Tag: OpenID

JanRain helps the other side of the OpenID (and OAuth) equation

JanRain RPXIt’s no secret that I fancy Portland the hub of OpenID development. And it’s days like today that I actually sound like I know about that which I am blabbering.

You see, today Portland-based JanRain, one of the old guard in terms of OpenID, unveiled a new service that has the potential to increase OpenID adoption.

How? By focusing not on those people holding an OpenID, but on those who want to allow people to use that OpenID—but simply can’t figure out how.

With this new software-as-a-service solution (that’s a lot of “s”s, isn’t it?), RPX, JanRain has the makings of a service that allows anyone to drop OpenID support—and OAuth support for that matter—into place on their site. Simply and easily.

With RPX you don’t need to become a security expert, a protocol expert, or play through a number of security and data flow problems, RPX handles all of this for you and delivers a simple payload in either JSON or XML.

In my mind, JanRain’s solution has a great deal in common with Will Norris’ brilliant OpenID plugin for WordPress, wp-openid. But for a much larger audience.

With RPX, JanRain has the opportunity to take that same kind of plug-and-play OpenID login concept to the larger Web—beyond blogs—to the companies who could greatly benefit from the technology.

And that’s very cool.

It’s also cool that they could be making some money off of subscription fees to deliver that service.

As an aside, I’m also happy to report that JanRain gains the distinction of being the first Portland company that I got to cover for ReadWriteWeb. And I can’t tell you how great it is to share the amazing tech scene here in Portland on that larger stage.

Well and speaking of that larger stage, JanRain also garnered coverage on a little tech blog of which you may have heard, TechCrunch.

Dare I say “YAY Portland!”? Indeed I do.

Still hungry for more OpenID news? Fear not, gentle reader. A little bird tells me that they’ll be some more cool OpenID stuff being released here in Portland within the next week or so.

Just you wait.

JanRain OpenID could be the key to your health (vault)

myOpenIDIn June, that little software company to the north of us, Microsoft, made news by allowing OpenID logins to its Microsoft Health Vault product.

Problem was—as TechCrunch noted—only two OpenID relying parties were allowed to play:

Over 16 months after first declaring its support for the OpenID authentication platform, Microsoft has finally implemented it for the first time, allowing for OpenID logins on its Health Vault medical site. Unfortunately, Health Vault will only support authentication from two OpenID providers: Trustbearer and Verisign. Whatever happened to the Open in OpenID?

But now, Microsoft has decided to increase the number of relying parties by 50%. To three.

So who was the lucky relying party who made it through the door? Portland-based JanRain‘s myOpenID.

A number of folks—me among them—are surprised it’s taken Microsoft this long to add another relying party. And it seems like the list is still missing a few other obvious and highly secure choices.

But myOpenID is a great place to start:

JanRain’s myOpenID service, the first and most popular independent OpenID service on the Internet, provides consumers with a free, fully featured, reliable, and secure solution for managing their personal online identity. Every myOpenID user receives several choices for secure authentication beyond password. These enhanced security options include: Microsoft InfoCard, Client Certificate, or Phone-based two factor authentication.

For more information on the personal health record service, visit Microsoft Health Vault. For more on JanRain and its OpenID solutions, visit JanRain or myOpenID.

Like WordPress and OpenID? wp-openid 3.0 to launch at Demolicious

I’m always saying that—with companies like Vidoop and JanRain here in town—Portland is the de facto hub for the world of OpenID.

And clearly after last weekend, we’ve got a lot of love for the WordPress platform, as well.

So where better to launch the latest version of the leading OpenID plugin for WordPress—wp-openid—than Portland?

wp-openid launch

Will Norris, the lead developer of the wp-openid plugin, happens to be in town this week. And, as such, he has just announced that he will be launching wp-openid 3.0 this Wednesday at Portland Web InnovatorsDemolicious!“, the new hip spot to unveil cool new tools here in town.

What does wp-openid do?

This plugin allows verified OpenIDs to be linked to existing user accounts for use as an alternative means of authentication. Additionally, commenters may use their OpenID to assure their identity as the author of the comment and provide a framework for future OpenID-based services (reputation and trust, for example).

So, if you’re a WordPress type who’s been using OpenID or who is interested in deploying OpenID on your blog, make sure to attend Demolicious! on Wednesday night at NEMO Design. Even if you’re just OpenID curious, I’d highly encourage you to attend.

Plus, as always, there will be some other cool stuff being demoed there, as well.

