Posts

Showing posts from 2007

Singularity to Launch from Adult Chat Room

You heard it here first.  Based on this story about a chatbot passing the Turing Test, clearly the Vingean Singularity is just around the corner.  CyberLover will acquire self-awareness soon after the Russian identity thieves deploy it on existing Russian botnets.  Transcendence, and a technological singularity, is just a short hop and a jump from that point.  Have fun chatting!


OAuth 1.0 Core Released!

December 4, 2007 – The OAuth Working Group is pleased to announce publication of the OAuth Core 1.0 Specification. OAuth (pronounced "Oh-Auth"), summarized as "your valet key for the web," enables developers of web-enabled software to integrate with web services on behalf of a user without requiring the user to share private credentials, such as passwords, between sites. The specification can be found at http://oauth.net/core/1.0 and supporting resources can be found at http://oauth.net.

IIW2007b Updates

First session set up by Terrell of ClaimID: Open Life Bits, some interesting discussion about how to control one's own data and deal with data about one's self.  The distinction is interesting and useful; every transaction that involves a second party potentially generates data about you controlled by that party, but you do want to be able to deal with that data, correct inaccuracies, etc.  Notes here.

Next session, Joseph Smarr of Plaxo, OpenID user experience.  Good walkthrough of UI issues.  Note that with directed identity in OpenID 2.0, you can simply ask to log in a user given their service.  Notes here.  Using an email address is a possibility as well; clicking on a recognizable icon (AIM) to kick off an authentication process is probably the most usable path right now.

Session: OAuth Extensions; notes here

Session: OAuth + OpenID.  Use case:  I have an AOL OpenID.  I go to Plaxo and am offered to (1) create an account using my AOL OpenID and (2) pull in my AOL addressbook, …

Internet Identity Workshop 2007b

I'll be at IIW next week, talking about Blogger, OpenID, OAuth, OpenSocial, and anything else that seems interesting.  I'm anticipating a great event.

OpenID Commenting for Blogger!

We've just enabled OpenID signed comments for Blogger in Draft. There are a few rough edges still (which is why you have to enable it for your blog by going to draft.blogger.com), so we're looking for feedback. We're also working on enabling Blogger as an OpenID Provider, meaning that you can use your blog URL to identify yourself on other services.

What's particularly fun about this is that it's been a very collaborative project, bringing together Blogger engineers, 20% time from a couple of non-Blogger engineers, and last but not least some of the fine open source libraries provided by the OpenID community. Thanks all!


Essential Atom and AtomPub in 30 seconds

Atom is this: You have a bunch of things, or sometimes just one thing.  They always have unique ids, they have timestamps, and tell you who created/is responsible for them.  Oh yeah, if you can, please provide a short snippet of text describing each thing.

AtomPub is how to discover, create, delete, and edit those things.

Everything else is optional and/or extensions.


OpenSocial Ecosystem

OpenSocial has been... extensively covered in just about all media over the past few days.  The official site is up, and the video from the Campfire 1 announcement as well.

Obviously this is just a first step.  We're all trying to build a self-sustaining ecosystem, and right now we're bootstrapping.  It's a bit like terraforming:  We just launched the equivalent of space ships carrying algae :).

A key next step is making it easy to create social app containers.  It's not hard to build a web page that can contain Gadgets, though it could be easier.  Adding the social APIs, the personal data stores, social identity, and authentication and authorization makes things a lot more complex.  This is the part I'm working on, along with a lot of other people.  It's a problem space I've been working in for a while on the side.  Now it's time to achieve 'rough consensus and running code.'


Blogger #1 "Social Networking" Site Worldwide

The folks over at Windows Live Spaces just crunched some ComScore worldwide numbers.  Their headline was "Windows Live Spaces at a Crossroads", but I think my headline fits their graphs better.

According to them, Blogger did 140,000,000 worldwide unique visitors in September, and has been on a tear since June.  Nice!  And to all those Blogger users, thank you!

Of course, whether Blogger is a "Social Networking" site depends on your definitions; Dare wants to disqualify the front runner.  Me? I think 140 million people can speak for themselves.


