Let’s Implement the Open Pile! It’ll Be Great!

You are not on the bandwagon yet? You are so behind the times! Haven’t you heard that the web is now social, and user-centric, your customers are in charge, they create and remix and share and rate and activity stream and manage you, the vendor, and you still haven’t implemented the Open Pile!

Ehm, I mean the Open Stack, sorry about that, a slip of the tongue here. The community has been working together hand in hand to define these exciting new standards, singing kumbaya all the time, how can you not have implemented them and look your manager in the eye?

So let’s get started right away. You need to implement OpenID for login, with NASCAR buttons so it’s easy for your users, not too many, not too few, and yes, a text field for those other identity providers, with of course a non-JavaScript fallback, and information card detection in case somebody runs Vista or is an AAA member, and OAuth, well, there are several incompatible versions just like with OpenID and of course you have to support 2, 3, and I don’t quite remember how many more legs, which should of course do the hybrid with OpenID, rooted in cutting-edge discovery in all the needed ways: just three ways from Yadis, two from OpenID, some new well-known locations with LRDD and sometimes you have to check with Google directly, of course you have to be prepared to accept URLs, e-mail addresses, PPIDs and unreadable URLs as identifiers, claimed and proven, I’m sure your website folks figure out how to map them to their databases in no more than a few weeks, then you automagically (imagine!) get your user’s first and last name and e-mail address via SREG or AX (but there might be incompatible schemas) or Portable Contacts or Microformats, yeah, no provider supports all of those and many don’t support any but that’s just an implementation detail, and boy all the great info you will get via xAuth any time soon now and then you can publish activity streams and you even will make the Salmon run upstream! It’ll be SO GREAT!!

If I knew how to draw cartoons, I’d have a field day here.

No wonder Facebook is winning with a proprietary stack.

As we go into IIW next week, guys, it’s time to get real. Either we cut 80%+ off this pile and make the remainder actually work, or we give up. I just hope there won’t be proposals for more protocols next week. How about we all propose which 90% of our favorite pet projects we are willing to kill? The alternative, I’m afraid, is the way UNIX has been going in the face of first NT, and then Linux. “Open” means nothing if it’s just a pile.

P.S. Thanks to Kaliya for encouraging me to get this off my chest and annoy some people if it has to be that way.

10 responses to “Let’s Implement the Open Pile! It’ll Be Great!”

  1. You see, I always saw OpenID like VISA and Mastercard, everybody knows a credit card is a 16 digit number, but with OpenID the issuing companies are reluctant to declare the brand of the clearing infrastructure – for fear of what exactly?

    If the OIDF members took the view that they were paying into VISA or Mastercard, they’d be happy to show that their cards were accepted, i.e. at an OpenID enabled Web Site.

    So they would then tell their users that theirs was an OpenID and you could clearly see where you could use it, i.e. at an OpenID web site displaying the logo.

    Shopping merchants don’t have the Nascar problem, they just have a sign that says, VISA, Mastercard and perhaps AmEx accepted here.

    It’s really weird to have an organization whose members don’t promote the trade organization, in fact it’s very strange is it not?

    Facebook, Google and Yahoo! etc and in particular Facebook, don’t mention OpenID on their front page at all.

    So some, or most of the members are happy to just financially support the OIDF, but just don’t want to promote the brand, the question to the Community Members of the OIDF, “Does this house believe that the Corporate Members of the OIDF have the best interests of the OpenID brand at heart?” – I think it would be a landslide victory…

    Therefore long term, the OIDF in its current format, surely has a long term viability problem – who is it really representing, and what purpose?

    I really like this guy’s simple approach:


    i.e. the Stack Overflow example:

    Click your OpenID account provider
    Or, manually enter your OpenID

    I really like the idea of using an OpenID URL for publishing web services/discovery, and using an email etc to obtain an OpenID URL just seems plain clumsy to me.

    The thing that really pisses me off about OpenID and its “apparent” UI issues, is at the beginning, if we cast our mind back, people had difficulty just realizing what an email address was! The WWW was an even bigger mystery until about 1998 in Britain.

