The Open Government Identity Management Solutions Privacy Workshop is being held in Washington DC to draft a process for certifying existing identity providers for low-security government authentication transactions (so-called NIST level 1). If the plans move forward, we may someday be able to log in to government sites using our favorite OpenID-supporting website credentials. Google, AOL, Yahoo or other commercial accounts could become new keys to a consistent experience around the .gov web.

That draft includes requirements that OpenID or related Info Card identities not be used to authenticate people who are physically present (it's just for remote online access), that they not be used to transmit activity data or anything else beyond what is specifically requested by a government agency and that there be measures taken to continue protecting personal information if the identity provider goes out of business.

Identity providers will be evaluated on factors like an organization's technical implementation of authentication, its reputation and its business stability.

Providers who meet the requirements of the Trust Framework may be chosen to provide low-security authentication for users of government websites.

O'Reilly's Andy Oram posted an in-depth look at some of the issues raised by government support for OpenID last week.

"In considering government adoption," OpenID Foundation board member Chris Messina said of the Framework, "primary among our priorities is the protection of individual privacy while also considering ease of use and convenience. These factors cut to the core of the purpose of Trust Framework and feedback, therefore, is strongly encouraged on the document we've produced so far."

Keep your eyes peeled for an opportunity to comment publicly.

Government validation of federated identity could be a major boost for the ecosystem of the open, distributed web, and thus for innovation online. We hope the people making these plans can get it right and that the relevant government agencies can garner sufficient public support.

The new login method lets users log in to an OpenID supporting site or a traditional username/password site with one or zero clicks. It's a password manager, essentially, but it looks like an especially smooth one from one of the most trusted vendors online. And it syncs with the cloud so you could log in to your browser and then your favorite sites from any computer. It looks real nice.

This is just one more chapter in a much larger story - but look how easy this makes OpenID to use! If you're a user of password management software, we'd love to hear how this interface appears compared to your existing tools. I use Sxipper, which does a good job of managing multiple accounts and will fill out whole forms but has an interface that can be pretty obnoxious sometimes. I would miss the form-filler, though, if I left it for this new Weave functionality.

User credentials are just one little form of data that Weave could help us carry from site to site to site. The browser as an instrument of data portability? Bring it on!

Dan Mills, from Mozilla, offers in depth discussion about the approach in his official blog post and the comments there are good. The answer to the big question - "when can I get this?" Soon, Mills says.

Profile options are already being changed in response to popular requests; a new section of contact information that you can expose only to selected groups of people has just been added, for example. This opportunity to influence how Google describes you via your profile could be a very important one, and it's worth your while to take a look at the discussion and cast some votes for and against ideas. As we write this, only 600 people have so far.

For example, Google Social Graph API creator, Brad Fitzpatrick, posted a request to add rel="me" markup to the profiles so that the smart applications (like this one) can tie together all the accounts from various websites people list on their Profle pages. Several other people asked to have music playlists or GTalk IM status messages included in Google Profiles. Others asked that Google Profiles by tied to Gmail contacts for easy viewing in other applications.

There's a lot of optional fields you can fill out in a Google Profile now. You're asked to list where you work, where you went to school, where you've worked in the past, what your "superpower" is and other information. When Google Profiles got pushed to center stage yesterday, we voiced a concern that most peoples' concerns about what shows up when people search for their name on Google is too much information. Being told that the answer is to give Google even more info about us, in order to have any influence on our public appearance, seems ironic at least.

The Potential For Innovation

The potential for innovators to make use of these profile pages, if they are marked up well and made available, is really incredible. Just imagine: Dear Google, please show my software to all the people you know with Google Profiles who have listed their Delicious accounts, have bookmarked in Delicious more than 10 links around the web with one of 10 common food-related tags, who live in California, Oregon or Washington, and who have YouTube accounts as well. I want to gather a list of the videos that are most popular this week with food lovers on the West Coast.

That might be a pipe dream, but it certainly wouldn't be technically difficult if markup was good, the data was exposed well to developers, and Google Profiles caught on well enough to build a large data set. Imagine the incredible variety of potential permutations of profile fields, cross referenced with data found on linked-to third party websites, that such a scenario would offer.

There are simple issues and there are complex ones that come up when public profiles become important on the biggest information discovery site in the world. There are privacy concerns and there are wishes and hopes for data-centric innovation. Who doesn't have thoughts about how they would like to be described to the world? Now's your chance to vote on it.

Today Google released a product, called Google Me, that aims to change all of that. For a price - though not a monetary one.

When someone searches for a name that matches a Google Profile, that profile may now be displayed at the bottom of the search results page.