Fireblog

The San Diego Union-Tribune has been posting wildfire-related updates in real time to a site, http://fireblog.signonsandiego.com/, but their servers melted under the load, so they moved over to Blogger yesterday, and have been up and running and helping people out since last night. It was great to be able to tell them that load isn't a problem for us :).


A Four Year Mission... to Boldly Go Where No Protocol has Gone Before

Today's message from the IETF:

The Atom Publishing Format and Protocol WG (atompub) in the Application Area has concluded.

...

The AtomPub WG was chartered to work on two items: the syndication format in RFC4287, and the publishing protocol in RFC5023. Implementations of these specs have been shown to work together and interoperate well to support publishing and syndication of text content and media resources.

Since both documents are now Proposed Standards, the WG has completed its charter and therefore closes as a WG. A mailing list will remain open for further discussion.

Congratulations and thanks to the chairs Tim Bray and Paul Hoffman, to the editors of the two WG RFCs (Mark Nottingham, Robert Sayre, Bill de Hora and Joe Gregorio), and to the many contributors and implementors.


Widget Summit

I'm headed to the Widget Summit tomorrow; let me know if you're going on Monday and want to sync up.  (Unsure whether I can make Tuesday or not yet.) 


OAuth: Your valet key for the Web

Just published at http://oauth.net/documentation/spec:  Draft 1 of the OAuth specification.  As my day job allows, I've been contributing to the OAuth working group.  We'd love feedback.

What is it?

OAuth is like a valet key for all your web services.  A valet key lets you give a valet the ability to park your car, but not the ability to get into the trunk or drive more than 2 miles or redline the RPMs on your high end German automobile.  In the same way, an OAuth key lets you give a web agent the ability to check your web mail but NOT the ability to pretend to be you and send mail to everybody in your address book.

Today, basically there are two ways to let a web agent check your mail.  You give it your username and password, or it uses a variety of special-purpose proprietary APIs like AuthSub, BBAuth, OpenAuth, Flickr Auth, etc. to send you over to the web mail site and get your permission, then come back.  Except that since mostly they don't implement the proprietary APIs…

"We have lost control of the apparatus" -- Raganwald

Yet another great post from Raganwald: We have lost control of the apparatus.

Our users are being exposed to applications we don’t control. And it messes things up. You see, the users get exposed to other ways of doing things, ways that are more convenient for users, ways that make them more productive, and they incorrectly think we ought to do things that way for them.

I sure hope this part is true:

You would think things couldn’t get any worse. But they are worse, much worse. I’ll just say one word. Google. Those bastards are practically the home page of the Internet. Which means, to a close approximation, they are the most popular application in the world.

And what have they taught our users? Full-text search wins. Please, don’t lecture me, we had this discussion way back when we talked about fields. Users know how to use Google. If you give them a search page with a field for searching the account number and a field for searching the SSN and a field for searching the zip code and a field for searching …

Do you trust your friends with your URLs?

"Facebook's data feed a data leak?" over at Lawgarithms:

Please correct me if I’m wrong about this; I want to be wrong about this. Or I want to learn that Facebook has already considered and dealt with the issue and it’s just not readily apparent to me. But I’m thinking that Facebook’s feeds for Status Updates, Notes, and Posted Items must in many instances be at odds with privacy settings that attempt to limit users’ Facebook activities to “friends only” (or are even more restrictive).

Denise is both right and wrong.  The basic issue is that once you give out a feed URL (which is not guessable) to a friend, they can then give it out to their friends and their friends... ad infinitum.  These people can then get your ongoing updates, without you explicitly adding them.

Of course, this requires your friends to breach the trust you placed in them to guard your bits.  Notice that even without feeds, your friends can easily copy and paste your bits and send them on manually.  It's a …

RESTful partial updates: PATCH+Ranges

Over the past couple of months, there's been a lot of discussion about the problem of partial updates in REST-over-HTTP [1][2][3][4][5].  The problem is harder than it appears at first glance.  The canonical scenario is that you've just retrieved a complicated resource, like an address book entry, and you decide you want to update just one small part, like a phone number.  The canonical way to do this is to update your representation of the resource and then PUT the whole thing back, including all of the parts you didn't change.  If you want to avoid the lost update problem, you send back the ETag you got from the GET with your PUT inside an If-Match: header, so that you know that you're not overwriting somebody else's change.

