2008/01/30

OpenSocial 0.7 and makeRequest

We're converging towards 1.0! There's one particular thing I want to quickly highlight: makeRequest. This goes beyond the old IG_Fetch API to allow arbitrary HTTP requests to arbitrary URLs, with full use of headers, POST data, response codes, etc. This effectively means that properly installed gadgets can talk any protocol to any server on the Internet. Now that's open.

There are controls of course. The container validates that the request is coming from a properly installed gadget, and poorly behaving gadgets can be rate limited or shut off if necessary.

You can also pass certain headers which are awfully useful. For example...
Authorization: OAuth realm="http://sp.example.com/",
oauth_consumer_key="0685bd9184jfhq22",
oauth_token="ad180jjd733klru7",
oauth_signature_method="HMAC-SHA1",
oauth_signature="wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D",
oauth_timestamp="137131200",
oauth_nonce="4572616e48616d6d65724c61686176",
oauth_version="1.0"
Which would let you do authenticated cross-domain requests.

(This assumes of course that the gadget can securely store a token for later use. Gadgets can store data securely using the OpenSocial APIs, but since the user at the browser ultimately has full control over the client side environment, this is effectively the same as a client without a very secure secret. A server side signing solution is needed if you want to go beyond simple scenarios involving a user looking at their own data. We're already using OAuth with an empty token to let gadgets talk to their home servers securely, so adding this won't be difficult.)
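As an added illustration (not code from this post, from OpenSocial or from Shindig), here is the server-side signing the parenthetical calls for: an OAuth 1.0 HMAC-SHA1 signer that produces an Authorization header of the shape shown above, and the service-provider check that recomputes and compares the signature. The consumer key, token, secrets and photos.example.net request used to exercise it are the OAuth Core 1.0 specification's published test vector, and the parsing of the header back into parameters is a simplified assumption (values are percent-encoded, so splitting on commas is safe).

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qsl, quote, unquote, urlsplit

def pct(s):
    """RFC 3986 percent-encoding as OAuth 1.0 requires: only unreserved characters survive."""
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    """Signature base string: METHOD & base URL & normalized (encoded, sorted) parameters."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    # Query-string parameters join the oauth_* parameters in the signed set.
    pairs = list(params.items()) + parse_qsl(parts.query, keep_blank_values=True)
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return f"{method.upper()}&{pct(base_url)}&{pct(normalized)}"

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with consumer secret & token secret (token may be empty)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def authorization_header(method, url, consumer_key, consumer_secret, token="", token_secret="",
                         realm="", timestamp=None, nonce=None):
    """Build the Authorization: OAuth value; this runs where the secrets live, i.e. on the server."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(16),  # fresh per request so replays can be rejected
        "oauth_version": "1.0",
    }
    if token:  # omitted for the empty-token, consumer-only calls the post mentions
        params["oauth_token"] = token
    params["oauth_signature"] = sign(method, url, params, consumer_secret, token_secret)
    fields = ", ".join(f'{k}="{pct(v)}"' for k, v in params.items())
    return f'OAuth realm="{realm}", {fields}'

def verify(method, url, header, consumer_secret, token_secret=""):
    """Service-provider side: parse the header, recompute the signature, compare in constant time."""
    items = {}
    for part in header.partition(" ")[2].split(","):  # assumption: values are percent-encoded
        k, _, v = part.strip().partition("=")
        items[k] = unquote(v.strip('"'))
    presented = items.pop("oauth_signature", "")
    items.pop("realm", None)  # realm is not part of the signed parameter set
    return hmac.compare_digest(presented, sign(method, url, items, consumer_secret, token_secret))
```

Any change to the method, URL, query or token secret after signing makes verify() fail, which is exactly why the secret used by sign() must never reach the browser-side gadget.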

OpenID and Friends

Johannes retconned a nice title onto our panel discussion yesterday: OpenID and Friends (where the friends include OAuth, OpenAuth, OpenSocial, etc.) The panel in fact might have been a little too friendly -- maybe we needed somebody (Ben?) debating with us about phishing attacks to shake things up a bit. It was great to talk with Shreyas, Johannes, Nicolas, and George about issues and next steps. We all have a variety of goals, all of which are advanced by OpenID adoption and use.

2008/01/26

It's an Honor Just to be Nominated

Cool: Blogger has been nominated for the "Best Web Application for Weblogs" category in the 2008 Bloggies. Parenthetically, PostSecret has already run away with the "Blog Nominated in the Most Categories" category, which is great because (a) it's awesome and (b) it's on BlogSpot, so if it wins we all bask in reflected glory. Or something.

Microsoft, DataPortability.org, Chalk, and Cheese

It's great to hear that Microsoft is joining DataPortability.org. I think this group has potential; if nothing else, it's a useful forum for interested parties such as Google, Microsoft, and Facebook to openly discuss policies that will benefit all of our users.

I was a bit disturbed to find some spin in Dare Obasanjo's commentary, though. He says:
... The fact that when interoperability happens, it is in back room deals (e.g. Google OpenSocial, Microsoft’s conversations with startups, etc) instead of being open to all using standard and unencumbered protocols is similarly troubling.
Whoa, let's deconstruct. This associates OpenSocial and Microsoft's "strong-arm" tactics by putting them in the same list, trailed by 'etc' to imply that these are just a couple of typical examples. Slap parentheses around it, and label the whole list "back room deals". Maybe no one will notice that you've just conflated chalk and cheese:

The chalk: OpenSocial is comprised of a bunch of companies and individuals all working together on a common set of standards for social networking. There is an open source reference implementation hosted by the Apache Foundation in which anyone can participate. (Dare, if you're not feeling invited, please contact me directly!)

The cheese: Microsoft is sending cease and desist letters to startups who are importing contacts from Hotmail, which are then used as leverage in back room deals to try to get the startups to use Microsoft's Messenger IM service to the exclusion of competing services.

Let's skip that though and talk about open and unencumbered protocols. Dare, I agree with you that we need these. I think that things like OpenID and OAuth are building blocks towards this, and I hope that we can discuss some of the hard issues at Social Graph Foo Camp. In the front room, of course!

2008/01/24

Identity Conflation = Profit!

True story: I was just contacted by a company looking to pay an outstanding invoice to "John Panzer" for consulting work; they had lost the original contact information and found me on the Internet. I hope the John Panzer doing consulting in New York gets paid properly; it sounded like pretty good money!

2008/01/19

OpenID and OAuth at WebGuild's Web 2.0 Conference

On Jan 29 I'll be on an OpenID & OAuth panel at the WebGuild Web 2.0 Conference and Expo in Santa Clara, CA. Shreyas Doshi of Yahoo will be there, which will be a great opportunity to discuss where OpenID is headed. (My former compatriot George Fletcher will be there as well, along with Nico Popp of Verisign, and Johannes Ernst will be moderating.)

2008/01/18

Blogger now an OpenID Provider

Yesterday, in addition to launching Blogger in three new languages, we pushed out a draft feature: Your blog is your OpenID. Technically, this means that Blogger is both an OP and an RP; we've accepted OpenID signed comments since December.

We've implemented OpenID 1.1 so far, so we should be compatible with all OpenID 1.1 RPs. Please test it out (see instructions for opting in) and let us know if you see problems.

It's also great to see Yahoo announcing that they'll be an OpenID 2.0 Provider. I hope they implement RP support soon too, at least for things like Flickr comments.

2008/01/16

Time to Toss RDBMSes?

The End of an Architectural Era (It's Time for a Complete Rewrite) is a good read. I've certainly gotten immensely frustrated with the inability of RDBMses to actually cache or partition intelligently (memcached is great, but also an indictment of an infrastructure that can't keep up). (Via Joe Gregorio.)

2008/01/15

Going to Social Graph Foo Camp 08

This should be fun. I hope I'll have something interesting to say at Social Graph Foo Camp. I know I'll hear a lot of interesting discussions. Any tips?

(Hmm. Are we really going to camp outside in February in Sebastopol? It's doable I guess but...)

2008/01/12

Episode V: The Writers Strike Back

Striking writers, with plenty of time on their hands, are starting their own companies Silicon Valley-style to bypass old guard distribution networks. It'll be interesting to see how ventures such as Virtual Artists and others (Striking writers to launch online video co.) play out. Most amusingly, since the producers' position is that online media is an "unproven and untested market", they're going to have to publicly pretend that these ventures don't scare the living crap out of them.

2008/01/11

Moving on to abstractioneer.org

I've decided to take the plunge and move on to publishing at http://abstractioneer.org, powered by Blogger. Since I'm the tech manager for Blogger it seems only fitting, and we've recently been adding a whole host of cool features that make it more and more attractive (OpenID commenting being just the latest).

I also have a semi-new Feedburner blog feed; some people were already subscribed through this feed, so you may notice no disruption in service as I re-point it at abstractioneer.org... just a moment... there! (http://feeds.feedburner.com/aol/SzHO). Feel free to re-subscribe there, if you are in the mood.

Warumungu Norms, Privacy, Facebook, and Useful Friction

We could learn something from the Warumungu. Wendy Seltzer's Mukurtu Digital Archiving: digital "restrictions" done right is about DRM, freedom, and controls; I think it's also about privacy. What's private, and what's public, and what's semi-private are culturally determined no less than the Warumungu rules around who is allowed to see what artifacts:
...the Warumungu have a set of protocols around objects and representations of people that restrict access to physical objects and photographs. Only elders may see or authorize viewing of sacred objects; other objects may be restricted by family or gender. Images of the deceased shouldn’t be viewed, and photographs are often physically effaced. When the Warumungu archive objects or images, they want to implement the same sort of restrictions.
With an interesting twist:
People can also print images or burn CDs and thus allow the images to circulate more widely to others who live on outstations or in other areas. In fact, one of the top priorities in Mukurtu’s development was that it needed to allow people to take things with them, printing and burning were necessary to ensure circulation of the materials.
What, then, prevents people from violating these norms?
Because the Mukurtu protocol-restrictions support community norms, rather than oppose them, the system can trust its users to take objects with them. If a member of the community chooses to show a picture to someone the machine would not have, his or her interpretation prevails — the machine doesn’t presume to capture or trump the nuance of the social protocol.
People, relationships, and norms are fuzzy and messy, so maybe it's reasonable that a system to deal with them is fuzzy and messy too. What Mukurtu does is put enough useful friction in the way of disclosure to give community norms a chance to operate. You can't email an image out to a mailing list, but you can print it and show it to a reasonably small number of people at a time. The point is not to control distribution perfectly, but to give human-scale trust mechanisms a chance to operate correctly.

Who owns the data?

L'Affaire Scoble raised the question, who owns relationship data? Dare Obasanjo argues that his contact data is his, not Robert's. And he wants Facebook to enforce this.

I'd argue that we should un-ask the ownership question. As long as we're talking about ownership, we're heading down the road towards DRM that has worked out so well for the music business. I'd like to talk about community norms, and what kind of useful friction we should be thinking about in the pure digital realm to give community norms a chance to operate. Reputation and portable identity are part of this, as are things like limited access (e.g., OAuth), rate limits, soft constraints, and user-centric norm enforcement. (What would happen if the people on Robert's friends list were simply informed, in real time, that he was copying their data for an unknown purpose?)

(Nick Carr has a great post on this subject as well.)