For more information on the event or to RSVP, visit Portland Web Innovators Demolicious! on Upcoming. For more information on the current version of the plugin, see wp-openid in the WordPress plugins directory.

The Beauty of EAUT (Email Address to URL Translation)

OpenID, as a concept, holds great promise. And Portland—with OpenID proponents like Vidoop and JanRain—is home to some of the most promising thought in the application of that concept.

But the URL thing still trips folks up.

And that’s a known issue. Not everyone wants to use a URL to identify themselves. An email address makes more sense to some folks.

But there’s a problem. An email address isn’t exactly an “endpoint.” And there’s no way to hang other stuff off of an email address, like identity information or helpful code like XFN.

Still, from a usability standpoint, “using my email address to login” is about as common a practice as any on the Web.

So there needs to be a translation. Something that lets people use the credential they want, but allows folks to have the endpoint credential they need.

Roughly a month ago, Portland-based Vidoop released something designed to solve this problem: Emailtoid, a service that allowed folks to use an email address as their OpenID.

I thought Emailtoid showed a great deal of promise. But apparently, it wasn’t good enough.

Now, Vidoop’s Will Norris and Michael Richardson have helped take the concept of Emailtoid a step further by working on the development of a new spec. It’s a spec that may simplify the issue even further.

Introducing EAUT—pronounced “yute“—a distributed email address to URL translation that allows anyone to take the conversion from email address to OpenID URL and hide it behind the scenes of the transaction. With just a little bit of code.

Or, to let Vidoop explain EAUT more clearly:

In basic terms EAUT makes it easy to take an email address and transform it into an URL, making your email work with services like OpenID. The goal with Emailtoid is to demonstrate the technology and provide a fallback solution for a larger, decentralized network based on the EAUT specification.

What’s more, it’s decentralized. Meaning any email address—any email address—now holds the potential to become an OpenID:

EAUT is designed to work in a distributed fashion, so that no one authority controls it. Every email provider can control how email addresses at their domain are resolved into URLs.

So, now that bright and shiny new Emailtoid—instead of leading the charge—becomes the fallback service should this validation fail. According to plan.

Hopefully, the release of the EAUT spec continues to chip away at the barriers that are preventing major providers—providers that serve as relying parties but don’t allow users to login via OpenID—to move into the realm of becoming full-fledged OpenID supporters.

And in so doing, here’s hoping that EAUT helps accelerate the adoption of OpenID, a concept that today may only save headaches for a handful of geeks with innumerable logins, but which may one day serve as an open foundation for credentials and security on the open Web of the future.

Combining the power of OpenID with the ease of email addresses. And making it open and distributed.

This could be a thing of beauty.

To test drive it, try out the EAUT examples. For more information on the spec, see the Vidoop post or the EAUT site.

OSCON 2008: Sourceforge offers free Open Source tattoos

Open Source tattoosInterested in placing a penguin on your posterior? Or maybe the Debian swirl? Or the Ubuntu circle thingee? Or maybe—just maybe—putting your OpenID somewhere you’re sure to never, ever forget it?

Well, next week at OSCON here in Portland, you may be able to make that dream come true. Because it seems that the nice—or is that sadistic?—folks at Sourceforge are offering to ink you up with your favorite open source icon—for free.

That’s right. Ten lucky winners will get the opportunity to go under the needle to make their ass officially open source. Well, or their arm or leg or what have you:

We are looking for people that are willing to sign up for a tattoo and show it off at the CCA party later on in the week. Only requirements – participants have to be able to meet with Ross Turk, Sourceforge’s Community Manager, at the beginning of the week to get the gift certificate, they have to sign a couple waivers (one for the tattoo parlor and one for Sourceforge), the tattoo has to be open source themed or techy in nature, and they have to show up at the CCA party Thursday night.

I’m not sure exactly which tattoo studio is going to be doing the work, but given that it’s going to be one near the Jupiter Hotel, I’m going to assume that it’s Colorbomb Tattoo with the drawing honors.

Is your interest piqued? You willing to take the pain all for love of open source? Maybe you should contact Ross at Sourceforge and let him know: rturk at corp.sourceforge.com.

And please, oh please, if you’re crazy enough to do this—and (and!) you happen to get picked—do let me know.

What’s that? Tats not your pot of ink? That’s okay, kiddo. There are still plenty of cool things to do in Portland while you’re at OSCON.

Photo credit vonguard used under Creative Commons

Vidoop ImageShield + AOL OpenID = 100 million+ potential Vidoop users

Portland-based Vidoop‘s ImageShield technology has been purported to be one of the most unhackable credential schemes on the market. It’s been tested, time and time again.