This works, but it doesn't scale well to large resources or high update rates, where "large" and "high" are relative to your budget for bandwidth and tolerance for latency.  It also means that you can't simply and safely say "…

Some thoughts on "Some Thoughts on Open Social Networks"

Dare Obasanjo:

"Content Hosted on the Site Not Viewable By the General Public and not Indexed by Search Engines:  As a user of Facebook, I consider this a feature not a bug."

Dare goes on to make some great points about situations where he's needed to put some access controls in place for some content.  I could equally make some points about situations where exposing certain content as globally as possible has opened up new opportunities and been a very positive thing for me.  After which, I think we'd both agree that it's important to be able to put users in control.

Dare: "Inability to Export My Content from the Social Network: This is something that geeks complain about ... danah boyd has pointed out in her research that many young users of social networking sites consider their profiles to be ephemeral ... For working professionals, things are a little different since they may have created content that has value outside the service (e.g. work-related blog pos…

Relationship requires identity

Nishant Kaushik:

Let's face it, relationship silos are really just extensions of identity silos.  The problem of having to create and re-create my relationships as I go from site to site mirrors my problem of having to create and re-create my identity as I go from site to site. The Facebook Platform might have one of the better Identity Provider APIs, but all the applications built on it still have to stay within Facebook itself.

Yup.  Which is the primary reason that I've been interested in identity -- it's a fundamental building block for social interactions of all kinds.  And think of what could happen if you could use the Internet as your social network as easily as you can use Facebook today.  As Scott Gilbertson at Wired discovered, it's not hard to replicate most of the functionality; it's the people who are "on" Facebook which makes it compelling.


cat Google Spreadsheets | Venus > my.feed

Sam Ruby (prompted by Alf Eaton) combines Google Spreadsheets and Venus to let people manage Venus subscription lists (or whatever) using Spreadsheets.  The lingua franca is of course CSV-over-HTTP.  Like Unix pipes running over Internet, um, pipes.

Note that this requires the data to be publicly readable on the Spreadsheets side, which is fine for this use.  A lot more uses would be enabled with a lingua franca for deputizing services to talk securely to each other.


Share your dog's name, lose your identity?

From the BBC: Web networkers 'at risk of fraud'.

Credit information group Equifax said members of sites such as MySpace, Bebo and Facebook may be putting too many details about themselves online. It said fraudsters could use these details to steal someone's identity and apply for credit and benefits.

So, to protect the credit bureau's business models, we're all supposed to try to hide every mundane detail of our lives?  The name of my dog is not a secret; if credit bureaus assume it is, they are making a mistake.

Here's the solution:  Make the credit bureaus fiscally responsible for identity theft, with penalties for failing to use good security practices.


Open Authorization, Permissions, and Socially Enabled Security

The session I proposed at Mashup Camp, Open Authentication and Authorization for Mashups, went pretty well (though I should have done more marketing).   Unfortunately none of the people on the OAuth group were at Mashup Camp, but perhaps we generated some more interest and use cases for it.

Consider a user navigating web services and granting various levels of permissions to mash-ups; a mash-up might request the right to read someone's location and write to their Twitter stream, for example.  The first time this happens, the user would be asked something like this:

The TwiLoc service is asking to do the following on an ongoing basis:
- Read your current location from AIM, and
- Create messages on your behalf in Twitter.
How does this sound?
[ ] No [ ] Yes [ ] Yes, but only for today

The user would also have a way to see what permissions they've granted, how often they've been used (ideally), and be able to revoke them at any time.

Now, of course, users will just click through and …

At Mashup Camp today and tomorrow

I'm at Mashup Camp IV today and tomorrow.  Ping me if you're around too and want to chat.


Implications of OpenID, and how it can help with phishing

Last month, Simon Willison gave a talk at Google (video, slides) which is a good intro and summary of the technical implications of OpenID.  He makes a very important point:  OpenID does outsource your security to a third party; so does sending a "forgot your password" email to an arbitrary email address.  All of the attacks that work against OpenID also work against these emails.

