Securing the Blogosphere Through OpenID: Relying Parties, Unite

By Eston Bond
September 20, 2007

In my previous article about OpenID, I spent the majority of the time talking about identity providers, the services that maintain OpenID identities for you. While a necessary part of the OpenID paradigm, identity providers have become absolutely ubiquitous due to the ease of implementation (and perhaps a momentum given to OpenID from intra-blogosphere trends). At this stage of OpenID's spread throughout the social web, early adopters probably have more than one OpenID identity provider allowing them to claim their own blogs and other web properties as their internet homes. Thanks to the efforts of OpenID evangelists and companies willing to invest the minimal amount of effort to tie their login services to OpenID identity provision, the provision side of the puzzle is solved well enough at this stage in OpenID's adoption cycle.

Now that you have an OpenID, though, where is there to actually use it? A new authentication mechanism is effectively useless if you can't use your identity in many places, a situation that's doomed most private identity provision systems (known colloquially as "single sign-on services" or "universal logins") such as Microsoft's Windows Live ID (also known previously as Microsoft Passport Network) to vertical use on a specific set of partner sites. While OpenID is immune to the majority of the issues that plague closed systems such as Passport, the issue of saturation on the Web is still a large vulnerability in the service's adoption by mainstream social media users, such as social networking service members or casual, non-techie bloggers that form the majority of the userbases on LiveJournal and Wordpress.com. Even now, some two months after my last article and two years after OpenID's original release, there are roughly 5,000 OpenID relying parties, a stark contrast compared to the nearly 120 million identities currently provided. While this adoption is certainly much greater than that of the private identity predecessors of OpenID, it's still rather disappointing.

The Cost of Reliance

Of course, building relying-party status into a web application comes at a cost that's much greater than that of being an identity provider. Development libraries exist for OpenID identity provision that take near-zero time to set up, and tying OpenID-provided identities to existing login systems takes much less development time than setting up OpenID login on a site that has an existing login system. While some web applications have taken the time to do this, such as social bookmarking site Magnolia, very few sites outside of the realm of the technophile have made the effort to build the login system into their own web applications. Part of the reason for this is that enabling OpenID logins does require some development effort. For example, there is an ongoing effort at AOL (possibly the biggest OpenID identity provider) to support third-party OpenID logins into AOL web properties. But as of mid-August 2007, AOL still had limited support for OpenID as a relying party, according to OpenAuth developer Praveen Alavilli. Collaborative fiction site ficlets.com and timeline builder circavie.com are the only AOL web properties that currently support OpenID logins. The reason, according to Praveen, is that AOL product teams are "as usual, busy implementing cool new features and functionality into their products," so "they haven't yet experimented with OpenID support." Because integrating OpenID login does require site engineering enhancements, OpenID login support does not happen unless it becomes a priority for companies that run websites.

While AOL's size may result in a prolonged process for implementation of OpenID logins across all of its web properties, smaller companies closer to the social media community have also experienced varying degrees of success in implementing relying party status within their products. In May, I had a chat with Anil Dash, a vice president at Six Apart, about the company's adoption of OpenID. At the time, Six Apart had already implemented relying party and identity provision services for its LiveJournal service, perhaps one of the most mainstream uses of OpenID given the demographic diversity of LiveJournal. LiveJournal's swift adoption of OpenID shouldn't surprise those intimately connected with either LiveJournal or OpenID; the creator of LiveJournal, Brad Fitzpatrick, was also the inventor of OpenID.

I also asked Anil about Six Apart's other, newer blogging service, the relatively popular Vox, and its current OpenID development status. "We haven't talked publicly about the plan," Dash said in an AIM conversation. "But it's not really secret. Vox is a provider, and will become a [relying party]. Most of the work for [being a relying party] is done technically; I think we're just focused on improving the user experience." Over four months since that conversation, Vox apparently still is simply an identity provider. As of the time of writing this article, Dash had not been available for comment. Another Six Apart blogging service, the hosted Movable Type system TypePad, also does not support commenting via OpenID, although Dash hinted that TypePad's relying party support would "take more time, just for technological reasons."

Movable Type, the standalone blogging software built by Six Apart, recently added full OpenID support in an OpenID framework, something Dash had hinted at in our previous conversation. According to Dash's post on the Movable Type blog, now all Movable Type 4-powered blogs offer both identity provision and OpenID login for commenters, giving one of the better OpenID experiences on the Web. If you're a user of Movable Type, Six Apart has thorough documentation on implementing relying-party status on your own Movable Type-powered blog on their own developer documentation site. (For those who wish to leverage AIM OpenIDs on their blogs, an AIM OpenID connector is also available thanks to a member of Movable Type's development community.)

While Six Apart's own OpenID implementations have suffered from the cost of relying-party implementation, WordPress, blogging's other behemoth, has displayed even less adoption of OpenID. A small bit of fanfare occurred in the blogosphere when Matt Mullenweg and the rest of the Automattic team announced that Wordpress.com, the hosted blogging service powered by WordPress, became an OpenID identity provider; however, little progress has seemingly been made on the relying-party front. When I asked Mullenweg about his feelings toward the OpenID movement, he stated that he "likes the concept tremendously, and [he does] hope it's widely adopted someday." In contrast to this statement, Mullenweg also stated that OpenID for Wordpress.com "is not on the roadmap at the moment," although he did say that "it makes a lot of sense for [Wordpress.com] to be a [relying party] as well."

