#futureofwebapps

The team at Carson Systems have a pretty quick turnaround on their podcasts; they've had full recordings of every speaker up for a few days now. I spent a bunch of time over the weekend splicing the recording of my talk together with my slides, and the result is now available at The Future of OpenID (a slidecast).

I managed to crunch it down to a 41.2 MB H.264 MPEG file; there is also a Flash video version are available on the Internet Archive.

I've posted the slides from my Future of Web Apps talk on OpenID, minus the demo videos. I'm planning to put together a video that combines the slides, demos and audio once the official podcasts have been published.

Apart from explaining what OpenID is and how it works, the key point I was trying to get across in the talk was that OpenID is a simple piece of infrastructure on which smart applications can be built - applications that may not have been possible prior to the adoption of OpenID. This is due to two important characteristics of OpenID. The first is that OpenID significantly lowers the effort needed in creating an account, to the point that people might sign up for accounts with services that they otherwise would not have used. The second is that OpenID provides a globally unique identifier that can be used to correlate information across multiple services.

Light-weight accounts

Vanilla OpenID gives almost no useful information about a user and provides no defence against spammers; for many applications it makes sense to couple OpenID logins to a one-time account creation process, requesting additional details and using e-mail verification and CAPTCHAs to deter automated scripts.

There are plenty of services for which this is not an issue. One neat use-case for OpenID is as a simple tool for extending the lifetime of session cookies, or sharing those sessions between different machines. If your site offers simple customisation features that are only of interest to the user (and hence have no value to spammers) you can use OpenID to persist their preferences. All you need is a way for a user to prove that they're still the same person they were yesterday.

Pre-approved accounts

OpenID lets you create accounts for people without e-mailing them a password, or even talking to them before you sign them up. There are lots of useful things you can do with this ability:

Let your trusted friends delete spam comments from your blog, or fix your typos.

Invite a selected group of people to contribute to your new collaborative weblog, without having to create new accounts for it or deal with yet another password.

Invite friends to view a private document or photo gallery, pre-approving their public OpenIDs as able to authenticate with your site.

Restricted SSO

Once more of the popular open-source applications start supporting OpenID, I can see it really taking off as a simple SSO standard behind the corporate firewall. Create an OpenID for everyone in your organisation of the form username.internal.example.org, then configure your internal applications (MediaWiki, phpBB, WordPress etc) to only accept OpenIDs that match that format.

Site-specific hacks

Lots of sites are setting themselves up as OpenID providers, leading to many users having multiple OpenIDs; I have OpenIDs from Vox, LiveJournal and AOL, all of which were created as a side-effect of me using those services.

I don't see this as being a problem. As a user, I can pick which is my "primary" OpenID (and use delegation so I can switch providers if I change my mind). Those other OpenIDs can still be useful though, because they let us build functionality that takes the providing site in to account. Here are a few examples:

"Log in with your LiveJournal OpenID and we'll import your LJ contacts using your FOAF file" (doxory.com does something along these lines).

"Log in with your AOL OpenID and we'll send you status updates over AIM."

"Log in with your Last.fm OpenID and we'll add events from bands you like to your calendar."

Sites that offer APIs should start thinking about how they can use OpenID as a simple vector for pushing data out to third party applications.

Social whitelists

I've talked about these previously; Tom Coates has further thoughts. By sharing whitelists we can use OpenID to build a simple trust network.

A similar concept is that of publishing groups. Jyte offers a simple API to export the members of a Jyte group. Not only does this make groups portable to other services, it also lets you build an authentication mechanism for a site that only allows members of a specific published group to log in to a service.

Decentralised social networks

The problem with social networks is that you end up with profiles scattered across multiple different sites, and friend relationships that are duplicated in multiple places. The globally unique identifier offered by OpenID offers the basis for a decentralised social network, with profiles tied together across multiple sites and relationships easily portable between services.

Just a quick update to say that I'll be speaking at the Future of Web Apps conference in London on February the 21st, talking about OpenID. I really enjoyed last year's event and feel honored to be included in such an exciting schedule.

I'm at the Carson Workshops Future of Web Apps Summit today. It's been a great set of talks, and some frantic SubEthaEdit action to capture the salient points. Here are the notes I've gathered over the course of the day (with help from various contributors; credits at the bottom of each file).

Joshua Schachter

Cal Henderson

Tom Coates

David Heinemeier Hansson

Shaun Inman

Andrew Shorten (the Adobe Flex pitch)

Ryan Carson