March 13, 2007
@ 06:18 PM

Tim Bray has an excellent post entitled OpenID which attempts to separate hype from fact when it comes to the technorati's newest darling, OpenID. He writes:

The buzz around OpenID is becoming impossible to ignore. If you don't know why, check out How To Use OpenID, a screencast by Simon Willison. As it's used now (unless I'm missing something) OpenID seems pretty useless, but with only a little work (unless I'm missing something) it could be very useful indeed.

Problem: TLS · The first problem is that OpenID doesn't require the use of TLS (what's behind URIs that begin with https:).
...
Problem: What's It Mean? · Another problem with OpenID is that, well, having one doesn't mean very much; just that you can verify that some server somewhere says it believes that the person operating the browser owns that ID.
...
Problem: Phishing · This is going to be a problem, but I don't think it's fair to hang it on OpenID, because it's going to be equally a problem with any browser-based authentication. Since browser-based authentication is What The People Want, we're just going to have to fight through this with a combination of browser engineering and (more important) educating the general public.
...
The Real Problem · Of course, out there in the enterprise space where most of Sun's customers live, they think about identity problems at an entirely different level. Single-sign-on seems like a little and not terribly interesting piece of the problem. They lose sleep at night over "Attribute Exchange"; once you have an identity, who is allowed to hold what pieces of information about you, and what are the right protocols by which they may be requested, authorized, and delivered? The technology is tough, but the policy issues are mind-boggling.
So at the moment I suspect that OpenID isn't that interesting to those people.

I've been thinking about OpenID from the context of authorization and sharing across multiple social networks. Until recently I worked on the authorization platform for a lot of MSN and Windows Live properties (i.e. the platform that enables setting permissions on who can view your Windows Live Space, MSN Calendar, or Friends list from Windows Live Messenger). One of the problems I see us facing in the future is lack of interoperability across multiple social networks. This is a problem when your users have created their friend lists (i.e. virtual address books) on sites like Facebook, Flickr or MySpace. One of the things you notice about these services is that they all allow you to set permissions on who can view your profile or content. More importantly, if your profile/content is non-public then they all require that the people who can view your profile must have an account with their service. We do the same thing across Windows Live so it isn't a knock on them.

What I find interesting is this: what if on Flickr I could add http://mike.spaces.live.com as a contact and then give Mike Torres permission to view my photos without him having to get a Yahoo! account? Sounds interesting, doesn't it? Now let's go back to the issues with OpenID raised by Tim Bray.

The first thing to do is to make sure we all have the same general understanding of how OpenID works. It's basically the same model as Microsoft Passport/Windows Live ID, Google Account Authentication for Web-Based Applications and Yahoo! Browser Based Authentication. A website redirects you to your identity provider, you authenticate yourself (i.e. login) on your identity provider's site and then are redirected back to the referring site along with your authentication ticket. The ticket contains some information about you that can be used to uniquely identify you as well as some user data that may be of interest to the referring site (e.g. username). Now that we have a high level understanding of how it all works, we can talk about Tim Bray's criticisms.

TLS/SSL
On the surface it makes sense that identity providers should use SSL when you login to your account after being redirected there by a service that supports OpenID. However, as papers like TrustBar: Protecting (even Naïve) Web Users from Spoofing and Phishing Attacks point out, SSL/TLS does little to prevent the real security problems on the Web today, namely Web page spoofing (i.e. phishing) and the large amount of malware on user PCs, which could be running key loggers. This isn't to say that using SSL/TLS isn't important, just that it's like putting bars on your windows and leaving the front door open. Thus I can understand why it isn't currently required that identity providers support SSL/TLS. However a little security is better than no security at all.

What Does It Mean?
I agree with Tim Bray that since OpenID is completely decentralized, websites that support it will likely end up creating whitelists of sites they want to talk to; otherwise they risk their systems being polluted by malicious or inconsiderate OpenID providers. See Tim Bray's example of creating http://www.tbray.org/silly-id/ which, when queried about any OpenID beginning with that URI, instantly provides a positive response without authenticating the user. This allows multiple people to claim http://www.tbray.org/silly-id/BillGates for example. Although this may be valid if one was creating the OpenID version of BugMeNot, it is mostly a nuisance to service providers that want to accept OpenID.

Phishing
Using susceptibility to phishing as an argument not to use OpenID seems like shutting the barn door after the horse has already bolted. The problem is that security conscious folks don't want users getting used to the idea of providing their username and password for one service whenever prompted by another service. After all, the main lesson we've been trying to teach users about preventing phishing is to only enter their username and password to their primary sites when they type them in themselves, not when they follow links. OpenID runs counter to this teaching. However the problem with that teaching is that users are already used to doing this several times a day. Here are three situations from this morning where I've been asked to enter my username and password from one site on another:

  1. Connected Desktop Apps: Google Toolbar prompts me for my Gmail username and password when I try to view my bookmarks. The goal of the Google Account Authentication is to create a world where random apps asking me for my Gmail username and password by redirecting me to the Google login page is commonplace. The same goes for the various Flickr uploader tools and Yahoo! Browser Based Authentication.
  2. Importing Contacts: On Facebook, there is an option to import contacts from Yahoo! Mail, Hotmail, AOL and Gmail which requires me to enter my username and password from these services into their site. Every time I login to Yahoo! Mail there is a notice that asks me to import my contacts from other email services which requires me to give them my credentials from these services as well.
  3. Single Sign-On: Whenever I go to the Expedia sign-in page I'm given the option of signing in with my .NET Passport, which happens to be the same username and password I use for all Windows Live and MSN services as well as a company health site that has information about any medical conditions I may have.

Given the proliferation of this technique in various contexts on the Web today, it seems partisan to single out OpenID as having problems with phishing. If anything, THE WEB has a problem with phishing which needs to be solved by the browser vendors and the W3C who got us in this mess in the first place.

Attribute Exchange
This usually goes hand in hand with any sort of decentralized/federated identity play. So let's say I can now use my Windows Live ID to login to Flickr. What information should Flickr be able to find out about me from talking to Windows Live besides my username? Should I be able to control that or should it be something that Flickr and Windows Live agree on as part of their policies? How is the user educated that the information they entered in one context (i.e. in Windows Live) may be used in a totally different context on another site? As Tim Bray mentioned in his post, this is less of a technology issue and more a policy thing that will likely differ for enterprises versus "Web 2.0" sites. That said, I'm glad to see that Dick Hardt of Sxip Identity has submitted a proposal for OpenID Attribute Exchange 1.0 which should handle the technology aspect of the problem.

Disclaimer: This is not an endorsement of OpenID by Microsoft or an indication of the future direction of authentication and authorization in Windows Live. This is me brainstorming some ideas in my blog and seeing whether the smart folks in my reader base think these ideas make sense or not. 


Categories: Web Development

March 13, 2007
@ 04:33 PM

One of the links referenced in my recent posting about Wikipedia led me to reread the Wikipedia entry for "Dare Obasanjo". It seems there is still an outstanding issue with my entry according to folks on the Talk page because there isn't a non-blog source (i.e. mainstream media) that verifies that my dad is Olusegun Obasanjo.

For some reason it irritates me that I have a Wikipedia entry with a giant banner that claims I'm lying about my parenthood. Given that I'll be back home in a few weeks to belatedly celebrate my dad's seventieth birthday, I wonder if any Wikipedia savvy folks can point out what kind of "evidence" usually satisfies the bureaucrats on that site. Will a photograph of us together do the trick (if so I already have a few at home I can scan and upload to Flickr)? Will it have to be a photograph printed in a newspaper? Or is the only way that banner comes off if there is a Nigerian newspaper webpage on the Internet that says he's my dad?

I need to see what strings I have to pull to get my name cleared.


Categories: Personal

March 11, 2007
@ 02:14 PM

Yesterday I went shopping and every store had reminders that daylight saving time begins today. Every year before "springing forward" or "falling back" I always double check the current time at time.gov and the US Naval Observatory Master Clock Time. However neither clock has sprung forward. Now I'm not sure who I can trust to tell me the right time. :(

Update: Looks like I spoke too soon. It seems most of the clocks in the house actually figured out that today was the day to "spring forward" and I had the wrong time. :)


Categories: Technology

Every once in a while someone asks me about software companies to work for in the Seattle area that aren't Microsoft, Amazon or Google. This is the third in a series of weekly posts about startups in the Seattle area that I often mention to people when they ask me this question.

AgileDelta builds XML platforms for mobile devices that are optimized for low power, low bandwidth devices. They have two main products: Efficient XML and Mobile Information Client. I'm more familiar with Efficient XML since it has been selected as the basis for the W3C's binary XML format and has been a linchpin for a lot of the debate around binary XML. The Efficient XML product is basically a codec which allows you to create and consume XML in their [soon to be formerly] proprietary binary format that makes it more efficient for use in mobile device scenarios. A quick look at their current customer list indicates that their customer base is mostly military and/or defence contractors. I hadn't realized how popular XML was in military circles.

AgileDelta was founded by John Schneider and Rich Rollman who are formerly of Crossgain, a company founded by Adam Bosworth which was acquired by BEA. Before that Rich Rollman was at Microsoft and he was one of the key folks behind MSXML and SQLXML. Another familiar XML geek who works there is Derek Denny-Brown who spent over half a decade working as a key developer on the XML parsers at Microsoft.

Press: AgileDelta in PR Newswire

Location: Bellevue, WA

Jobs: careers@agiledelta.com, current open positions are for a Software Engineer, Sales Professional, Technical Writer and Quality Assurance Engineer.


March 10, 2007
@ 03:25 AM

Today I was taking a look at my referer logs and stumbled upon a post entitled TechCrunch Resolution on Wikipedia by Jonathan Stokes which contains the following anecdote

A Brief History

The edit war was prompted by the now famous scandal in which Microsoft paid a Wikipedian to favorably edit Microsoft articles on Wikipedia. Michael Arrington of TechCrunch covered the Microsoft story in a post that was largely sympathetic.

Perceiving unfairness in the issue, Microsoft employee Dare Obasanjo, aka Carnage4Life, retaliated against TechCrunch by adding an extensive criticism section to Wikipedia’s TechCrunch article. He then wrote about his “experiment” on his blog, 25HoursaDay.com.

Ensuing Uproar

Michael Arrington was not happy to be slandered by a Microsoft employee, in response to Microsoft coverage. Obasanjo expressed surprise at Arrington’s response, but did not apologize. I blogged this chapter of the Microsoft controversy.

Judging from his blog comments, Dare does not seem to have a high respect for Wikipedia. He has previously violated Wikipedia rules by anonymously writing his own Dare Obasanjo article on Wikipedia. Humorously, it appears to include inside jokes with other Microsoft employees, such as:

Dare has lunch once a month with Don Box to rinse the SOAP off of Don while Don simultaneously attempts to lather up Dare.

Edit War

With traffic pouring into Wikipedia through TechCrunch and Digg, an all-out edit war ensued between long-time Wikipedians and anonymous vandals. The vandals began attacking the userpages of Wikipedians trying to protect the TechCrunch article. It finally escalated to a point where this anti-TechCrunch user was banned for repeatedly blocking out user pages with disturbing death threats.

Resolution

Wikidemo came to the rescue by establishing a Wikipedia Mediation. She invited all editors involved to the discussion, even going so far as to invite me on this blog, and Dare Obasanjo on his blog.

Anthony cfc handled the mediation. Notably, none of the controversial IP’s showed up to state their case. With help from Anthony cfc and Computerjoe, we have now restored the Wikipedia TechCrunch article, and hopefully made a few minor improvements as well.

and

In the process, I earned my first Wikipedia Barnstar for Civility from Anthony cfc. Kind of neat to see Wikipedia in action.

Some days the Daily Show just writes itself. I'm crapping myself in amusement at how seriously these people take this nonsense. I am especially amused by all the bits in red font since they are either borderline libel or just straight up hilarious. And I thought Mike Arrington emailing folks at Microsoft trying to get me in trouble after I apologized on his blog was the most absurd turn this story would take.

It's like Nick Carr wrote in his post Essjay's world, Wikipedia seems to be full of the kind of people who used to play Dungeons & Dragons back in the day and now have difficulty separating the real world from the fantasy world they've created in their heads.


Categories: Personal

March 8, 2007
@ 12:56 PM

My website is going to be down for a few days as I make some changes. While I'm gone you can check out some of these blogs instead

I'll see y'all this weekend.


Categories: Personal

It seems just like yesterday when the tech blogosphere was abuzz with news that analyst Michael Gartenberg was leaving Jupiter Research for Microsoft. So you can imagine my surprise to fire up his blog today to find the post And Back to Analyst… where he writes

This is a difficult post to write. But after much thought, I have decided not to remain with Microsoft and I am returning to JupiterResearch as of Monday 3/12.

At my core, I am an analyst. It’s what I do and I do it well and after much thought, I realize I’m just not ready to stop doing that job just yet. I believe Jupiter itself is poised for some amazing things in the future and I’ve invested too much in the company to feel good about walking away at this point. Therefore I have decided to return and I am pleased that I have been welcomed back. My thanks to everyone I have worked with at Microsoft.

Wow, that was quick.


Categories: Life in the B0rg Cube

March 7, 2007
@ 06:47 PM

Marvel comics has been ticking me off for a few months now with their mediocre Avengers Disassembled, House of M and Civil War trilogy but it looks like they finally found a way to push me over the edge. According to MSNBC in Death to ‘America’: Comic-book hero killed off

Captain America has undertaken his last mission — at least for now. The venerable superhero is killed in the issue of his namesake comic that hit stands Wednesday, the Daily News reported.

On the new edition's pages, a sniper shoots down the shield-wielding hero as he leaves a courthouse, according to the newspaper.
...
In the comic-book universe, death is not always final. But even if Captain America turns out to have met his end in print, he may not disappear entirely: Marvel has said it is developing a Captain America movie.

This reminds me of a headline from the 1990s, Superman killed by falling comic book sales, when DC Comics tried a similar stunt back in the day. The overuse of crossover stories and superhero shockers (like radical changes to a character's history or killing them off) seems to be a symptom of the death of comic books as an entertainment genre. I buy comics from a local comic book store on a monthly basis and I don't think I've ever seen anyone under the age of 25 in the five and a half years that I've been using that store. Well, there was the one time that one of the guys who worked there brought his grandson into work.

Even though super hero movies featuring A-list and B-list superheroes from Spider-Man to Ghost Rider are making hundreds of millions of dollars at the box office, they are pretty much milking a fan base that grew up with these heroes instead of introducing these characters to a new audience. This is similar to the way that George Lucas milked a fan base that grew up on Star Wars with his series of horrific prequels although in his case I suspect that there probably is a market for Star Wars pre-prequels in another 20 years.

Without a continuous influx of fans who are interested in the source material (i.e. comic books), there won't be a next generation of fans to buy all the overpriced merchandising and special effects laden movies. However I doubt that stunts like this are a good way to get people reading the comic books again, even though it did work when they killed Superman...I was one of the suckers who bought all the books. :)

Although Cap is dead, his memory will live on...on YouTube.


Categories: Comics

March 6, 2007
@ 03:33 PM

The hottest story on Planet Intertwingly today is Rob Yates' blog post entitled Safe JSON which goes over a number of security issues one can face when exposing services using JSON. He goes on to describe the following approaches:

Approach 1 - Plain JSON: Simply return JSON

Approach 2 - var assignment: Assign the JSON object to some variable that can then be accessed by the embedding application (not an approach used by Yahoo).

Approach 3 - function callback: When calling the JSON Web Service pass as a parameter a callback function. The resulting JSON response passes the JSON object as a parameter to this callback function.

There are a number of good responses in the comments. The only thing I wanted to point out is that only Approach 1 can really be called using JSON. The other two are "accepting arbitrary code from a third party and executing it" which is such a ridiculously bad idea that we really need to stop talking about it in civilized company. It seems silly to point out specific security or privacy issues with using that approach when the entire concept of building Web services in that manner is fundamentally insecure and downright dangerous.
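The distinction drawn above, data versus code, is easy to enforce on the client side. The following is an added example, not code from Rob Yates' post or from this blog: a consumer that accepts a service response only when it has the shape of Approach 1 and parses it as data, and refuses the Approach 2 and Approach 3 shapes rather than evaluating them. The sample responses, the content types and the regular expressions used to recognise the three shapes are constructed for illustration.

```javascript
// Added example: consume a JSON service response as data, never as script.
// The three shapes correspond to the approaches in Rob Yates' post; the
// detection patterns and sample inputs are constructed for this illustration.

// Shapes that can only be consumed by executing the response as JavaScript.
const VAR_ASSIGNMENT = /^\s*var\s+[\w$]+\s*=/;   // Approach 2: var data = {...};
const FUNCTION_CALLBACK = /^\s*[\w$.]+\s*\(/;    // Approach 3: callback({...});

// Classify a response body and parse it only if it is plain JSON.
// Returns { approach, data, reason }; data is null whenever the body is refused.
function parseServiceResponse(body, contentType) {
  if (VAR_ASSIGNMENT.test(body)) {
    return { approach: 2, data: null, reason: "var assignment: consuming it means executing it" };
  }
  if (FUNCTION_CALLBACK.test(body)) {
    return { approach: 3, data: null, reason: "function callback: consuming it means executing it" };
  }
  // Approach 1. A JSON service should label its output as JSON; a script
  // content type on a JSON body is a mismatch worth refusing and logging.
  const mediaType = String(contentType || "").split(";")[0].trim().toLowerCase();
  if (mediaType !== "application/json") {
    return { approach: 1, data: null, reason: `unexpected content type ${mediaType || "(none)"}` };
  }
  // JSON.parse never runs code: anything that is not a JSON literal is a
  // syntax error, so a body that reaches here is either data or rejected.
  try {
    return { approach: 1, data: JSON.parse(body), reason: null };
  } catch (err) {
    return { approach: 1, data: null, reason: `malformed JSON: ${err.message}` };
  }
}

// Constructed responses in each of the three shapes.
const SAMPLE_RESPONSES = [
  { body: '{"user":"dare","posts":3}', contentType: "application/json; charset=utf-8" },
  { body: 'var result = {"user":"dare","posts":3};', contentType: "text/javascript" },
  { body: 'handleData({"user":"dare","posts":3});', contentType: "text/javascript" },
];

// Convenience for running all three through the parser.
function classifyAll(responses = SAMPLE_RESPONSES) {
  return responses.map((r) => parseServiceResponse(r.body, r.contentType));
}
```

Only the first sample yields data; the other two are recognised by shape and refused before anything is parsed, which is the whole of Dare's point: a response you have to execute in order to read is a script from a third party, whatever its content type says.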

PS: It looks like Rob Sayre beat me to saying this. :)


Categories: Web Development

March 6, 2007
@ 03:11 PM

I've been thinking about AJAX a lot recently. Between reviewing a book on the subject, reading some of the comments coming out of the Adobe Engage event and chatting with some coworkers at dinner about WPF/E I've had a lot of food for thought.

I'll start with an excerpt from Ted Leung's post entitled Adobe wants to be the Microsoft of the Web

The problem as I see it
I think that a lot (but not all) apps will become RIA’s, and the base platform technology for RIA’s is very important. Too important to be controlled, or designed by any single party. The current vogue toolchain, AJAX, has this property. It also has the property of being a cross platform development nightmare. On the desktop, you commit yourself to a single cross platform library/technology, and then you spend the rest of your time wrestling with it. In AJAX, you have multiple browsers on each platform that you want to support. Not only that, you have multiple versions of each browser.
...
Flash/Flex
Enter Flash/Flex. Flash has a great cross platform story. One runtime, any platform. Penetration of the Flash Player is basically the same as penetration of browsers capable of supporting big AJAX apps. There are nice development tools. This is highly appealing.

What is not appealing is going back to a technology which is single sourced and controlled by a single vendor. If web applications liberated us from the domination of a single company on the desktop, why would we be eager to be dominated by a different company on the web?

Most people who've done significant AJAX development will admit that the development story is a mess. I personally don't mind the JavaScript language but I'm appalled that the most state of the art development process I've found is to use Emacs to edit my code, Firebug to debug in Firefox and attaching Visual Studio to the Internet Explorer process to debug in IE. This seems like a joke when compared to developing Java apps in Eclipse or .NET applications in Visual Studio. Given how hypercompetitive the "Web 2.0" world is, I doubt that this state of affairs will last much longer. There is too much pressure on Web companies to improve their productivity and stand out in a world full of derivative YouTube/MySpace/Flickr knock offs. If one company finds a way to be more productive and/or build richer Web applications the rest of the industry will follow. This is pretty much what happened with Google and AJAX as well as with YouTube and Flash Video. Once those companies showed how much value they were getting from technologies which were once passé, everyone jumped on the bandwagon. This means that it is inevitable that Rich Internet Applications will eventually be built on a platform that provides a better development experience than AJAX does today. The only questions are how quickly this will happen and which technology will replace AJAX.

Ted Leung mentions two contenders for the throne: Flash/Flex and OpenLaszlo. I'll add a third entry to that list, Windows Presentation Foundation/Everywhere (WPF/E). Before discussing what it will take for one of these contenders to displace AJAX, I should point out that being "open" has nothing to do with it. Openness is not a recipe for success when it comes to development platforms. According to TIOBE, Java is the most popular programming language today and it was a proprietary language tightly controlled by Sun Microsystems. Before that, it was commonly stated that Visual Basic was the most popular programming language and it was a proprietary language controlled by Microsoft. I believe these count as existence proofs that a popular development platform can rise to the top while being controlled by a single vendor.

So what will it take for an RIA platform to displace the popularity of AJAX besides being able to build richer user interfaces?

  1. Ubiquity: Over 95% of Web users are using an AJAX capable browser. Any replacement for AJAX must have similar penetration or it's dead in the water. No one wants to turn away customers, especially when its competitors aren't doing anything that stupid.

  2. Debug Once, Run Anywhere: The biggest problem with AJAX is that it isn't a single development platform. Being able to write an application and debug it once instead of having a different debugging and runtime experience for Internet Explorer, Firefox and Safari is the killer productivity enhancer. Of course, there will always be differences between environments but if we can move to a world where RIA development is more like cross-platform Java development as opposed to cross-platform C++ development (yes, I know that's an oxymoron) then we all win.

  3. Continuum of Development Tools: I don't need expensive development tools to become an AJAX developer; however, if I feel that I need heavy duty tooling I can buy Visual Studio 2005 and then download ASP.NET AJAX to get a fancy integrated development environment. Any platform that expects to replace AJAX needs to have a continuum with high quality, free & Open Source tools on one end and expensive, proprietary and "rich" tools at the other. The Java world, with its culture of Open Source tools like Eclipse, JBoss and Hibernate coexisting with overpriced tools from big vendors like IBM WebSphere and BEA WebLogic, is the best example of this to date. That way the hackers are happy and the suits are happy as well.

So far Adobe seems closer than anyone to getting the trifecta. In a year or two, things might look different.


Categories: Web Development