Dave Winer has a blog post where he responds to a post entitled SOAP, REST and XML-RPC by Randy Charles Morin. He writes

I wonder if it'd be possible for me to disagree with Randy Morin without getting flamed. I never said XML-RPC is better than SOAP or REST, or more perfect or pure, or better documented. I don't care if the others have better websites, or more advocates posting on mail lists. The reason I advise would-be platform developers to support XML-RPC is because at least for some developers (including me) it's so much faster to implement, so we spend less time creating glue and get to building applications sooner. I've learned that the sooner developers get to the fun part, the more likely they are to deploy. And if that's the goal, why not support it? BTW, I never said they shouldn't support SOAP or REST, in fact I often provide multiple interfaces to my would-be platforms, because I've learned that if you want uptake for new ideas, you shouldn't argue over small things like this, you should say yes whenever you can.

I agree 100% with Dave Winer. If you are building a service on the Web, then you shouldn't discriminate against any platform, application or device. This means you can't pick one approach or one technology for building your service because different platforms have different levels of support for various approaches. A developer using Visual Studio will find using SOAP easier than REST or XML-RPC, while on the flip side a developer using Python or Perl is likely more at home dealing with XML-RPC than using SOAP. Choosing one technology over the other is choosing to discriminate against one platform or set of developers over the other.

In some cases this is necessary to keep maintenance costs down by supporting a small set of protocols but in general if you are building a service on the Web, you want it to be inclusive not exclusive. Arguments of technological superiority be damned.


 

Categories: XML Web Services

The past few days seem to have been quite interesting in the comments section of the Mini-Microsoft blog. Ex-Microsoft employee Robert Scoble jumped into some comment threads where some of his former bosses were being criticized (start here) and it quickly devolved into a flame war. In the aftermath of that flame war, Mini posted an entry entitled Bad Mini, Scoble's Exit, and Truthiness - Links which also led to another series of interesting comments from Robert. The most interesting of these seems not to have been posted but is instead referenced in this excerpted comment by Who da'Punk (aka Mini-Microsoft)

Okay, okay, hold on... things are getting heated again. I've got about six posts in the queue, including Mr. Scoble's "Goodbye I won't ever be commenting here again," comment. So, please hold on to your "Grr, Scoble!" comments because he won't be following up, let alone perhaps reading them. You'd be much better served submitting your comments to his blog or writing your own blog entries and linking appropriately.
...
In the meantime, I'm certainly thinking about Scoble's parting strategic comments:

* The Mini-Microsoft blog's impact has come, been done, and is past.

* The blog serves now to harm Microsoft more than help it.

* The blog is, specifically, being used by the anti-Microsoft crowd and competitors to harm Microsoft.

All good points, and some, worth putting up a pivotal post about.

But not today. Go have fun.

I find it hard to disagree with Robert's above points. The Mini-Microsoft blog has served as a place for Microsoft employees to discuss what riles them about the company in an anonymous setting that is free of recrimination. From my perspective, this has been both good and bad. It has been good to have a forum where people can discuss some aspects of the culture that have been taken for granted but were actually harmful, such as The Curve, without fear of being attacked for questioning the status quo. Although it would have been better for this discussion to happen internally, there are a number of social and technological reasons why this is difficult.

On the flip side, the Mini-Microsoft blog is a forum where disgruntled employees pour out their bile on their fellow employees and the company as a whole. I've seen character assassination, racism, sexism, fear mongering, unfounded allegations of sexual misconduct, information leaking, and more in the comments section of the Mini-Microsoft blog. However you slice it, it reflects badly on Microsoft that the people posting these comments appear to be Microsoft employees. What is even more interesting is when you consider Robert Scoble's allegation below

Anonymous bloggers are never as credible as ones who stick their names on things.

Why does it bother me? Cause Mini is being used by non-Microsoft employees to hurt Microsoft. I've learned that a lot of the posts here that you're reading aren't done by Microsoft employees.

Yet you are taking it on face value that everyone is being straight up with you here. They are not.

I didn't realize this until after I had left Microsoft (it's funny how people tell you stuff when you aren't a Microsoft employee anymore). I'm not willing to expose my source, though. But I believe him.

That competitors would astroturf the Mini-Microsoft blog or use it as a recruiting tool when competing against Microsoft for a candidate doesn't surprise me. The surprise is that both Mini-Microsoft and Robert Scoble seem to be taken aback by this. I guess I'm more cynical than most.

The bottom line is that I agree with Robert that in its current incarnation Mini-Microsoft does more harm to Microsoft than good. If anything, it does point out the need for better internal forums for frank and open discussion but I definitely think its time is past.


 

Categories: Life in the B0rg Cube

Mike Arrington of TechCrunch fame has a blog post entitled where he lays out the demographics of the various RSS readers used to subscribe to his feed. Below is an excerpt of his post and a partial screenshot of his FeedBurner statistics showing the top fourteen feed readers used to access the TechCrunch feed

Firefox (including Flock) accounts for 20% of feed readers. Bloglines is in second place with 13%, followed by NewsGator at 12%, Rojo at 8%, FeedReader at 7%, and Netvibes at 7%. Other notables include Pageflakes, Pluck and Attensa. If you add NetNewsWire to the core NewsGator stats, NewsGator is actually bigger than bloglines.
...

The feed reader statistics are surprising to me both for the feed readers that show up in the list and for those that don't. For example, I'm surprised to see FeedReader at #5 yet not see FeedDemon in the top 14. Similarly, the popularity of AJAX home pages like Pageflakes and Netvibes over those from the big 3 (Google/Yahoo/Microsoft) is also unexpected. Of course, these statistics might be skewed because TechCrunch is one of the default feeds in Netvibes. A final surprise is that NewsGator Online is almost as popular as Bloglines among readers of TechCrunch. This seems to mean that the latter is finally getting a lot of cred among the early adopter crowd especially since the former has been slow to update in the past year.

For a completely different set of demographics, here are the top 14 feed readers used to access my RSS feed according to FeedBurner.

I wonder what conclusion you draw from how different the distribution of feed readers is in the above screenshots. For example, I think the fact that a bunch of Microsoft employees and developers on Microsoft's platforms read my blog explains why there are multiple instances of feed readers based on the .NET Framework in the above list. In addition, I suspect this also explains why there is an entry for the Windows RSS platform in the top 10 applications hitting my feed.

On the flip side, I have no explanation for why it seems that NewsGator Online is half as popular as Bloglines among the readers of my blog.


 

Richard MacManus has a blog post entitled Netscape Community Backlash where he writes

I've been tracking the release of the new Digg-style community news site Netscape.com, because there is a lot of backlash within the Netscape community about it. A story called Netscape's Blunder!!! was number 1 on Netscape.com for a while and the latest post on the homepage is entitled A Request by the Netscape Community to Bring Back Our Netscape.com. There's another Netscape story currently on the homepage called Netscape Reborn: Why? Why? Why?. The backlash has presumably led to this message currently on the right of the homepage, from the Netscape team:

"Attention Netscape users Your Netscape mail hasn't gone anywhere, you can find it right here! Also, My.Netscape and your Stock Quotes are still online as well."

There appears to be a genuine feeling of betrayal by the (very large) set of users who have had Netscape.com as their homepage for some time. Indeed I've been getting comments on my own posts and even emails from Netscape users, upset about the change to the Digg style.

All of this shows how passionate people can get about their Web homepage - and they're just as much a 'community' as the Digg.com users are. It's just that they like the old-school Web homepage, not the new Digg style. Also what this tells me is that while a lot of us geeks and 2.0 types are addicted to our own technology (and our own voices, to be honest), it's pretty darn obvious that A LOT of people want to stick with the status quo.

This is one of those reasons why I believe that Danah Boyd's essays should be required reading for anyone interested in building social software. I disagree with Richard MacManus that the problem is that a lot of people want to stick with the status quo. I agree that it plays a part but the real problem is that AOL made a drastic change to software that was an integral part of their users' lives in such a draconian manner.

People grow attached to the software they use and the online community that exists around that software. Heck, I've been using My Yahoo! for the past five or six years and have only partially switched to Live.com even though I made a conscious decision to switch*. I'd personally be pretty irritated if one day Yahoo! radically switched things around in a desperate attempt to jump on the Web 2.0 bandwagon and I'm a tech geek.

AOL should have engaged with their community of users before launching the revamped Digg-like version of Netscape. At the very least, the company should have considered using an alternate URL for the site and not the valuable Netscape.com domain or done some A/B testing to see if users liked the switch over or not. It may be that the people complaining are a vocal minority but something tells me that they aren't given how drastic the change to the site has been. Perhaps making Live.com and MSN.com separate sites wasn't such a bad idea after all. :)

* I use Live.com at work and My Yahoo! at home.


 

Categories: Social Software

July 2, 2006
@ 06:29 AM

Last week I attended the Kenny Chesney concert with my girlfriend and we even took some photos before the concert. A couple of coworkers answered my call for country duds and I got some hats, shirts and a pair of cowboy boots contributed to the cause. I probably should write a review of the concert but it's hard for me to judge the musical quality of a concert that had people singing songs like She Thinks My Tractor is Sexy and Save a Horse, Ride a Cowboy. However, here are a few observations from the concert
  • There were supposedly over 40,000 tickets sold and it looked like there were tens of thousands of people there. However the crowd wasn't very diverse, it was almost all white guys and white gals. I was the only black person I saw the entire 5.5 hours we were there.

  • Besides Kenny Chesney there was also Gretchen Wilson, Dierks Bentley, Big & Rich, and a surprise appearance by Uncle Kracker. The crowd seemed to get into all the performances although it was hard for me to since I didn't know most of the songs.

  • I think I saw someone with the worst job in America. One of the concert goers vomited and it seems there were no safety cones available so one of the stadium employees stood over the vomit so that concert goers wouldn't step on it.

  • Unlike hip hop concerts this one started on time. We got there at 5:30PM and we had already missed half of Dierks Bentley's set. Not only did it start early, it ran until 11 PM which means we got our money's worth.

  • This was the largest gathering of people wearing cowboy hats I'd ever seen. This was doubly a surprise given how rarely one encounters cowboy hats in Seattle.


 

Categories: Personal

Cory Doctorow has a blog post up on Boing Boing entitled Mark Pilgrim's list of Ubuntu essentials for ex-Mac users where he writes

Mac guru and software developer Mark Pilgrim recently switched to Ubuntu Linux after becoming fed up with proprietary Mac file-formats and the increasing use of DRM technologies in the MacOS. I've been a Mac user since 1984, and have a Mac tattooed on my right bicep. I've probably personally owned 50 Macs, and I've purchased several hundred while working as an IT manager over the years. I'm about to make the same switch, for much the same reasons.

You could probably write an entire Ph.D dissertation on what would motivate someone to tattoo a corporate logo on their arm. Maybe I should buy a Mac just so I can figure out what all the hype is about.


 

June 30, 2006
@ 04:28 AM

It seems the Web API authentication discussion has been sparked up all over the Web by the various announcements of Windows Live ID and the Google Account Authentication for Web apps. In his blog post Google's authentication vs. Microsoft's Live ID Eric Norlin writes

Recent announcements of Google's authentication service have prompted comparisons to Passport, and even gotten to Dick Hardt (of "Identity 2.0" fame) to call it the, "deepening of the identity silo." I'd like to contrast Google's work with Microsoft's recent work around Live ID.

Microsoft's Live ID *is* the old Passport — with a few key changes. Kim Cameron's work around the identity metasystem has driven the concept of InfoCards (now called CardSpace) deep inside of Microsoft. In essence, Kim's idea is that there is a "metasystem" which utilizes WS-Trust to translate tokens, so that all identity systems can interact with each other.

Of extreme importance is the fact that Windows Live ID will support WS-Trust, WS-Federation, CardSpace and ADFS (active directory federation server). This means that A) Windows Live ID can interact with other identity metasystem implementations (Open Source versions, for example); B) that your corporate active directory environment can be federated into Windows Live ID; and C) the closed system that was Passport has now effectively been transformed into an open (standards-based) and transparent system that is Live ID.

Contrast all of this with Google's announcement: create Google account, store user information at Google, get authentication from Google — are we sensing a trend? While Microsoft is now making it easy to interact with other (competing) identity systems, Google is making it nearly impossible. All of which leads one to ask - why?

Perhaps it's because there are now so many old-school Microsoft people at Google? ;)

On a more serious note, I suspect that the Google folks simply didn't think about the federation angle when designing the authentication model for their APIs as opposed to this being some 'evil plot' by Google to create an identity silo.


 

June 28, 2006
@ 03:27 PM

Julien Couvreur has a blog post entitled Web API authentication for mashups where he talks about authentication and Web APIs. This is a topic that is near and dear to my heart since getting this right is very important for the Windows Live developer platform. Julien writes

Authorization techniques:

A number of techniques for controlling access to web APIs are generally used: user authentication cookies, API keys and crossdomain policy files. The problem is that API keys and crossdomain policy files are too restrictive because the service needs to decide which third-parties to let in.

On the other end, access control based on the user authentication cookies are very open to un-planned integration, but also create a huge phishing risk. This is a classic example of the confused deputy problems that appear in principal-based security models.

As a result, most web APIs today don't involve any user data (search, maps, ...) or non sensitive user data.

Yahoo APIs:

Yahoo appears to be tackling the challenge with its announced "browser-based authentication". From the little information I could gather so far, it seems less of an authentication than an authorization system. Unlike cookie based approaches, which give access to any agent presenting user credentials (principal-based security), it appears to follow a capability-based security model, which only grants access if the agent uses the proper "secure handle" or "capability" to call the service. Such capabilities are sufficient to gain access to the service and don't need any additional authentication, they are communicable tokens of authority.

The devil is in the details when talking about authentication, authorization and Web APIs. When I first heard about Yahoo's proposed authentication model for Web APIs at their ETech 2006 talk entitled Building a Participation Platform: Yahoo! Web Services Past, Present, and Future, I thought it sounded similar to the model used by Passport Windows Live ID. In both approaches, instead of applications prompting users for their credentials (username/password combo), the user signs in to the primary service, which then returns an opaque token to the target application that identifies the user and gives the application permission to access the user's data. However, having fine-grained access control that can give applications access to only specific services and can revoke permission given to specific applications seems to be richer than what I've seen offered by Passport Windows Live ID. This is nice, but it remains to be seen how easy this will be for users to understand or for applications to manage.
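The difference between the cookie model and the opaque-token model described above can be sketched as follows. This is an added example, not code from Yahoo!, Microsoft or the original post; `CookieSessions`, `TokenService`, the application ids and the scope names are all hypothetical.

```python
import hashlib
import secrets
import time


class CookieSessions:
    """Principal-based model: whoever presents the cookie acts as the user."""

    def __init__(self):
        self._sessions = {}

    def login(self, user):
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = user
        return cookie

    def check(self, cookie, scope):
        # Ambient authority: the requested scope plays no part in the decision.
        return self._sessions.get(cookie)


class TokenService:
    """Capability-style model: opaque, scoped, expiring, revocable tokens."""

    def __init__(self):
        self._grants = {}  # sha256(token) -> grant; raw tokens are never stored

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def grant(self, user, app_id, scopes, ttl=3600, now=None):
        # Called only after the user has signed in at the provider itself and
        # approved the application; the application never sees the password.
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._grants[self._digest(token)] = {
            "user": user,
            "app_id": app_id,
            "scopes": frozenset(scopes),
            "expires": now + ttl,
        }
        return token

    def check(self, token, scope, now=None):
        # Returns the user the token speaks for, or None if access is denied.
        now = time.time() if now is None else now
        grant = self._grants.get(self._digest(token))
        if grant is None or now >= grant["expires"]:
            return None
        if scope not in grant["scopes"]:
            return None
        return grant["user"]

    def revoke_app(self, user, app_id):
        # The user withdraws one application's access; other grants survive.
        doomed = [d for d, g in self._grants.items()
                  if g["user"] == user and g["app_id"] == app_id]
        for digest in doomed:
            del self._grants[digest]
        return len(doomed)


if __name__ == "__main__":
    svc = TokenService()
    photos = svc.grant("alice", "photo-mashup", {"photos.read"})
    print(svc.check(photos, "photos.read"))  # alice
    print(svc.check(photos, "mail.read"))    # None: outside the granted scope
    svc.revoke_app("alice", "photo-mashup")
    print(svc.check(photos, "photos.read"))  # None: revoked
```

A leaked token in this sketch exposes one scope for one application until it expires or is revoked, whereas a leaked cookie exposes everything the user can do.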

From my perspective there are two primary goals an authentication model for a family of Web APIs must satisfy

  1. User credentials are sacred and must be protected at all costs: A security mechanism is only as strong as its weakest link. This means that it is extremely unwise to build an authentication model in which applications built on your APIs request usernames/passwords or other credentials from users directly. The last thing you want is for anyone with a copy of Javascript for Dummies to be able to legitimately ask your users for their credentials and then store them insecurely. In addition, if users get comfortable with entering their credentials in all sorts of random places, it makes them more susceptible to phishing attacks. This is one of the reasons services like Meebo are worrying to me.

    It should be noted that in certain cases the information hosted in the service may not be very valuable, in which case this tenet can be waived. For example, the NewsGator API expects applications to prompt users for their credentials and then pass those along when interacting with the service. Since the user information hosted in the service is primarily a list of RSS/Atom feeds and their read/unread state, the value to attackers is extremely low and there is little need to build a sophisticated authentication model for this service.

  2. Do not discriminate against any platform or any device: In today's world, end users interact with online services using a variety of devices and platforms. Each device and platform has different strengths and limitations but is important in its own right. Online services like email or instant messaging have witnessed the rise of multiple access models, from desktop applications running on PCs to applications running on mobile devices, from JavaScript code running client-side in a browser to web service calls being made from one server to another. In many cases, the average user may go back and forth between all these access modes within the course of their normal usage of the service. For example, I check my email using Outlook Web Access, Microsoft Outlook and my Audiovox SMT 5600 during the normal course of my work day.

Thus far I have not seen any Web API authentication model satisfy both goals. Based on my understanding from the ETech talk, the model proposed by Yahoo! fails to meet the second goal above because it is browser based. Before being accused of bias, I'll also point out that from reading the initial documentation for the Windows Live ID service it also fails to satisfy the second goal because Microsoft has only announced SDKs for server-to-server calls and desktop clients [both of which I assume will only target servers or PCs running varieties of Windows]. 

Providing a comprehensive authentication story for a suite of Web APIs is a hard problem.


 

Categories: XML Web Services

The Windows Live Custom Domains team has a post on their blog entitled Bye bye beta….Custom Domains v1 has launched which states

We’re leaving the “Beta tag” blanket at home.  That’s right…thanks to your beta testing and feedback; we’ve now officially launched Windows Live Custom Domains.  Our colleagues over in Messenger kicked off the Windows Live launch season last week.  Along with the launch of OneCare and Live Favorites, we're excited to continue the momentum.  Windows Live is about the Web, the way you want it.  Personalization is a key piece here, and let's face it...your identity online is central to that.  Custom Domains enables people to use all of the Windows Live and MSN services they want with an ID that's as unique to them as they want it to be.

For those who aren’t familiar with Custom Domains, we provide free hosted e-mail for your domain.  Let’s say you own the domain name, “wingtiptoys.com.”   With Custom Domains, you get unlimited, free e-mail accounts at that domain.  You can open accounts for sales@wingtiptoys.com, owner@wingtiptoys.com, etc.  Oh wait, did we mention that it’s free?  This isn’t one of those “free during beta” trial offers.  This is free for life. 

New Feature: Open Membership

We’re jazzed about a new feature we’ve added called Open Membership. How does this work? Let’s say you run a website called “soccerfan.com.” Your users love your site and want an e-mail address @soccerfan.com. Prior to this launch, each user would have to request an e-mail account from the administrator. Then, the admin would manually approve and create each account. We’ve made things much easier all around with this launch...With the Open Membership feature enabled, we provide URL links so users can automatically sign-up for an e-mail account @soccerfan.com. Admins no longer have to burden with the manual creation of email accounts, and users get accounts immediately.

Congratulations to the team, it's good to see more Windows Live services coming out of beta. I really like this service but I'd love to see it expand to cover other Windows Live properties. For example, will I be able to ever use my own custom domain for my Windows Live Space?


 

Categories: Windows Live

The Windows Live Local/Virtual Earth team has a blog post entitled Free Phone calls at WLL which states

A new release of Live Local went out over the weekend. Mostly minor bug fixes, but a few new features made it in as well. One of the more interesting is the ability to phone any business for free. Using it is easy - do a business search by name or category and in the result panel will be a 'Call for Free' link next to each business listing. Each pushpin popup on the map will also have the Call for free link. When you click it you specify your phone number - the system will dial both you and the business and connect you. Once you've made your first call, you can rapid dial businesses without having to re-enter your phone number.

Windows Live Local is definitely my favorite online mapping service today and probably the only Windows Live service I can say is head and shoulders above the competition. Kudos to everyone on the team who have built such a killer service in such a short time.


 

Categories: Windows Live