22 Oct 2007 @ 5:20 PM 

There are just short of 1.3 zillion OpenID concerns out there (no, seriously–I counted), most of them well-intentioned but overblown. And most of them are just as applicable to username and password. The biggest difference is that everyone has experience with username and password and knows all of the best practices for dealing with them. Unfortunately, OpenID is still young, and so the best practices are still evolving.

Habari developer Owen Winkler over at Asymptomatic describes how after spending months away from Zooomr, he has forgotten which OpenID he used to sign up.

I had the same thing happen to me (maybe even more than once) before I got the hang of the whole OpenID thing. Now that I have the hang, though, I’m far better off because I get to use the same username everywhere instead of discovering that “sblom” is already taken or that they require at least 6 letters and having to choose “sblomqui” or “sblom000” or something else entirely.

However, there will always be new users on a site who don’t yet have the hang of OpenID, and who haven’t yet settled on a favorite OpenID URL to use everywhere. They’re bound to forget which OpenID they used to sign in from time to time. This is where best practices come in. The OpenID wiki has a good and growing collection of OpenID Relying Party Best Practices, where they mention, among other things, that the right thing to do is to allow users to use the email on file with the Relying Party to change which OpenID account is associated with the account in case the user lost access to their OpenID, or forgot which one was used.

Owen, I’d be happy to help you out by explaining to Zooomr how to behave appropriately as an OpenID RP.
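One way a Relying Party could implement the email-based recovery described above, added here as an example and not taken from the OpenID wiki or any site's code. The class and method names, the 15-minute token lifetime and the in-memory store are assumptions, and `verified_openid` stands for an identifier the RP has already verified through a normal OpenID login.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # assumed token lifetime in seconds


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


class RelyingParty:
    """Hypothetical in-memory RP account store, constructed for this example."""

    def __init__(self):
        self.openid_by_email = {}  # email on file -> OpenID URL bound to the account
        self.pending = {}          # sha256(token) -> (email, expiry time)
        self.outbox = []           # (email, token) pairs; stands in for sending mail

    def request_rebind(self, email, now=None):
        now = time.time() if now is None else now
        if email in self.openid_by_email:
            # A new request invalidates any older outstanding token for this account.
            self.pending = {d: v for d, v in self.pending.items() if v[0] != email}
            token = secrets.token_urlsafe(32)
            # Store only a hash, so a leaked table does not yield usable tokens.
            self.pending[_digest(token)] = (email, now + TOKEN_TTL)
            self.outbox.append((email, token))
        # Same answer for known and unknown addresses: no account enumeration.
        return "If that address is on file, a recovery link has been sent."

    def redeem(self, token, verified_openid, now=None):
        """Bind verified_openid to the account if token is valid.

        verified_openid must already have been verified by a normal OpenID login.
        """
        now = time.time() if now is None else now
        entry = self.pending.pop(_digest(token), None)  # pop makes the token single-use
        if entry is None or now > entry[1]:
            return False
        self.openid_by_email[entry[0]] = verified_openid
        return True
```

The email on file becomes the root of trust for the account, so changing that address deserves at least the same care as changing the bound OpenID.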

Posted By: Scott Blomquist
Last Edit: 22 Oct 2007 @ 05:20 PM

Categories: OpenID Concerns
 21 Oct 2007 @ 5:42 PM 

I spent Friday and Saturday at the second annual Tulsa Tech Fest, a gathering of IT & software professionals from Tulsa and the surrounding area.

Overall, it was a good event. Friday’s attendance was incredible, coming in somewhere around 700 attendees according to some reports. I got a chance to meet and talk to a bunch of interesting people. It was great to see evidence of a vibrant tech community here in Tulsa.


Posted By: Scott Blomquist
Last Edit: 21 Oct 2007 @ 05:42 PM

Categories: Technology
 20 Oct 2007 @ 7:51 PM 

Here are the notes from my Tulsa Tech Fest 2007 talk "Developing Software with Security in Mind".

I describe 10 rules that everyone should keep in mind while developing software:

  1. Learn about security or it will teach you.
  2. Security knowledge goes obsolete quickly.
  3. Your team should have a security geek (or more).
  4. Befriend the security researchers in your field.
  5. Despite knowledge, you will ship security bugs.
  6. Have security response plans in place.
  7. Security and usability will always be in tension.
  8. The perfect is the enemy of the good.
  9. Have open conversations about security.
  10. Sometimes there is no rule #10.

Updated 2007/10/21: Make link to slides not stop at the sign-in page.

Posted By: Scott Blomquist
Last Edit: 20 Oct 2007 @ 07:51 PM

Categories: Uncategorized
 15 Oct 2007 @ 3:47 PM 

I don’t have a Facebook account. I don’t do social networking today because I refuse to go to the trouble of doing redundant work on the Internet every time the fashion changes. (LinkedIn got the one exemption here, but I don’t recall why.)

All of you who built a list of LiveJournal friends, and then MySpace friends, and now Facebook friends all know what I’m talking about. Don’t you feel silly now that you don’t use your LiveJournal account, and only occasionally use your MySpace account? Don’t you wish that you could carry your work with you from site to site?

Brad Fitzpatrick and David Recordon spent some time thinking about this in their August 2007 paper “Thoughts on the Social Graph”. They discuss that there are a large and growing number of useful and interesting applications that depend on data about relationships (such as “friend” or “coworker”) between people. They argue that we should be able to stash this information in a single location for re-use again everywhere else.

I love their idea for many reasons, not the least of which is that it allows me to not have to do the redundant work that I described above.

Rumors abound that Google may ship the first credible Social Graph API in November. If what they ship makes the time I invest cultivating my friends list on Orkut reusable elsewhere on the web, I’ll be among the first to sign up.

There is, however, one additional condition: they have to allow me to use my OpenID. I not only don’t want to have to build the list 80 different places. I also don’t want to have to answer obnoxious questions about which of my favorite usernames happened to be available on each site that I use. Given that OpenID makes use of a well-established global namespace, it makes this problem easy to solve for me as an OpenID user.

In summary, to get me to use your Social Network app:

  1. Publish to, and import from some sort of community social graph; and
  2. Allow me to use my OpenID as my account identifier.

Posted By: Scott Blomquist
Last Edit: 15 Oct 2007 @ 03:47 PM

 09 Oct 2007 @ 8:20 PM 

There have been some good blog conversations lately about myVidoop.com and Vidoop Secure (over at Judi Sohn’s Web Worker Daily review of myVidoop, or Carleen Hawn’s write-up over at GigaOM for example).

There are several really good questions that get asked often. I figured I’d collect them all here so that I have one place that I can point people toward the next time I encounter similar questions.

What’s the difference between Vidoop, Vidoop Secure, and myVidoop.com?

Vidoop is a Tulsa, OK-based technology company. (We call Oklahoma the Silicon Prairie. I hear that other people call where they’re from the Silicon Prairie, too. But I think ours is the real one.)

Vidoop Secure is our authentication technology. It is available to license as an easy-to-use, low-cost authentication technology, can be configured to provide strong two-factor security, and can even completely replace passwords.

myVidoop.com is our free consumer Identity service that allows you to test-drive the Vidoop Secure technology and manage your usernames and passwords for the entire internet.

How does Vidoop Secure work?

The core of the Vidoop Secure authentication mechanism is a grid of images where each image is chosen to represent a particular category (for example, “cats” or “telephones” or “food”). When a user signs up for an account, instead of choosing a secret password, he chooses a set of 3-5 secret categories (let’s use “cars”, “boats”, and “flowers”).

Posted By: Scott Blomquist
Last Edit: 09 Oct 2007 @ 08:20 PM

Categories: Vidoop
 04 Oct 2007 @ 9:53 PM 

I’m seriously having about the best possible week I could have.

It got started on Monday when our Biz Dev Veep and I went on a partner status trip. Our various partners are doing some very exciting things, and it was fun to spend some time with them in their own spaces.

Our mid-September myVidoop.com refresh is getting noticed by many new people every day. Our user count is growing daily, and we’re up to a much higher rate of user activity now that we’ve shipped the password management functionality. Firefox users already love our plug-in, and we’ll very soon be able to share the love with IE users as well. Safari and Opera users also don’t have to be patient much longer.

We’ve had a few good write-ups this week, especially an article in Financial Week and a review of myVidoop in Web Worker Daily.

This coming weekend is Microsoft Puzzle Hunt 11.0, for which Jennifer and I are travelling back to Redmond and solving with the Mithril Battle Chickens.

And finally, Scott Kveton and David Recordon arrive in Tulsa this weekend to do some collaboration with our web team on the OpenID.net web site refresh. There are all sorts of exciting things coming up soon w.r.t. Identity 2.0 in general and OpenID in particular, and we’re all eager to get OpenID.net into tip top shape.

It almost seems impossible, but I think next week just might be even better than this one.

Posted By: Scott Blomquist
Last Edit: 04 Oct 2007 @ 09:53 PM

Categories: Uncategorized