    I used to print a published listing of UK web sites that was distributed as a magazine, so trust me – people struggled with http://www.company.com/ – “Where does it go? It’s making my head hurt…” But strangely enough broadband uptake in the UK is 60% of households. So I guess with education – they “got it” in the end. Oh and I sold 10,000 copies a month, so it did take time for the users to suss URLs – or they wouldn’t have bought my magazine…

    So I just REFUSE to buy into the myth of “OpenIDs as URLs are too difficult for the end users”

    For the first 2/3 years ahead if the Stack Overflow model was “mandatory” to membership and we just get the 6 Nascars or so appearing, but then within time users would realize that their “major web publisher credential” is an OpenID.

    Therefore it then reduces down to two boxes, the site’s native login or OpenID, in a year 3+ period.

    This should be a requirement of Foundation members if they are relying parties shouldn’t it?

    Then de facto the people are educated by drip feed.

    If Foundation members don’t offer the Stack Overflow style – their membership is discussed…

    Thus in 3 years – the public are educated into understanding an OpenID is a URL or their IDP’s credential system; email etc.

    In fact could OpenID Foundation Membership rules create a situation which would allow the technocrats Community Members like me to force this vote through?

    It’s the “Click your OpenID account provider” phrase that does the education bit for me. In every language on the planet. Every time.

    The OIDF in its current format is basically out to promote the interests of its members and NOT the technology / or the BRAND – It’s not like any other “normal” trade association I know of?

    OpenID providers can perhaps be drawn into three camps (++government issued two-factor):

    Those that can/could provide two-factor authentication SSO sign-on to a level that users would actually trust their Identity Provider with private meta data (Banks and mobile phone companies) French Telecom, NTT Docomo etc

    Those that you would not trust with your private meta data (The major web publishers) Facebook, Microsoft etc
    They don’t really have a relationship with you, and have major issues providing a secure token reset, they don’t even know if the account given to “Alice” is even “Alice” or a bot!

    Because of the work being done with OpenID in countries outside North America, I believe the branding issue will be steamrolled by the telcos and banks.

    Identity is the new money – a lot is at stake

    Example, where telcos have adopted OpenID, they don’t seem to have a problem using the logo, thus creating a good brand message.

    So the tier one providers, will commonly promote the OpenID logo in association with two-factor, so the end users will associate OpenIDs supplied by tier one providers, as being secure and “having value” or “perceived value”.

    As OpenID is being linked to National ID cards in several countries and is being evaluated by the US National Institutes of Health, either the OIDF in its current format will “have to” change, I would have thought?

    I propose that if it doesn’t, it will be surpassed by other steering committees, which morph the OIDF into a new inclusive organization caused by a grassroots revolt, as the views of the wider OpenID Community have to be heard for reasons that Johannes is making abundantly clear – those views are here with us now.

    If we think of people like David Recordon and Chris Messina, we don’t need to ask their views, they’d all be singing from the same hymn sheet to support Johannes’s frustration.

    Let’s not forget the OpenID Hitlist or wasn’t it called the shitlist…

    I think we just have a new direction for a shitlist. It’s a great shame Chris couldn’t mount the attack now.

    If the OIDF don’t yield to the community views on this issue, they will ultimately lose out to the tier one providers creating the brand for them, because from my views around the net, the tier one providers already understood several years back, the need to promote the OpenID logo like VISA and Mastercard, for a reason I cannot quite figure out. However their “corporate think tanks” – just got it(tm).

    My question is, “when” will the OIDF start encouraging their members to behave like they are members of a Foundation and not purely a lobby group?

    As Cilla Black, a game show host in the UK during the ’80s catchphrase went

    “The choice is yours…”


    (PS This posting was severely edited and had breakfast before posting it.)

  2. Johannes for lord high emperor of the universe! Right on.

    One of my particular frustrations is that I’ve built an OpenID login system that works on some OpenID systems, and not others, and nobody seemed interested in helping me figure out why. So I’ve got a delegate from my OpenID URL off to someone else who now owns at least that small fraction of my identity.

    And, geez, SREG and AX are yet more formats that the *other* microformat people I talk to regularly didn’t know about when I asked “how should I publish my identity information” (I have FOAF and vCard as “link rel=meta” and “rel=alternate” in my headers, because I found those recommendations somewhere, not that anyone is doing anything with them).

