The last video interview I did at the Next09 conference in Hamburg that I wanted to feature here on TechCrunch is the conversation I had with Mr. Captain Web 2.0 himself, open web advocate Chris Messina. Besides his involvement with Citizen Agency, the DiSo Project and Vidoop, Messina somehow finds the time to also be closely involved with the OpenID Foundation as a board member and persistent evangelist, so we talked about that a little.
As a reminder, OpenID is a decentralized, distributed single sign-on method that allows users to log onto many services with the same digital identity. That identity can be one of your current profiles on the web, in case the company you registered it with is an OpenID provider.
Most of the major players on the Internet are currently providers, including such companies as MySpace, Facebook, Yahoo, Google, Microsoft, PayPal, AOL, and many more, but very few of them have actually become a relying party as well (which would allow someone to log onto Yahoo with their AOL id, for example).
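To make the provider/relying-party distinction concrete, here is what the relying-party side has to do once a provider sends the user back with a signed OpenID 2.0 positive assertion. This is example code written for this post, not code from Messina, the OpenID Foundation or any of the providers named above; every endpoint, key, handle and nonce in it is constructed.

```python
import base64
import hashlib
import hmac

# Fields OpenID 2.0 requires an OP to sign in a positive assertion (spec section 10.1).
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}


def kv_form(params, signed_fields):
    """Key-Value Form Encoding of the signed fields: the exact bytes the OP signs."""
    return "".join(f"{name}:{params['openid.' + name]}\n" for name in signed_fields).encode()


def verify_assertion(params, mac_key, expected_return_to, seen_nonces):
    """RP-side check: HMAC-SHA256 under the association MAC key, mandatory fields signed,
    addressed to our return_to, and a response_nonce we have not accepted before."""
    if params.get("openid.mode") != "id_res":
        return False
    signed_fields = params.get("openid.signed", "").split(",")
    # claimed_id and identity must be signed whenever present, or they could be swapped.
    must_sign = REQUIRED_SIGNED | {f for f in ("claimed_id", "identity") if "openid." + f in params}
    if not must_sign.issubset(signed_fields):
        return False
    if params.get("openid.return_to") != expected_return_to:
        return False
    try:
        expected = hmac.new(mac_key, kv_form(params, signed_fields), hashlib.sha256).digest()
        given = base64.b64decode(params["openid.sig"], validate=True)
    except (KeyError, ValueError):
        return False
    if not hmac.compare_digest(expected, given):
        return False
    nonce = params["openid.response_nonce"]
    if nonce in seen_nonces:  # the same assertion presented twice is a replay
        return False
    seen_nonces.add(nonce)
    return True


# Constructed sample: a MAC key agreed during association and an OP's assertion for a
# user whose identifier lives at example-op.test (every value here is made up).
MAC_KEY = bytes(range(32))
RETURN_TO = "https://rp.example.test/openid/return"
SAMPLE_ASSERTION = {
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://example-op.test/openid",
    "openid.claimed_id": "https://example-op.test/alice",
    "openid.identity": "https://example-op.test/alice",
    "openid.return_to": RETURN_TO,
    "openid.response_nonce": "2009-05-11T10:00:00Zabc123",
    "openid.assoc_handle": "assoc-constructed-1",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
}
# The OP side of the sample: sign the listed fields so the verifier above can check them.
_SIGNED = SAMPLE_ASSERTION["openid.signed"].split(",")
SAMPLE_ASSERTION["openid.sig"] = base64.b64encode(hmac.new(MAC_KEY, kv_form(SAMPLE_ASSERTION, _SIGNED), hashlib.sha256).digest()).decode()
```

A relying party that skips the signed-field, return_to or nonce checks accepts assertions it should not, which is why the "pain" of becoming a relying party is more than adding a login button.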
About a year ago, Michael argued that companies who make a lot of noise when they become providers but don’t move (quickly enough) to also become relying parties could be exploiting the project for PR reasons and take the gain without the pain.
And truth be told, not much has changed since then, even if usage seems to be swinging upwards. Most of the big names that are OpenID issuing parties have yet to support the project by letting users actually sign in to their services with third-party digital identities. The big exception – surprisingly – is Facebook, the first big network that will truly embrace OpenID even though it has a service that competes directly with it (Facebook Connect). For more perspective on that, you should go read the guest post Facebook Connect and OpenID Relationship Status: “It’s Complicated”.
Anyway, Messina and I talked about the current state of OpenID, the love from Facebook, how he hopes the government will one day become a massive relying party, the challenges ahead and, more specifically, whether OpenID has a chance against Facebook Connect, Google Friend Connect, Twitter Connect, etc.
Very interesting interview here, although I don't fully agree with him.
JO
GMAIL IS DOWN
WHAT is going on???
techcrunch: investigate!
jj
Relax, it’s back.
G mail sucks
OpenID: a solution in search of a problem.
Anonymous commenters: men or women in search of a life
Techcrunch employees: in search of a spellchecker.
it’s TechCrunch
No, it’s Tech Crunch.
Robin Wauters: hack writer in search of cheap BJs.
What camera is that Robin?
Flip Ultra
Good video! OpenID to combine and connect the “Facebook Connect, Google Friend Connect, Twitter Connect, etc.” ’s in the world?
can open-id for govt be the catalyst for online voting?
GovernmentLocator.com – change yourself
I think the work JanRain has done with RPX helps to make OpenID much more accessible. I think OpenID will outperform login systems like Facebook Connect (good as it is) because it will encompass more people. With our comment system you can log in with the credentials from most of today’s major internet players.
There is never going to be a day when everyone has a facebook account. But already it must be unusual to find people who don’t have at least one account with those providers supported by RPX.
What a stupid idea… OpenID is a bad idea and I will do all I can to make sure it fails… I can’t wait until it gets hacked and it is shown to be a failed concept.
Enjoyed the article and video. However, “That identity can be one of your current profiles on the web, in case the company you registered it with is an OpenID provider” is not quite true.
Our company, Glynx, offers the only OpenID issuing party that enables you to use any verified online ID as an issuing ID regardless of whether the ID provider is an issuing party or not. So you can log onto websites with your GoogleID without requiring Google to be the issuer. A few notes.
* Our solution is stronger in privacy than any other existing OpenID solution. Unlike all other existing OpenID issuer solutions, Glynx does not require you to entrust private credentials to a third party, such as leaving a copy of your username and password on the issuer’s servers to check on login. Instead, with Glynx, when you log into an OpenID website, the Glynx OpenID server kicks off a secure P2P transaction that finds your device on the web and pops a message saying to you “someone claiming to be XYZ@ABC.com is seeking to log into http://www.123.com, do you give permission Yes/No?”. No private credentials left your device to make the transaction – you should try it sometime.
* Currently we are the only issuing party for this. Today all transactions must be mediated through our OpenID server (albeit end-to-end encrypted). Our intention is to open-source the code once we know it is robust and we get the time.
* This, of course, has all sorts of implications for things like financial transaction authentication, etc., but more on this in the future.
We like to think “Glynx is for Grown Ups”, by which we mean that, unlike any other identity solution available today, Glynx enables you to take control of your own identity and control how/what it is used for instead of relying on a third party to conduct transactions on your behalf.
@Malcolm: I’m curious what kind of interest and uptake you’re seeing with Glynx. I hear a lot of folks who are vocal about privacy and wanting to “own their identity”, but when it plays out in the marketplace, I see far fewer people *actually* behave according to the way that they talk.
In other words — and I’m curious about this personally — are people really looking for a solution that they are completely in charge of — or would they prefer to share some of that responsibility with a third party that can, for example, help them recover their password if they forget it, etc?
@ Chris: Of course due to our architecture we can only use indirect methods to infer an approximation of usage. For example we measure downloads from our site but for Glynx to work you don’t need to get it from us. We think we have several groups of government users for whom this is attractive but we have no direct knowledge of this. I estimate our user numbers are similar to other second tier startup identity platforms. At this stage our focus is not on consumer numbers (although that would be nice) but on having visibility with commentators in the field so they understand that it is not a requirement of the web that users lose control.
Glynx is an experiment. The truth is a few commentators are interacting with us who are interested in this line of thinking but no-one is prepared to say true privacy/control offers a superior paradigm. I would agree with you that our feedback is that “user owned identity”, “user centric identity” misses the consumer mark. Only specialists (most of whom assist web-server businesses) understand the significance of these terms.
The benefits of a benevolent Big Brother web-server business are compelling. However, as you know, the friction costs these businesses impose are immense. These costs are incurred because server-based businesses need visibility and control of their user directories to function. As a simple example, you have pointed out that the majority of identity providers generally only act as OpenID issuers. Eventually they may act as relying parties too, but in the meantime there is significant consumer inconvenience.
The point of Glynx is that you can start from the opposite premise: that users can have absolute control. We don’t restrict or observe the identities or associated information that users publish, search, associate and exchange. Ask that of any web server. What is the cost of that censorship?
The web is still very young. As the web matures, users will increasingly grow intolerant of costs imposed on them by the client-cloud architecture because the same benefits can be achieved in other ways without incurring the costs. Just like a child yearns for their first Driver’s License ID, users will want the same benefits of direct Identity exchange, with its greater freedom and flexibility (along with greater responsibility).
There is enormous untapped value in private data, particularly Identity. Glynx lets users extract that value without compromising their privacy. A good example of this is medical records. You may be aware of the very expensive UK attempts at a client-cloud electronic medical records architecture that utterly failed due to the fundamental lack of privacy inherent in client-cloud. We are only just beginning the journey to a time when the internet is no longer a novelty. At that time today’s concerns will seem insignificant and people can focus on fulfilling their potential.
Yeah, I’m with you. So… in your model, does Glynx really need to exist? If not, then in what way could the technology fail?
Furthermore, I presume that, since everything is encrypted, if I forget my keys to my account… I’m screwed? Is that also a byproduct of having the user in total control?
I guess I’m also trying to understand how this model deals with the imperfection and unreliability in human behavior. Computers are good at remembering and always doing the same thing; humans, not so much. Identity systems, therefore, I think need to be forgiving to work at scale.
The cases you bring up around health care and the need for privacy in those cases are interesting, but point to the miserable way in which healthcare is deployed today — where the model is actually the avoidance of providing caring health services! In other words, if I put, say, chronic health conditions on my homepage for the world to see — why don’t I get better care? That seems to be a flaw in the system, and should be orthogonal to the way identity systems are built.
Perhaps that’s a tangential topic, and I agree that we need solutions sooner than later, but I’m just trying to get my head around how Glynx might actually work in the real world! Thanks for humoring me.
Great interview. btw,…you can see more NEXT09 Videos here:
http://de.seven...e_9511_next_bl1
Cheers from Germany,
Caro
@Chris. Good questions…
There are three areas where privacy ultimately matters:
* Do you mind all correspondence being viewed by others (your certs are part of your identity and frankly the current way this is managed on the web is a mess)?
* How do you manage your own social graph (many contacts are given on trust so handing them all to a ‘benevolent’ third party is no solution)?
* How do you manage multiple online identities (the average net user maintains something like six distinct web personas and one can envisage this trending upwards not downwards)?
Glynx can also be a complement to the web experience of yellow pages and digests, by providing a private overlay to these services, but we don’t see this as central.
There are three challenges for our business model.
* The “value denials” above cannot be managed any other way. But a superior solution may appear for these questions (or we are not able to be compelling in our answer).
* The key question is about “trust”. Only a private interaction can be trusted to have true fidelity. Our core implementation needs to continue to be robust.
* If we stray too much into “Yellow Page” type transactions we will be challenged.
Yep – all interactions are encrypted to current strong standards (different methods for different bits). There are other ways (apart from decryption) to destroy trust and we have spent years thinking through/implementing these. New threats may emerge and we need to be vigilant to keep up on this front.
We are not worried about the lost password problem – a nice little feature to put into the product though. Of course database backup is also required. Both could be handled by a web service company (so long as they are physically and logically separated) to take care of personal “disaster recovery”.
As for human fallibility, if you have a choice between predictability and serendipity, always bank on serendipity. Part of the human condition is we are risk averse.
A question for you – does anyone else have a framework for managing user Identity with integrity (i.e. promises don’t count so mediated services are out)?