sophisticated relationships that some people have with their online accounts and how their personas are represented. Though not everyone cares a whole lot about their screennames, others absolutely do. And beyond that, for whatever reasons they have, some people simply do not want to go near Yahoo! — something they never thought would be a concern of theirs when they originally joined Flickr.

But there’s a curious reality to look at here.

While I call Flickr home (NIPSA’d and all), just as there is a vehicle to vent my individual frustrations to Flickr, those same vehicles and mechanisms are available to me to splinter off and build my own peanut-butter-rich outpost anew. The missing piece of the puzzle, however, is my identity. I can’t just pack up my digital self and move on… whichever login system Flickr uses — Yahoo’s, Google’s, their own — I can’t “take it with me”. Even with their API, which is one of the most generous in the biz, it still doesn’t give me the ability to fully reincarnate myself somewhere else.

Now, I could and would like to turn this into a pitch for OpenID, but I won’t, at least directly. The Yahoo! folks have already expressed their distaste for creating Just Another Identity Silo and I keep waiting for them to prove it. I don’t mind waiting a bit longer. The wheels of the OpenID community are already in motion and I don’t have to plead for acknowledgment from the powers that be. The truth is, there are only a few more sites that will fall. The truth is, we are only now beginning to realize the degree to which we are all exposed and what the reality of our transparent society looks like. And the truth is, we are only just beginning to wake up to the idea that we should and can have dominion over our online lives, just as we believe is our right offline.

Another reason to reconsider your password approach

According to Finjan Inc., Google’s anti-phishing blacklist (used, for example, in their Firefox extension) apparently contained various phished usernames and passwords, suggesting that you really should not use the same username and password combination across the web.

Interestingly, OpenID would have, to some degree, mitigated this breach by moving the username and password combo off by one step, so at worst, the only credentials compromised would have been the publicly known identity provider URL.

I’ll be posting more about the topic soon, but I think that, in this particular case, the OpenID model would have been slightly more secure in concealing the high value information (namely your username and password credentials), and, better still, in the case of a breach, if you still had access to your account, you’d be able to change your password once and reduce the vulnerability of the remote sites that you use your OpenID to log in to.

And, note that I’m not talking about the serious matter of spoofing your OpenID provider… in which case OpenID is no better than any other phishable site.

Sticking eyeballs with toothpicks; or Yahoo buys MyBlogLog

Another sign that Yahoo thinks it can buy its way to the hearts and eyeballs of the netigentsia comes today, as Yahoo buys stalkerati tool MyBlogLog. We already knew that this was coming, but we’ve finally confirmed it.

Ok, so that’s all good and well — I’m impressed at how quickly this thing grew and then got snarfed up (in fact, I was checking out its impressive traffic today) — but what concerns me is that this kind of purchase underscores my thesis about Google’s Identity Mousetrap, but this time in the Yahoo neighborhood. Interestingly, in conversations with my Yahoo friends, they’ve said that their BBAuth system should have been reconsidered given the advances of OpenID… and yet, “Bradley Horowitz, vice president of product strategy at Yahoo, said Mybloglog will likely remain branded as a separate entity, but Yahoo users will be able to register on it with their Yahoo password. The reader communities will soon be able to access Yahoo services, like the Flickr photo site or the Yahoo Answers information service, to their groups.” (emphasis mine)

Ok, well, that’s business.

But, the language Horowitz continues to use also seems to threaten Technorati: “This closes the loop between readers and publishers,” he said. “Every publisher wants to know his readers, and the readers want to find out about each other. It’s the power of implicit networking.”

Which, if you’re a blogger and watch your Technorati stats, you can see that there are interesting parallels here.

Rafer continues: “The biggest thing in blog search is ego search – my name, the web sites I love,” says Rafer, who will work for Horowitz, promoting his service to Yahoo’s many properties. “People search Google and Wikipedia for information; with blogs, people look for cool things and serendipity.”