But today, the real testing begins.

Why? Because today a little online-service provider named AOL just released Vidoop ImageShield technology to each and every one of its users—each of whom have an AOL-based OpenID.

AOL OpenID featuring Vidoop Image Shield

Now, it’s no secret that this has been in the works. AOL has been forthright about the fact that it has been testing the technology. But it’s been a private BETA:

At AOL we had a chance to try out their ‘ImageShield’ technology since last few months. What we did is basically provide our AOL OpenID users (AOL users using their openid.aol.com/) with a way to secure their accounts by binding an ‘ImageShield’ password, so from next time when they try to login with their AOL OpenID at a 3rd party Relying Party site, instead of the traditional ‘password’, they can login securely using the ‘ImageShield’. In that way they can make sure they are always signing in from the secure AOL login page and also make sure they are not giving away their ‘real’ password to any possible attackers. This has been deployed on our closed beta environment as a trial run to see how our beta OpenID users would feel about the overall user experience and of course the security of their accounts.

Not anymore. Now, as the screenshot above illustrates, Vidoop’s technology is accessible to the public.

I hear you. “So what?” Well, the “so what” is this…

For OpenID logins, Vidoop’s ImageShield technology has generally been available to users of myVidoop. And that’s been about it.

And as much as I respect the Vidoop team and their accomplishments, I feel pretty safe saying that the myVidoop user base is slightly less than the AOL user base. Just a smidge.

But now? Now there is no difference.

Now, the Vidoop ImageShield user base is the AOL user base. Because Vidoop ImageShield is accessible to more than 100 million AOL users.

And, if I had to guess, I would say that that potential—the potential to have more than 100 million people using Vidoop technology to log in to OpenID-enabled sites—would make Vidoop ImageShield about the widest deployment of OpenID-based authentication technology on the market.

And that, my friend, is a big win for Vidoop. And for OpenID.

For more information on Vidoop ImageShield, visit Vidoop. For more on AOL and OpenID, visit OpenID Central on the AOL Developer Network.

(And, as always, please feel free to use your myVidoop, AOL, MyOpenID, or other relying party OpenID to comment.)

[Update July 11, 2008] TechCrunch has picked up the Vidoop ImageShield and AOL OpenID story, meaning it might get slightly more pick up now. Great to see Vidoop getting this recognition on a much, much larger stage.

Email to ID: My OpenID is an email address

Email to ID from VidoopOh boy. He’s on that OpenID soapbox again.

Look. You’re in Portland. Arguably the de facto hub of OpenID. So it happens. The OpenID soapbox is literally right here. I can jump on it at practically any time.

So yes, I’m talking about OpenID, again.

But this time, I think even the staunchest critics will find the discussion interesting. Because it solves a very common complaint.

You see, once you get past initial objections surrounding OpenID and the “we should push the value, not the technology” discussion—once you get into actually trying to convince people to use OpenID as a form of credential for online services—one criticism tends to pop up time and time again…

Why is OpenID a url? Why can’t OpenID be an email address?

Why does this complaint come up so much? Because email passes the “mom ‘n’ pop” test. As in mom ‘n’ pop are growing increasingly comfortable with the idea of having an email address. They “get it.” And they’re far more comfortable managing that type of address than they are managing a url.

Long story short, email seems easier to grasp.

And we’ve been so conditioned to plug an email address into the “username” box, that it’s almost becoming second nature.

So the conversation always, always, always comes around to “What if logging in with OpenID were as easy as logging in using your email address?

If only! If only someone, somewhere could put some of the leading minds together with some brilliant developers and get this thing figured out. I mean, maybe like Chris Messina and Will Norris. Maybe get Scott Kveton and Scott Blomquist in there. And that Michael Richardson is a pretty sharp developer.

I mean, if someone could manage to put a team like that together… I’m sorry. What? Really? Really? Vidoop? They all work for Vidoop? Oh. Well. That would probably explain this then….

Enter Email to ID, a new service from the folks at Portland-based Vidoop. (And yes, this is the thing they’ll be demoing at Beer and Blog this evening.)

How does Email to ID work?

The concept is simple. And congruent with current OpenID logins.

One box. One credential to enter. The basic difference being that you’re using an email address instead of url.

So how do you validate that you are who you say you are? Well, there are a couple of ways.

If you don’t have know that you already have an OpenID, you can just use your email address and Email to ID will create an OpenID association for you.