  3. Crazy. I left a comment here, but now it’s disappeared, and I can’t login to the account I created. I hope you didn’t take offense to the post, as it definitely wasn’t directed at you, but rather the insane position that we as web developers find ourselves in trying to build real systems for real people.

    I’ve posted the comment on my blog since I thought it was a worthwhile case-study: http://blog.romeda.org/2010/05/comment-republished-here-for-posterity.html

  4. It feels very true but realistic and sad. I wonder if there is a nice list of all the technologies together with a matrix how existing implementations apply them and in which order, to ease the process of choosing the redundant stuff.

  5. You’re absolutely right. Try, as a new commenter, to leave a comment on your blog. Seriously. It’s horrendous. Here’s my approach:

    Act 1: First, I saw the WordPress logo. So I tried to enter my WordPress username and password. Oops, I guess I shouldn’t have told you that, since now you can dig into your logs and pretend to be me on WordPress.com hosted blogs. When that didn’t work, I thought, well, maybe I’ve forgotten my login info. So, I tried a few other options, none of which worked. I guess you could probably log into a few more sites as me now, assuming you’ve been keeping careful logs…

    Act 2: Giving up on the username / password option, but not wanting to go through the login dance for what was now clearly “just your blog,” I tried to use my OpenID login, which Google has chosen a not-totally-unreasonable URL for: http://google.com/profiles/romeda – but, of course, that didn’t work. So I tried again, this time using my experience as a web developer to change the URL to http://www.google.com/profiles/romeda, just in case http://www.google.com was returning something more useful than google.com, or in case your OpenID library wasn’t following a redirect or something. Fail.

    Act 3: Now, since I *really* wanted to leave a comment on your blog, I clicked the dreaded “register” button. And, to my delight, I saw that it wanted a username and an email address. Right, because I’m going to remember my username for the WordPress install at netmesh.info/jernst. Ha! Thankfully, I got my first choice. I guess the kids haven’t started lining up around the block…

    Act 4: Being a good piece of software, WordPress did not ask for my password. So, off I go to my inbox to retrieve the password, which thankfully is sitting right there. It’s a horrendous mess (“*QOj9rc8D$%X” fwiw) and Chrome doesn’t like the idea of neatly selecting it, because it’s not really a word, y’know? I manage nevertheless, and go back to the other tab (whatever did we do before tabs?!).

    Act 5: Now I enter my password, eager to make my blog post. Click enter, and *bam*, I’m pushed face-first into my brand-new netmesh.info/jernst WordPress profile page. W00t!


    Oh, right. I was trying to make a blog post.

    Act 6: So, back I go to netmesh.info to find the post that I wanted to comment on. No, wait, wrong page. Rewind. Back I go to netmesh.info/jernst to find the post that I wanted to comment on. The post footer says I’m logged in as romeda (oh, wait, I guess I didn’t get my first choice – why did I use “romeda” instead of “blaine”? D’Oh!), so I click on the textarea, and away I go!

    Now, Umm, What was I going to say?

    Oh, yeah:

    Facebook Connect is the best experience for both parties, because chances are the commenter has a Facebook account (and if they don’t, do you really want to hear from them?) so that’s good for the site, and it’s really just one click on that pretty blue Facebook Connect button and then one click to approve the connection (never mind the privacy implications, pshaw), so that’s great for the user.

    But that only works if you trust Facebook. You Dumb Fuck.

    So, if you’re like me, and try not to be a Dumb Fuck, you should just skip all the bullshit and use email addresses. That do automagical discovery. It’s called Webfinger. Which is a shitty name, but do you have a better idea? (no really, if you do, PLEASE tell me) Tantek’s called it RelMeAuth. Whatever happens under the covers doesn’t fucking matter one iota. You start from the user experience and then, as web developers, we make it work. Period.

    So to say it again, you’re absolutely right. The Open Pile is a totally useless heap of marketing buzzwords. The only thing that matters is user experience (well, the experience of developers building this stuff matters, too, but it’s a secondary concern. We wouldn’t be in this business if we didn’t enjoy at least a little pain). Except that the Open Pile has some real gems in it, and I very much look forward to mining for them with you next week!