So the implication is that the security policies that you currently have around "forgot your password" are a good starting point for thinking about OpenID security.  Specifically phishing vulnerabilities and mitigations are likely to be similar.  However, OpenID also changes the ecosystem by introducing a standard that other solutions can build on (such as Verisign's Seat Belt plugin). 

OpenID really solves only one small problem -- proving that you own a URL.  But by solving this problem in a standard, simple, deployable way, it provides a foundation for other solutions. 

It doesn't…

Disorder, Delamination, David Weinberger

David Weinberger's presentation in Disorder: Feature or Bug? at Supernova 2007 was like watching a great rock singer deliver a passionate performance you just know is destined to be a classic.  How good was it?   The IRC channel went dead.  That's the conference equivalent of everybody waving their lighters in the air.  Um.  Well, you just had to be there.  I can't find a video.  Anybody have a bootleg?

Anyway.  David's now posted a new essay well worth reading, Delamination Now!. Also, well worth acting on.  Money quote: "[T]he carriers are playing us like a violin." 

There she blows! (The Moby Dick Theory of Big Companies)

Having spent some time in the belly of the whale[1], I can testify that the decision making process of a large company is indeed a chaotic system even when seen from the inside.  The variables that control decisions are very well hidden.

The Pmarca Guide to Startups, part 5: The Moby Dick theory of big companies

[1] In the same whale as pmarca in fact, though in a somewhat different location along the alimentary tract.


35 views of social networking

Fireworks, Social Compacts, and Emergent Order

Yesterday the family went to see the 4th of July fireworks just outside the Google campus, in Charleston park.  Great park, lots of friendly helpful people, the kid had a blast running in the water fountain, and he saw his first fireworks show.  It was great!

Then, we left (quickly, to avoid the crowds) and immediately got snarled in traffic.  Of course everyone was leaving at the same time so we expected it to be slow, but we were literally not moving for a quarter of an hour.  After a while we figured out that we couldn't move because other cars kept joining the queue ahead of us from other parking lots.  Around this time, other people started figuring this out too and started going through those same parking lots to jump ahead.  This solution to the prisoner's dilemma took about 30 minutes to really begin to cascade:  Everyone else began to drive through parking lots, under police tape, on the wrong side of the road, cutting ahead wherever they could to avoid being the sucke…

Theory P or Theory D?

Which theory fits the evidence (Raganwald):

Theory P adherents believe that there are lies, damned lies, and software development estimates. ... Theory P adherents believe that the most important element of successful software development is learning.

Maybe I'm an extreme P adherent; I say that learning is everything in software development.  The results of this learning are captured in code where possible, human minds where not.  Absolutely everything else associated with software development can and will be automated away.

Finally:

To date, Theory P is the clear winner on the evidence, and it’s not even close. Like any reasonable theory, it explains what we have observed to date and makes predictions that are tested empirically every day.

Theory D, on the other hand, is the overwhelming winner in the marketplace, and again it’s not even close. The vast majority of software development projects are managed according to Theory D, with large, heavyweight investments in design and planning in adv…

Does social software have fangs? And, can it organize itself?

Suw Charman just wrapped up a talk at Google (Scary Monsters: Does Social Software Have Fangs?) around the adoption and use of social software such as wikis and blogs within businesses.  It was a good talk and the on-the-ground experience around corporate adoption was particularly valuable for me.

Suw reported that corporate users tend to impose their existing corporate hierarchy on the flat namespace of their Wikis, which is fine but may not be exploiting the medium to its full potential.  And Wiki search tends to be at best mediocre.  Has anyone looked at leveraging user edit histories to infer page clusters?  I could imagine an autogenerated Wiki page which represented a suggested cluster, with a way for people to edit the page and add meaningful titles and annotations to help with search, which could serve as an alternative index to at least part of a site.