The first time you sign into a new site, Email to ID will send a validation code to that email account. (Much in the same way CAN-SPAM encourages people to confirm their membership on email lists.) Using the code, you can validate that the email address is, in fact, yours and that you are who you say you are.

If you’re already a typical OpenID user, you can associate your existing OpenID(s) and relying parties with an email address. This allows you to use the inherent security features of your relying party instead of having to check your inbox every time you want log into a new site.

Technically, what’s Email to ID doing?

Okay. I can see you geekily salivating over there. But I’m not going to try to explain it. Instead, I’ll let the people doing the work explain that:

Emailtoid is a simply a mapping service – we take a GET request to our mapper ( eg, http://emailtoid.net/mapper?email=jane@example.com ) and return an HTTP redirect (a 302) to an OpenID. If the email address is not in our system, we create an OpenID account for the user on the fly. The user logs into the OpenID account by verifying his or her email address through a one time URL or confirmation code sent to that email address. The RP (relying party, the site that originally sent the request) then has the user returned to it.

Get it? Good. Explain it to me sometime.

All I care about is that it works. And it does. Quite gracefully. And that is technology as it should be.

So is OpenID “mainstream” now?

I don’t know that making OpenID mainstream should even be a goal. But I do know that making services and technologies more useful to the general populous should.

“Basically, OpenID is great, it’s a wonderful technology, but it can be a bit confusing to the end users,” said Richardson, lead developer for Email to ID. “Users are already trained to use email as an identifier, so this bridges the gap between email and OpenID.

“Ideally, this service will go away as all top level domains will implement their own mapping. But until that time, we provide a way for sites to have people to use OpenID through their email address. The barrier of entry into OpenID is significantly lower.”

Conceptually, this service marks a huge step forward for “bending the OpenID technology to the needs of the common user.” And as such, it could definitely be one avenue for introducing a new way of logging-in to a wider group of people.

But, whether the term or concept “OpenID” needs to travel along with that form of credentialing is still a matter of debate.

To paraphrase something that Kveton, who in addition to efforts at Vidoop happens to chair of the OpenID Foundation, often says, “My mom doesn’t says she’s going to go establish an SMTP connection. She says she’s going to go check her email.” Or to put it another way, “Sell the sizzle, not the steak—or Gardenburger, as the case may be.”

Make no mistake, this is progress for OpenID and its potential. And progress very much in the right direction for a very fledgling technology with a number of benefits.

I, for one, feel that—with Email to ID—one of the major gripes against OpenID is now a thing of the past.

And that means, it’s time to attack the next one. What’s next?

For more information or to set up your own email-based OpenID, visit Email to ID. Interested in implementing this service? See the Email to ID developers area and follow Email to ID on Get Satisfaction. Of course, if you’re lucky enough to be in Portland, today, swing on by Beer and Blog to talk to Email to ID developer Michael Richardson about this new service.

CallVerifID: Hi, it’s your OpenID account calling

CallVerifIDPortland-based JanRain, arguably the leading developer for OpenID solutions, is on a roll. It seems like they just released ID Selector, and now they’ve come forward with another OpenID solution: CallVerfID.

CallVerfID allows OpenID users who login with an *.myopenid.com identity to take an extra security precaution with their login: getting a phone call.

And here’s the best part: it’s on any phone. Well, okay, any phone with buttons.

Instantly receive a call when signing into myOpenID. Simply answer and press # to authenticate. No certificates or text messages. Use any phone.

My point was: it’s not SMS messaging. It’s an actual phone call.

I even tried it with Skype and it worked flawlessly.

Since I’m always one to try to shoehorn an analogy into any situation, I’d say that CallVerifID is akin to your credit card company calling you when a strange charge request is made. It’s simply an added precaution to ensure that your credentials are being used by you, and only you.

So, why the added precaution? Do I really want to get called every time I post a blog comment?

No, of course not. But as OpenID begins to take hold, and more and more personal and business applications become available, this type of multi-factor authentication is going to become necessary. Because, at some point, there’s going to be some fairly sensitive information and access rights tied to that OpenID. Banking, travel, and shopping just to name a few.

JanRain’s solution is quite simple and elegant. And it’s easy to adopt, no matter what your technical expertise. I, for one, think this is a step in the right direction.

For more, visit JanRain’s myOpenID to learn about CallVerifID.

One OpenID gets you 30+ different Silicon Forest sites

Last week, after reading Aaron Hockley’s call to implement OpenID, it got me to thinking: How many sites in Portland—arguably the de facto leader in OpenID development—and the Silicon Forest have actually implemented OpenID?

