SXSW: A Critical Look At OpenID
Arguably one of the more interesting panels here at SXSW, A Critical Look at OpenID gave people the chance to ask a lot of questions that, as a non-developer, I found relevant.
The panel opened with a helpful comparison of OpenID to email. Your email address tells people something about you (@gmail.com says you use Gmail, @sun.com says you're a Sun employee). You can use an external service for email (Hotmail, Gmail, etc.) or you can run your own mail server. Email is also, in effect, a single sign-on point of failure: if someone gets control of your email account, they can request "send me a password reminder" emails from every site you use and take over those accounts as well.
There are some business risks around OpenID. Anyone can create a virtually unlimited number of OpenID accounts; the proposed answer is shared whitelisting. For example, your blog could be set to accept only people with Twitter, Yahoo or AOL OpenID accounts, which amounts to saying, "I trust only Twitter, Yahoo and AOL logins." I'm still not sure this is within the decentralized spirit of the protocol, but it's a realistic solution.
The sites that currently stand to benefit from OpenID are smaller sites that don't want to become trust providers. Smaller companies shouldn't take on the hassle of being OpenID providers, because of the privacy liabilities that come with storing people's information. OpenID makes it simple for people to start using your application without creating yet another login. For instance, say your site gets featured by TechCrunch and suddenly ten thousand people are hitting it. If they have to create an account, most of them won't stick around; if they can use their existing OpenID to start using your application immediately, you're far more likely to keep them.
A good question from the audience: what about revocation? If you give a site the authority to represent you, what happens when you want to revoke that authority? This comes back to the issue of trust. You probably shouldn't use a fly-by-night organization that may recycle usernames as your OpenID provider: if your provider hands your identifier to someone else, that person inherits your account on every site that keyed on it.
What's keeping people in the room from implementing OpenID? David asked for a show of hands: is it security, familiarity, usability or technology? Most hands went up for usability.
So, the million-dollar question for bloggers: will OpenID help fight comment spam? Yes and no. Spammers can create as many OpenIDs as they want. A shared whitelist of OpenID providers, however, seems to be the best workable solution.
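The whitelisting the panel proposed has one detail a relying party gets wrong easily: which field to whitelist. Here is an added example (not code from the panel or the original post) of the relying-party check, written against the fields of an OpenID 2.0 positive assertion. The trusted hostnames and the two sample responses are constructed for illustration. The check keys on the provider that actually signed the assertion (openid.op_endpoint), not on the claimed identifier, because delegation lets any identifier URL point at any provider; it also uses exact host matching rather than a domain suffix, since a suffix match would accept a look-alike host.

```python
"""Relying-party side of a shared provider whitelist for OpenID 2.0.

Added example; not code from the panel or the original post. The trusted
hostnames and the two sample responses below are constructed for illustration.
"""
from urllib.parse import parse_qsl, urlsplit

OPENID2_NS = "http://specs.openid.net/auth/2.0"

# Constructed whitelist (assumption): exact hostnames of the OP endpoints this
# relying party trusts, in the "Twitter, Yahoo or AOL only" spirit of the panel.
TRUSTED_OP_HOSTS = frozenset({
    "open.login.yahooapis.com",
    "api.screenname.aol.com",
    "www.myopenid.com",
})


def parse_assertion(query_string):
    """Decode the query string of an indirect OpenID response into a dict."""
    return dict(parse_qsl(query_string, keep_blank_values=True))


def endpoint_is_trusted(op_endpoint, trusted_hosts=TRUSTED_OP_HOSTS):
    """Exact host match over HTTPS only.

    Suffix matching (endswith("yahooapis.com")) is deliberately avoided: it
    would accept open.login.yahooapis.com.attacker.example.
    """
    parts = urlsplit(op_endpoint)
    if parts.scheme != "https" or not parts.hostname:
        return False
    return parts.hostname.lower() in trusted_hosts


def check_assertion(query_string, trusted_hosts=TRUSTED_OP_HOSTS):
    """Return (accepted, detail) for a positive assertion (openid.mode=id_res).

    The whitelist is keyed on openid.op_endpoint, the provider that produced
    the assertion. openid.claimed_id is the wrong field to key on: through
    delegation a user (or a spammer) can make any identifier URL point at any
    provider, so a claimed_id under yahoo.com proves nothing about who vouched
    for the login.
    """
    fields = parse_assertion(query_string)
    if fields.get("openid.ns") != OPENID2_NS:
        return False, "not an OpenID 2.0 response"
    if fields.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    op_endpoint = fields.get("openid.op_endpoint", "")
    if not endpoint_is_trusted(op_endpoint, trusted_hosts):
        return False, "provider not whitelisted: " + (op_endpoint or "<missing>")
    # The whitelist gate passed. Signature, nonce, return_to and discovery
    # verification from the OpenID 2.0 spec still have to run after this; the
    # whitelist only decides whose signature we are willing to check at all.
    return True, fields.get("openid.claimed_id", "")


# Constructed sample responses (assumption: illustrative URLs only).
GOOD_RESPONSE = (
    "openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0"
    "&openid.mode=id_res"
    "&openid.op_endpoint=https%3A%2F%2Fopen.login.yahooapis.com%2Fopenid%2Fop%2Fauth"
    "&openid.claimed_id=https%3A%2F%2Fme.yahoo.com%2Fa%2Fexample"
    "&openid.identity=https%3A%2F%2Fme.yahoo.com%2Fa%2Fexample"
    "&openid.return_to=https%3A%2F%2Fblog.example%2Fopenid%2Freturn"
)

# Same-looking claimed_id, but the assertion comes from a look-alike provider.
SPOOFED_RESPONSE = (
    "openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0"
    "&openid.mode=id_res"
    "&openid.op_endpoint=https%3A%2F%2Fopen.login.yahooapis.com.attacker.example%2Fop"
    "&openid.claimed_id=https%3A%2F%2Fme.yahoo.com%2Fa%2Fexample"
    "&openid.identity=https%3A%2F%2Fme.yahoo.com%2Fa%2Fexample"
    "&openid.return_to=https%3A%2F%2Fblog.example%2Fopenid%2Freturn"
)

if __name__ == "__main__":
    for name, resp in (("good", GOOD_RESPONSE), ("spoofed", SPOOFED_RESPONSE)):
        print(name, check_assertion(resp))
```

The whitelist is a gate in front of the normal OpenID verification, not a replacement for it: a response from a trusted endpoint still needs its signature, nonce and return_to checked, and the identifier still needs to be confirmed by discovery against that endpoint.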
- in the chapter, "Social Networking"
- tagged with openid, sxsw, sxsw08
InterAction:
31 March 2008, 2. Johnny Castrup Jørgensen:
A very nice, rather concise summary. There is, however, one thing that worries me (not about this blog post, but about the way OpenID implementors are currently headed): whitelisting.
As you point out yourself, whitelisting is not exactly in the spirit of the protocol. I agree: if we end up having 3-4 de facto trusted sites, we might as well have learned to love Microsoft's Passport.
And it's not exactly hard to get hold of a Yahoo! OpenID either.
There is another way of handling the spam problem that draws on the email analogy as well: Bayesian filters and strength in numbers.
Filters are basically the way your email client tries to detect spam for you by spotting suspicious patterns. The reason ISP spam filters are more effective is that they can do the filtering based on a much larger sample.
Some services add value to this spam filter by providing a centralised blacklist of bad email sending servers.
These two strategies have not eliminated the spam that floats around the internet, but they have very successfully limited the amount we get in our inboxes.
I don't think you can keep spambots from having accounts on your system if your userbase is alluring to them without encumbering your userbase overly.
But you can use smart tools to get rid of it - without strangling the child.
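As an added example (not the commenter's code, nor the original post's), here is the kind of Bayesian comment filter the comment above describes: a multinomial naive Bayes classifier with add-one smoothing, trained on a small constructed corpus of spam and legitimate comments. The corpus is made up for illustration, so the probabilities it produces say nothing about real comment traffic; the point is the mechanism, and the comparison in log space that keeps long comments from underflowing.

```python
"""A Bayesian comment filter of the kind described in the comment above.

Added example; not the commenter's code nor the original post's. The training
corpus below is constructed for illustration (assumption), so the numbers it
produces say nothing about real comment traffic.
"""
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9']+")


def tokens(text):
    """Lowercase word tokens; a URL splits into its pieces (http, host, tld)."""
    return TOKEN.findall(text.lower())


class NaiveBayesFilter:
    """Multinomial naive Bayes with Laplace (add-alpha) smoothing."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.word_counts = {"spam": Counter(), "ham": Counter()}
        self.doc_counts = {"spam": 0, "ham": 0}
        self.vocab = set()

    def train(self, text, label):
        self.doc_counts[label] += 1
        for word in tokens(text):
            self.word_counts[label][word] += 1
            self.vocab.add(word)

    def _log_likelihood(self, words, label):
        # log P(label) + sum over words of log P(word | label)
        if self.doc_counts[label] == 0:
            return float("-inf")
        total_docs = sum(self.doc_counts.values())
        logp = math.log(self.doc_counts[label] / total_docs)
        denom = sum(self.word_counts[label].values()) + self.alpha * len(self.vocab)
        for word in words:
            # Smoothing keeps an unseen word from zeroing out the whole product.
            logp += math.log((self.word_counts[label][word] + self.alpha) / denom)
        return logp

    def spam_probability(self, text):
        words = tokens(text)
        ls = self._log_likelihood(words, "spam")
        lh = self._log_likelihood(words, "ham")
        # Normalise in log space so a long comment does not underflow to 0.0.
        m = max(ls, lh)
        ps, ph = math.exp(ls - m), math.exp(lh - m)
        return ps / (ps + ph)

    def is_spam(self, text, threshold=0.9):
        # A high threshold errs towards letting a spam comment through rather
        # than silently dropping a legitimate reader's comment.
        return self.spam_probability(text) >= threshold


# Constructed training data (assumption): a heavily simplified moderation queue.
TRAINING = [
    ("cheap viagra online buy now visit http://pills.example", "spam"),
    ("make money fast work from home visit my site", "spam"),
    ("buy cheap pills online best prices visit now", "spam"),
    ("free ringtones download now click here", "spam"),
    ("great post buy cheap viagra online now", "spam"),
    ("great summary of the panel, I agree that whitelisting is not in the spirit of openid", "ham"),
    ("the email analogy is a good one, password reminders are a weak point", "ham"),
    ("I have used openid on a few blogs and the usability is the real problem", "ham"),
    ("thanks for the write up, the revocation question is an interesting one", "ham"),
    ("does anyone know whether yahoo openid supports delegation", "ham"),
]


def build_filter():
    """Train a filter on the constructed corpus."""
    f = NaiveBayesFilter()
    for text, label in TRAINING:
        f.train(text, label)
    return f


if __name__ == "__main__":
    f = build_filter()
    for comment in ("buy cheap pills online now visit http://spam.example",
                    "I agree, the usability problem is what keeps most blogs from adopting openid"):
        print(f"{f.spam_probability(comment):.4f}  {comment}")
```

The "strength in numbers" half of the comment is what a single blog cannot reproduce on its own: ten training comments give a filter that only knows the words it has already seen, which is why the commenter points at ISP-scale filtering and shared blacklists as the part that makes the approach work.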
This entry was written by Jesse on Monday, March 10, 2008 at 1:46 PM and appears in the Social Networking chapter.
14 March 2008, 1. =nat:
> There are some business risks around OpenID. People can
> create a virtually unlimited number of OpenID accounts;
This is true of email addresses as well.
> the solution seems to be around shared whitelisting.
Community is an idea that revolves around reputation.
Whitelisting is an extreme case of the reputation.