Identity Panel at Supernova, or How I Learned to Stop Worrying and Love User Centric Identity

The Identity Panel just wrapped up:
(John Clippinger, Kaliya Hamlin, Reid Hoffman, Marcien Jenckes, Jyri Engestrom)

As our lives increasingly straddle the physical and the virtual worlds, the management of identity becomes increasingly crucial from both a business and a social standpoint.  The future of e-commerce and digital life will require identity mechanisms that are scalable, secure, widely-adopted, user-empowering, and at least as richly textured as their offline equivalents.  This session will examine how online identity can foster relationships and deeper value creation.

It was interesting to see the reactions from the crowd and on the #supernova backchannel.  There were a lot of reactions of the form "but I want to be anonymous", though what they really mean is pseudonymous.  It's not really made clear that OpenID enables all those scenarios.  There were objections to calling things like OpenID "identity" and maybe some people think that's something of …

Will Copyright Kill Social Media? (Supernova)

(Moderator Denise Howell, Ron Dreben, Fred von Lohmann, Mary Hodder, Mark Morril, Zahavah Levine)

The promise of social networks, video sharing, and online communities goes hand-in-hand with the challenge of unauthorized use. Is social media thriving through misappropriation of the creativity of others? Or are the responses to that concern actually the greater problem?

-- Will Copyright Kill Social Media?

Everyone agreed that copyright won't kill social media, though it will shape it (that which does not kill you makes you stronger?)  Unfortunately we ran out of time before I was able to ask the following, so I'll just blog them instead.

Mark Morrill was very reasonable for the most part, but made two outrageous claims: That DRM is pro-consumer, and that we should be able to filter on upload for copyright violations.  The first claim is I think simply ridiculous, especially when the architect of the DMCA says that the DRM provisions have failed to achieve their effect and consumer…

In Which I Refute Web3S's Critiques Thusly

So the other shoe has dropped, and Yaron Goland has just given some background on Microsoft's draft Web3S protocol, while Dare comments.  Which seems at first glance kind of interesting and certainly could expand the field of REST based services in a big way.  At the same time, I'm confused by some of the stated rationales for not extending APP the way GData does.  I think there are some straightforward answers to each of the gaps he identifies:

Hierarchy

Turtles all the way down:

<entry>
    ...
    <content type="application/atom+xml">
        <feed> ... it's turtles all the way down! ... </feed>
    </content>
</entry>

Merging

I think this is orthogonal, but there's already a proposed extension to APP: Partial Updates.  Which uses (revives?) PATCH rather than inventing a new verb or overloading PUT on the same resource.  I'm neutral on the PATCH vs. POST or PUT thing, except to note that it's useful to be able to 'res…

Social Network Partition

At work we're experimenting with social networks.  It's amusing to note the non-overlap between the Orkut people and the LinkedIn people -- different purposes and different goals.  And the standard wisdom is that Myspace users graduate to Facebook as their social identity evolves.  Is this a function primarily of age?  Once the generation growing up with social networking hits their mid-20s, will they continue to network-hop or will they settle on one?  Or will they, like my office mates, sign up for all the networks any of their friends or colleagues are with?


Is the Atom Publishing Protocol the Answer?

Are Atom and APP the answer to everything?  Easy one: No.

Dare Obasanjo raised a few hackles with a provocative post (Why GData/APP Fails as a General Purpose Editing Protocol for the Web).  In a followup (GData isn't a Best Practice Implementation of the Atom Publishing Protocol) he notes that GData != APP.  DeWitt Clinton of Google follows up with a refinement of this equation to GData > APP_t where t < now in On APP and GData.

I hope this clarifies things for everybody.

There seems to be a complaint that outside of the tiny corner of the Web comprised of web pages, news stories, articles, blog posts, comments, lists of links, podcasts, online photo albums, video albums, directory listings, search results, ... Atom doesn't match some data models.  This boils down to two issues, the need to include things you don't need, and the inability of the Atom format to allow physical embedding of hierarchical data.

An atom:entry minimally needs an atom:id, either an atom:lin…

Google += Feedburner

This is a validation of how important feeds are to the Web ecosystem.  And of course I'm personally happy they're going to Google.  I think they're pretty happy too: The local weather forecast calls for general euphoria with intermittent periods of off-the-rails delight.


My God, it's full of stars!

Goodbye AOL; Hello Google!