Well, thanks to Kevin Fox at Vidoop/ConfIdent and a number of other folks chiming in, we were able to gather the following list of 23 30+ velvet ropes behind which your OpenID will let you.

(NOTE: The list is by no means exhaustive. So if your site is missing, please comment, and I’ll add it.)

AboutUs
“We connect businesses and websites with each other and their customers using a wiki-based resource of millions of editable pages of information.”

GreenRenter
“Find a green place to live or work. Discover green buildings in your neighborhood. Get recognized for your sustainability efforts.”

ICANNWiki
“ICANNWiki is a wiki whose goal is to create a free, valuable and ‘community’ neutral, global Internet resource containing information for all aspects of the ICANN ‘community.'”

Jyte
“Claim anything! Yes, anything. If you have something to say, then make a claim and let the community vote on it. Make claims about yourself, friends, and family. Put your stake in the ground and see where the votes go.”

Kumquat
“It’s your career. You need to take responsibility for it. That’s why we built Kumquat. To help make it easier to get the feedback you deserve. Whenever and however often you want it.”

Pibb
“Pibb combines the best features of instant messenger, chat, email, and bulletin boards.”

Portland Small Business
“PortlandSmallBusiness.com is a collaborative website, where members of the Portland small business community can go for peer advice and networking.”

Portland Web Innovators
“Portland Web Innovators is a technology-agnostic group where you can meet like-minded web people without the excuse of a networking-only event.”

Treasurelicious
“WTF is Treasurelicious? It’s a widget to show off what you treasure.”

Tweetpeek
“Using Twitter followers, Tweetpeek is designed to help anyone build a pulse-of-anything widget in a few easy steps.”

twurl
“So what is twurl designed to do? Well, at the very most basic level, twurl is a URL shortener that allows you to track clicks.”

Velog
“Velog is a simple place to log your bicycle rides and connect with others in the cycling community.”

Blogs supporting OpenID for comments

Need an OpenID?

If you haven’t had a chance to use your OpenID (it’s highly likely that you already have one) or aren’t quite sure how to get started, you might want to visit Portland’s own myVidoop or MyOpenID to get going. A few short steps and you’ll have access to all of the sites above.

Just like that.

OpenID: Aaron Hockley takes a stand and you benefit

Vancouver’s Aaron Hockley is fed up.

I’m going to take a bit of a stand. Effective immediately, I will no longer comment on tech blogs that don’t support OpenID for comment authentication.

And I, for one, really respect his taking this stance. I think it’s these small, self-admittedly “mostly insignificant” kinds of actions that make things happen. The journey of 1000 miles and whatnot.

Aaron makes a strong argument for every blog pursuing its own OpenID login for comments:

OpenID is a win-win for blog comments. It’s a win for the comment author, since it means less info to type. It’s a win for the blog owner, since it means the comments have a “real” identity behind them.

I mean, if you really want to be part of the conversation, shouldn’t you make it as easy as possible for others to join in the conversation?

Of course you should. And OpenID can help you do that.

And you—as a Portlander or Silicon Forester—should be more than embracing OpenID. You should be singing its praises from the rooftops, if only to support great companies like Vidoop, ConfIdent, and JanRain who are the forefront of OpenID development.

OpenID is like the Portland Trail Blazers of technology around here. Only better. Like the ’76-’77 Blazers. That’s right. You know what I’m talking about. The plucky young upstarts who win despite all odds.

And OpenID has more than a fighting chance. But it still needs the support of each and every one of us.

But what if it’s a technical issue that’s preventing your adoption? (Like me, for instance. I wrangled my OpenID WordPress implementation for hours before Chris O’Rourke was able to pinpoint the issue and help me resolve the problem.)

Well, you don’t have that excuse anymore. Because Aaron has offered to help:

And I’ll put my time where my mouth is: I’ll help you. If you follow those links above, and can’t figure it out, or you try it and it doesn’t work. I’ll help. Send me an e-mail. I want you to have OpenID.

I’m looking forward to using my OpenID to comment on your blog the next time I swing by.

So where’s that benefit for you? Right here, tiger

In fact, how about this? Let’s round up a list of all the Silicon Forest based blogs and services that support OpenID.

If you’re one of them, use your OpenID to comment below.

I’ll work on gathering a comprehensive list for posting. And then we’ll work on promoting your blog or service for being one of the ones who’s supporting OpenID.

Just as a way—albeit minor—of saying “Thank you for using OpenID.”

%d bloggers like this: