Scott Blomquist

Selection paralysis

I got to thinking lately about how I wish I had a wiki on my personal web site, because I want to do some quick’n’dirty semi-structured and richly linked writing to share with others so I can get feedback and input. I spent some time catching up on what wiki systems are best at what, and discovered I was completely daunted by how many different choices there were.

I eventually whittled the list of candidates down to just short of 10 different packages, and then got stuck again. What happens if I pick one today and invest considerable time in it only to discover that a different one fits better with what I’m using it for? Is there any way to migrate the data to a different wiki package at or near full-fidelity?

More »

Marshall Kirkpatrick’s claim that Vidoop is “a company made up largely of engineers with military backgrounds” makes for a great thriller plot, especially in the context of his National ID discussion over at ReadWriteWeb. That description, however, doesn’t reflect the Vidoop that I know. One of our developers was a civilian researcher at the Naval Research Labs for a couple of years, and one of our developers was in the Army long enough to spend some time in Afghanistan. That’s the extent of our military ties.

That said, there are some very interesting things to think about elsewhere in Marshall’s post. Like him, I’m not excited about being issued a National ID, let alone the prospect of having my OpenID inseparably tied to it. That just doesn’t make sense. I shouldn’t need a National ID to have a flickr account, and any such ID shouldn’t be associated with my search engine use.

But there are scenarios where being able to convey certain institutionally-verified claims about my identity online would be useful. For example, I miss certain wines from Washington State’s wine country because the State of Oklahoma won’t let me have wine shipped here. Perhaps it’s because they don’t want minors to have access to alcohol through the mail, or more likely it’s because they don’t want alcohol in the state for which they didn’t get their tax money. Either way, being able to prove that I’m old enough or that I paid appropriate taxes on the transaction are things that technology could enable in the near future, and there’s absolutely no reason that OpenID couldn’t be one of the protocols involved at the time I prove such things.

Remember that OpenID is all about putting control of your online identity in your very own hands, and there are built-in controls to make sure it will always continue to be that way. (The strongest such control is that anyone who doesn’t like the way the current Identity Providers work can always run their own Provider.)

Your identity shouldn’t do things that you don’t want it to do, but it should certainly be able to do all of the things that you do want it to do. And with OpenID each of us has the ability to want our OpenID to do different things.

One thing that concerns many people about OpenID is what happens if their provider goes out of business or if they want to switch to another provider for some other reason.

At Vidoop, we believe that users deserve to always be in control of their online identity, even if it means that they’d like to switch away. We’ll let them keep their URL and change to another provider.

We recently shipped a feature that allows a user to go to the Account/Advanced tab on our site and delegate their myVidoop.com OpenID URL to the OpenID provider of their choice. For example, right now, if you type sblom.myvidoop.com in to one of your favorite OpenID relying party’s web site, you’ll see that you’re redirected to openid.xmpp.za.net.

All OpenID users should expect their OpenID providers to do the same. Please ask them to do so–even if you’re happy with them now. What if they go out of business, or if you decide that you like another provider better?

There are just short of 1.3 zillion OpenID concerns out there (no, seriosly–I counted), most of them well-intentioned but overblown. And most of them are just as applicable to username and password. The biggest difference is that everyone has experience with username and password and knows all of the best practices for dealing with them. Unfortunately, OpenID is still young, and so the best practices are still evolving.

Habari developer Owen Winkler over at Asymptomatic describes how after spending months away from Zooomr, he has forgotten which OpenID he used to sign up.

I had the same thing happen to me (maybe even more than once)before I got the hang of the whole OpenID thing. Now that I have the hang, though, I’m far better off because I get to use the same username everywhere instead of discovering that “sblom” is already taken or that they require at least 6 letters and having to choose “sblomqui” or “sblom000″ or something else entirely.

However, there will always be new users on a site who don’t yet have the hang of OpenID, and who haven’t yet settled on a favorite OpenID URL to use everywhere. They’re bound to forget which OpenID they used to sign in from time to time. This is where best practices come in. The OpenID wiki has a good and growing collection of OpenID Relying Party Best Practices, where they mention, among other things, that the right thing to do is to allow users to use the email on file with the Relying Party to change which OpenID account is associated with the account in case the user lost access to their OpenID, or forgot which one was used.

Owen, I’d be happy to help you out by explaining to Zooomr how to behave appropriately as an OpenID RP.