So what’s curious (that I don’t have much insight on) is what this means for Technorati, who now supports OpenID, both as a provider and consumer, and Yahoo, who seems interested in the 33,000 MyBlogLog users and getting them to switch to Yahoo logins, but who doesn’t yet have its own blog search to cater to that audience. I mean, it makes sense, it’s just a bit… odd. Is it really worth $10M?

ZDNet calls 2007 the year of URL-based identity

In its 2007 predictions, Identity World suggests that URL-based identities will take the alpha geek world by storm. I couldn’t agree more:

URL-based identity begins a cycle of real adoption in the blogosphere and alpha geek communities.

URL-based identity overcame many technical and interoperability hurdles in 2006, and got key buy-in from developing communities. 2007 will see the early incarnations of this technology begin a cycle of significant and real adoption in the blogosphere and alpha geek worlds.

I’ve started collecting resources on OpenID over on Ma.gnolia and imagine that in a year’s time, these sources will tell the story of how OpenID, like Firefox, rose from the shadows of former monolithic and proprietary endeavors to become the preferred and predominant open source, decentralized solution for representing oneself on the web. Truly there’s much work to be done and that’s what makes it so exciting and worthwhile — it’s young enough and simple enough to still reflect the needs of the individuals whom it serves.

I’ll be writing about this more soon I hope, but I think Identity World has done a good job with their predictions. Now if only ZDNet would follow the advice of their own sages!

Searching for the Noah’s Ark of Syndicated Content

Original © copyright 2003, University of Delaware College of Marine Studies.

Filed under “thank god I’m not alone in this”.

Khoi Vinh recently posted on a topic that I very strongly relate to… “So Many Blog Posts, So Little Time”:

The problem is there’s so much great, engrossing net activity and blogging going on, and I have so little free time. When I do find myself with a spare moment, I’m struggling just to keep this blog up-to-date, leaving me very little time to just surf. The net effect is that I just can’t keep up with what everyone’s saying, except in fits and spurts. So, when talking to folks whom I consider to be good friends, I’m perpetually embarrassed by my shallow knowledge of exactly what they’ve been up to.

Phew. Well, at least I know I’m not alone — and Tara’s feeling this too. Running a business, having a flooded inbox, dealing with being a human, all that stuff, well, it makes you wonder what’s going to happen when the long tail starts experiencing this problem and revolts by abandoning social networks in droves, unable to keep up with the steady stream of service notifications. I mean, feeds help — but only at literally aggregating content… they do nothing to actually provide you more attention or brain power to consume or make sense of the content.

Meanwhile, Matt over at SvN4 lays out a couple possible solutions to what he calls “The RSS avalanche”, proposing four different filtering solutions:

I’d add three more options:

But still, these are only mechanisms for paring down the content available to you to consume. How do you still pick from these filters the things that are worth revisiting, bookmarking, taking time to consider, or even to respond to, in the comments or on your own blog?

What will the solutions look like for non-tech savvy audiences? Or just folks who increasingly don’t have the time to fiddle around with setting up these filters? Is this not suggesting an inevitable return to the travel agent model? Wouldn’t you like an information-travel-agent to pick out the most interesting content, customized for just you? Who you can trust not to let anything slip by? I don’t think that robots or community filters can play this role, though they can help.

So I have a confession to make. I’m only subscribed to 15 feeds right now. Total. And with email, I still can’t keep up. So what are you doing about the coming deluge? Have you discovered the Noah’s Ark of Syndicated Content? And if so, why haven’t you shared it yet?!

Technorati becomes an OpenID iDP

iDP you ask? Well, that’s the new acronym you need to familiarize yourself with… it stands for “iDentity Provider” and in the world of OpenID, is akin to a credit card provider like MasterCard or Visa — since they provide you with a card and a network that accepts their plastic. Of course, Technorati was already a consumer, allowing you to claim your blogs… and now you can use your Technorati profile URL to log in at other OpenID enabled sites, like Ma.gnolia.