wkossen’s blog

Just another FSFE Fellowship Blogs weblog

Don’t Lock Me Out

October 6th, 2010

OpenID Closed

ADVANCE WARNING: This post is going to be a bit rant-like… But you may still like it. There’s some good information, too, that might keep you out of trouble… Another note: this was originally posted on my personal weblog.

You may already know I’m quite fond of OpenID. In fact, any security system that makes life easier for me is very welcome. For some time however, there’s something going on that makes the OpenID system a bit less attractive. Providers that quit. ‘Quit?’ I hear you ask? Yes, Quit!

And that wouldn’t necessarily be so bad if they told their users with advance notice that they were going to do just that. That’s just not what’s happening. I’ll just list a few of the OpenID providers that aren’t anymore:

  • Technorati. Read about that one here.
  • Identity.net
  • Yiid.com (which is also Identity.net). I got the mail from them this week telling me they had just turned off OpenID. So much for advance warning…
  • Cliqset.com. I don’t even know what happened. It just stopped working.
  • Logmij.in (Dutch OpenID provider). The site doesn’t even exist anymore.
  • If you check each one on the list on this site, you’ll find quite a few more that seem to be terminated…

Just imagine that you’re using an OpenID from one of those providers. They gave you an OpenID which you actually used to log in to other sites, for instance to update your weblog at LiveJournal. Now the provider quits. How are you going to access the sites you’re a valid member of? I’ll tell you: you’re not going to access them, and you’re going to have long talks with the helpful support team of those sites (if those even exist) to get your account back.

Since I’ve been fond of OpenID for a long time, I’ve been keeping multiple OpenIDs. That’s a reasonable back-up strategy, but unfortunately not all sites allow you to assign multiple OpenIDs to your account. This really puts you in a tight spot if your provider thinks it’s a good idea to quit. There are some good examples though. Plaxo, for instance, allows you to add many OpenIDs. What I don’t understand is why they hide the management screen as a sub-screen behind a link on the e-mail-addresses-management page, but this post isn’t about usability…. 🙁

Even better as a back-up strategy is the ‘Roll-Your-Own’ method. phpMyID allows you to do just that. Host your own private OpenID provider. It will only quit if you decide it will… I’ve been running mine for a long time and that’s the OpenID I add to a site first. If it’s possible to add more, I’ll do so because my site can be down as well and that would lock me out immediately…

Another (very useful) method is to have your own domain or website delegate to your current provider. If you switch providers, you just delegate to the next one from the same domain or website. That way the OpenID doesn’t change even though the back-end provider does… Delegation is easy to set up if you have access to the HTML source-code of your website. In the <head></head> section, you add the following code:

<link rel="openid.server"
      href="https://www.myopenid.com/server">
<link rel="openid.delegate"
      href="http://wkossen.myopenid.com">

Naturally, the entry in href="" changes depending on who serves your OpenID. Your OpenID provider will tell you what settings to implement, or with a bit of thinking you’ll figure it out… Just note that, again, if the delegating website is down, or the OpenID behind it is down, you’re still locked out…
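To see what a relying party actually does with those two link tags, here is an added example (not code from the original post) that parses a page’s head for the delegation links, using the myopenid.com URLs from the snippet above as constructed sample input. It goes a bit beyond the post by also recognising the OpenID 2.0 equivalents (openid2.provider / openid2.local_id) and by falling back to the page URL itself when no delegate link is given.

```python
"""Discover OpenID delegation from a user's own page (added example).

Handles the OpenID 1.x rel values shown in the post ("openid.server",
"openid.delegate") and the OpenID 2.0 equivalents ("openid2.provider",
"openid2.local_id"). Only <link> tags inside <head> count.
"""
from html.parser import HTMLParser


class _LinkCollector(HTMLParser):
    """Collect (rel_token, href) pairs from <link> tags inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            href = a.get("href")
            # rel may carry several whitespace-separated tokens
            for token in (a.get("rel") or "").split():
                if href:
                    self.links.append((token.lower(), href))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def discover_delegation(claimed_id, page_html):
    """Return {'version', 'server', 'delegate'} or None if no links found.

    claimed_id is the URL of the user's own page, i.e. the stable OpenID
    that survives a provider switch. Without a delegate link the provider
    is asked to authenticate the claimed_id itself.
    """
    p = _LinkCollector()
    p.feed(page_html)
    rels = {}
    for token, href in p.links:
        rels.setdefault(token, href)  # first occurrence wins
    if "openid2.provider" in rels:
        return {"version": "2.0", "server": rels["openid2.provider"],
                "delegate": rels.get("openid2.local_id", claimed_id)}
    if "openid.server" in rels:
        return {"version": "1.x", "server": rels["openid.server"],
                "delegate": rels.get("openid.delegate", claimed_id)}
    return None


# Constructed sample: the post's head block, plus a <link> in <body>
# that a relying party must ignore because it sits outside <head>.
SAMPLE_HTML = """<html><head>
<link rel="openid.server" href="https://www.myopenid.com/server">
<link rel="openid.delegate" href="http://wkossen.myopenid.com">
</head><body>
<link rel="openid.server" href="http://ignored.example/server">
</body></html>"""

if __name__ == "__main__":
    print(discover_delegation("http://willemkossen.nl/", SAMPLE_HTML))
```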

There’s a natural trade-off here. You get to use ONE log-in for MANY sites, but if that breaks, you’re locked out EVERYWHERE. The alternative is remembering all those passwords and user-names on all those sites the way you used to do. I’ll opt for the first strategy and try to alleviate the risk as much as possible by adding multiples…

Let me end with stating the obvious here:

  1. If you’re providing essential services people rely on like OpenID, don’t just quit,
  2. If you have to quit, tell the customer well in advance,
  3. Give those people options to move their data (it’s theirs in the first place) -> Dataportability,
  4. Assist them in setting up their OpenID elsewhere and tell them how to move their accounts,
  5. Even better, why not maintain their OpenID URL and let the user delegate it towards another OpenID?

It’s like the company that sells you petrol just quit and you come to the station in the middle of nowhere with your empty tank. What are you going to do, Push????

Your comments as always are very welcome below. Thanks for reading!

The Portability Policy

June 7th, 2010


There’s a lot of talk lately about ownership of content, but there isn’t a lot of substance. In this post I want to tell you what providers of Social Media Services should do to make things very, very clear for YOU regarding YOUR content.

It’s called Dataportability, and this is what it means.

Data portability is the ability for people to reuse their data across interoperable applications. The DataPortability Project works to advance this vision by identifying, contextualizing and promoting efforts in the space.

The fun thing about definitions is the fact there usually are many. The one I gave you is the one supported by the Dataportability Project in which I participate.

The key concept here is ‘who owns the data, and what can YOU do with it’. Companies should be perfectly clear in their communication about this so You know what to expect. That’s why we believe that they should have a portability policy, just as they have a privacy policy (the privacy policy states what They can and will do with Your data). As an idea, it’s actually quite logical, don’t you think?

And this doesn’t necessarily mean that you should be given any control over your data whatsoever, it just means that you should know what control you have. Then you can make educated choices which companies to be a client of. This, as many other things, is just a matter of selection.

To aid companies in creating these policies there is now a website with example policies for inspiration. In the future there will be services to aid companies further in their efforts to create these policies. This hopefully removes some of the barriers to getting this not only accepted as a good idea, but also implemented as a standard procedure. I suggest you head over there and give us some feedback, either on the dataportability google groups or (my personal preference 🙂 ) here in the comments.

If you’re interested in following this fantastic project, be sure to read the Dataportability Blog.

(originally posted on http://willemkossen.nl/b)

Freedom is Control…

May 21st, 2010

Control!
Photo by .faramarz

Freedom means control. Control for me, control for the individual, not a large corporation, government institution or any other large body of people with any kind of hierarchical structure. Open means the same thing.

Free software is all about freedom and all about control. The individual decides what he does with it, how he uses it, how he changes it and how he shares it. He even decides not to use it if he doesn’t want to, for whatever reason. That’s freedom and that’s control. (Where I write he, you could easily read she.)

Open means the same thing. Open software, open standards, open data. It’s all about putting control where it should be: at the individual level, with the people themselves.

I am very much in favour of freedom and open. That doesn’t necessarily mean I’m very much against other ways, because sometimes these ways suit some people’s needs, including my own. I would suggest that, given the option, you should favour the open and free path over the non-open and non-free.

I recently became a fellow at the Free Software Foundation Europe to support Free and Open. Maybe you should too. My username over there is wkossen.

(This post originally appeared on willemkossen.nl.)