Today is my last day at AOL.  I celebrated my binary millennial in February, and it's time to move on... to some exciting new things over at Google.  I'm going to continue to work in the community/social networking area and I plan to keep gently evangelizing user centric identity, REST, Atom, and feed technologies, among many other things.  And, yes, getting products out the door too.  It'll be fun.

I don't know yet if I'll continue using this blog; but regardless, http://abstractioneer.org will always resolve to where I'm blogging (anything can be solved with one level of indirection).  And =john.panzer will always reach me.


Iiw2007 wrap

New Journals features: Video, pictures, mobile... and Atom!

The team just added some cool features to Journals last night.  There's a new button that lets you easily add pictures from various sources: Flickr, your computer, AOL Pictures, or an arbitrary URL.  There's a video button that lets you upload a video to embed in your entry or About Me, or record directly from your webcam.  The latter uses the Userplane video recorder widget, which was a breeze to integrate with.  We're also highlighting our mobile posting feature at http://journals.aol.com, which lets you post via your cell phone (or email!) including pictures or video.  Here's a quick trick:  You can use this feature to integrate iPhoto with your blog; just choose to Share via email and put in your blog's email address.

We've also made some changes to our Atom API to bring it more into line with the draft APP standard; it's not 100% there yet but it's close and certainly usable.


At iiw2007a: Concordia (Eve Maler)

Eve draws up a diagram showing how 'bootstrapping' works in SAML/Liberty WS.  Discussion ensues with many queries about Concordia.  More questions than answers, but I think that people have a lot of related/interlocking problems that need solving.  Starting from OpenID, it sounds to me like all these cases are a subset of the "access a service on behalf of a user" use case; hopefully solving either one will help with the other.


At IIW2007

I'm at IIW right now and also hacking away on OpenAuth and Blogs.  Which does make sense since the people I need to talk to about how it should work are mostly here, with the exception of Praveen, who for some inexplicable reason prefers France.

So far so good; this curl command posts a blog entry on my Atom blog service:

curl -k -v -sS --include --location-trusted --request POST --url 'https://monotreme:4279/_atom/collection/blogssmoketester' --data @/tmp/ieRN0zhgh6 --header 'Content-Type: application/atom+xml;charset=utf-8' --header 'Authorization: OpenAuth token="%2FwEAAAAABYgbMtk4J7Zwqd8WHKjNF6fgJSYe4RhTuitkNyip%2BEru%2FY43vaGyE2fTlxKPAEkBC%2Bf5lhWg18CE2gaQtTVQy0rpillqtUVOOtrf1%2BLzE%2BNTcBuFJuLssU%2B6sc0%3D" devid="co1dDRMvlgZJXvWK"'

Note that the token, which gives authorization and authentication, is obtained with a separate login call to an internal OpenAuth server.  It looks like I need both the token and the devid; the devid essential…

Sun += OpenID

Tim Bray just blogged about openid.sun.com, which is an identity provider for Sun employees only.  Interesting!  Though technically one would like to be able to do independent assertions about user centric identities ("works for Sun" being a reasonable assertion one could make about any identity).  I suppose though that someone could use OP delegation to point http://me.example.org to openid.sun.com and achieve part of the same effect.  And in the end you'll need to rely on something like openid.sun.com to validate assertions presumably.

AOL OpenAuth and Atom Publishing Protocol

I'm looking to see how best to implement Atom-compatible authentication for AOL's OpenAuth service. The service provides ways for users to authenticate themselves and to grant permissions to services to do things such as read buddy lists on behalf of a user.  These permissions are encapsulated in a portable token which can be passed around.  The primary use cases for this involve pure web based AJAX applications, so making this something that a generic application can deal with isn't fully specified.

So, here are my thoughts.  Let's say the client has a token string which encapsulates authentication and authorization.  They need to send this along with an Atom Publishing Protocol (APP) request.

Windows Live and GData both implement custom RFC 2617 WWW-Authenticate: header schemes.  Unfortunately they don't follow exactly the same pattern, or I'd just copy it.  But using RFC 2617 is clearly the right approach if the server can support it.  So here's a proposal:

If a cl…