Automattic's standalone version of WordPress, available at Wordpress.org, has seen greater movement toward OpenID. There is a myriad of plugins available for WordPress that allow one's blog to be both a relying party and an identity provider, with my favorite plugin being VerseLogic's due to its ease of setup and control options. Using the VerseLogic plugin, anyone with a WordPress-powered website can further relying party adoption of OpenID. While the cost of having to go and get a plugin is greater than that of having it in the core, as is the case with Movable Type, these integrated solutions are degrees better than the solutions that existed only three months ago. Thanks to these systems, the cost of being a relying party is much lower for bloggers running their own services than ever before; hopefully this progression continues in the future.

A Call to Arms

While homebrew plugins may be the necessary beginning to a greater relying party adoption curve, one that is certainly accelerating (see Figure 1), OpenID is still far from being more than a techie's trend. The vast disparity in the IP-to-RP ratio leaves OpenID in a position that keeps it primarily stealthed from even less technology-oriented bloggers, a position that is still more geek hype than legitimate. Adoption will need to spread into a greater sphere, with a much larger quantity of heavily trafficked blogs or social services supporting the authentication system to truly take off. Naturally, such an adoption takes time and has to trickle through the early adopters that are most likely reading this article.

Figure 1. OpenID total relying parties (Source: Scott Kveton, OpenID Foundation. OSCON 2007)

OpenID is a natural step toward building a greater circle of trust into the blogosphere, with OpenID certainly being progress toward greater trust within social media. With OpenID, bloggers have a more solid way of authenticating commenters to their content than is currently available through open registration, at a cost that is minimal for most of those even lightly involved in social media or the technology sphere. In return, those publishing and reading blogs and other content that allows for user participation through OpenID authentication can see an increase in marginal reputability through greater identity authentication, a problem that has reared its head in a few blogosphere scandals. Giving more weight to the identities of blog authors, commenters, and other such participants also further minimizes the lack-of-reputability argument used by those critical of social media and "user-generated" content.

As a counterpoint, we as social media creator-consumers should also not quickly blindfold ourselves and jump headfirst onto the OpenID bandwagon as the magic bullet of social media authentication. While OpenID is certainly a step in the right direction, and given its half-adoption by exceptionally large internet players such as AOL and Microsoft, it is still an imperfect solution. Some critics of OpenID have complained that OpenID's universal login system makes sites more vulnerable to identity theft, and it is certainly not a solution to the spam problem, as OpenID identities are easily created through automated processes or on anonymous public servers. However, the half-adoption of OpenID by truly mainstream players that I've criticized as not fully supporting the OpenID movement is, ironically, OpenID's biggest strength: greater awareness of what OpenID is among AIM screen name owners and deeper integration into everyday tools such as Windows Vista and its CardSpace application are still very good triggers for the greater adoption and momentum that help OpenID along. OpenID is not the magic solution to the authentication problems on the Web; however, with the decreasing costs associated with implementing it within our own blogs and social media projects, our adoption of the service as relying parties offers more benefit than cost over open registration methods. It is for this reason that we should be implementing OpenID, and it is for this reason that OpenID was created in the first place: while OpenID's adoption by some geeks has been for the hype associated with it, we should be implementing OpenID for the sake of awareness.

As awareness of OpenID relying parties (as well as awareness that yes, you probably have an OpenID identity) propagates, OpenID also offers increasing marginal returns both as an authentication system as well as an even greater increase in user experience. Given greater awareness and adoption, OpenID can successfully do what universal login ventures like Windows Live ID and the now-dead Liberty Alliance project had attempted to do previously, without the corporate motives attached to these previous projects. As with any socially powered project, it is the network that contains the greatest power, and without a strong network, any service is doomed to failure. With OpenID, the blogosphere finally has a chance to strengthen its own network across numerous fronts, and, by doing so with true OpenID implementation as relying parties, it increases both the community's enjoyment and the individual's as the rest of the community adopts OpenID as the standard.

As the OpenID Foundation further solidifies OpenID in the OpenID 2.0 standard, we can expect OpenID to grow continually more robust as a protocol, as well. Given the, well, open nature of OpenID, anyone can contribute to the next version of OpenID just as other open standards allow. A set of mailing lists is available for those who wish to discuss OpenID in any detail, from just general talk to security or user experience facets of OpenID. All of the OpenID committee chairs and board members (available on the OIDF's Wiki) are also open to discussing the future of OpenID. Scott Kveton and others on the OpenID board are well aware of OpenID's current vulnerabilities, and task forces are in place to solve them in further iterations of the OpenID protocol.

At this point, the stars are aligning. As OpenID adoption accelerates, it is up to us as developers and social media enthusiasts to add fuel to the OpenID fire and further adopt relying-party status into our applications. Although the momentum that any one of us creates may be small in comparison to that of corporate social media, the creation of OpenID in itself stands as the example that all of us working together can truly shift technology into a more trustworthy, easy-to-use plane. The tools are in place and the bandwagon has already left town. Now is time for us to abandon the hype and build for ourselves a greater Web, and, if identity provision has been an indicator, the corporate world is listening.

wordpress

Great news about implementation of OpenId on wordpress!
Bst Rgds,
Michael B.