Google Profiles have a lot of potential as big, standardized online identities. They are tied to online accounts on other websites and they contain lots of interesting information about people. There's a lot of potential for outside developers to build interesting things on top of these profiles. See, for example, Glenn Jones's awesome project Identify, something we wrote about this weekend.

We're a little concerned, though, about yet another way that Google is going to gather more information about us as individuals.

A Deal With the Devil?

Ask almost anyone if they would like to be able to change the Google results for their name and you'll get a hearty "Yes." What would they mean by that? Probably that they would like to have the ability to remove unsavory information about themselves from the Google index.

That is certainly not what Google Me offers! The program offers people control over their search appearance only in as much as they are willing to give Google more information about themselves. Google's Joe Kraus explained to us that up to four Google Profiles will appear at the bottom of a results page. For people with common names, the more information you've filled out in your Google Profile - the more likely your profile will be selected for display.

Thus the offer of more control over your Google persona is an illusion - you only get to hope to influence it by giving up even more information about yourself to Google. "You don't like how much we know about and tell other people about you? Well you can change that...by telling us more about you."

The offer isn't even that exciting so far. By placing the Profiles at the bottom of search results pages Google leaves the primary source of information about us, the top 5 results on the page, unchanged.

We'll probably take this opportunity to spruce up our Google Profiles, in large part in hopes that the data will prove useful for future data-centric innovation. When asked about that, Google's Kraus told us that "Google doesn't do a lot of forward looking things; we serve our users' needs and then we iterate."

We simply don't believe that. We think that a discussion of Google's long-term interests in accessing personal data and our interest in letting them do so would be a good idea.

If it did, that could be a real game changer. We'd love to introduce our smart and sassy readers to each other here and then see them be friends on social networks, mobile sites and all around the web. Just a pipe dream? That's what a brand new identity provider called Cliqset aims to make possible. We believe it's the first identity provider of its type that allows 3rd parties to change user profile information, not just read it.

Cliqset uses the OAuth data standard to do all this, so it doesn't even have to ask for your password to the networks you want to connect.

Who's using Cliqset so far? Unfortunately, the geeks behind Cliqset don't do a very good job explaining what they do and they don't have any examples other than their own site today at launch.

That could change soon, though. The company has released a variety of code libraries for developers to drop Cliqset support into their applications. At launch there are Java, iPhone and .net for Windows Mobile libraries. A PHP library is forthcoming. All the libraries will be open sourced and posted to Google Code.

Facebook Connect lets 3rd parties publish updates to a user's activity stream, but that's about it. We asked a number of hardcore identity geeks whether they had seen anything quite like Cliqset before and no one had. There are OpenID and related specifications aiming to accomplish just this, but nothing in the wild yet, according to the OpenID Foundation and Six Apart's David Recordon.

Recordon is a little concerned about seeing another company release an API to accomplish what Cliqset aims to do. "At first glance, it seems like Cliqset is leaning in the correct direction with their support of OAuth for APIs and OpenID for sign in, but are still creating their own APIs - ala Facebook Connect - when dealing with profiles and activities," he told us. "This is both yet another validation of the work by the wider DiSo community and opportunity to finalize the Portable Contacts and Activity Streams specifications for broad adoption on the social web."

We asked Cliqset specifically about Facebook Connect, whether it wasn't in the company's interest to implement a Read/Write capability in its identity system as well. They said they believed it was but that they expected the giant social network to take much longer to implement this key feature. By offering iPhone and Windows Mobile libraries right out of the gate, we think Cliqset could move quickly in the mobile world as well.

Unfortunately, the company isn't doing a terribly good job of explaining its fundamental value proposition so far. We're not the first site to cover Cliqset today (see PC World's coverage for example) and everyone else is writing up the company as just one more cross-site identity provider. There's more than that going on here, but we'll see if this startup with what it calls "the most robust APIs you'll find anywhere" is able to make the market headway that its innovative vision seems to warrant.

One of the central features of Chi.mp is that it lets you to assume different personas (public, work, friends). With the current update, Chi.mp, for example, gives you the option publish new blog posts and albums that are either public, or only visible to your work contacts or friends. The new blog editor is basic, but it does the trick. Chi.mp, however, can't yet replace other minimalist blogging services like Tumblr or Posterous.

You can now also set a different theme for each of your personas. Chi.mp gives you 15 default themes and you can also upload your own backgrounds to the service.

The new photo album feature is a bit of a disappointment, however, as it can only handle relatively small images. We couldn't find any exact information about the limits that Chi.mp is enforcing here, but we weren't able to upload any images bigger than two megabytes.

Send Updates to Twitter and Facebook

Maybe the most important update is that Chi.mp can now push status updates to Twitter and Facebook. We assume Chi.mp is using Facebook's new API for publishing these updates.

It's Getting There

With these updates, Chi.mp is inching closer to fulfilling its promise of delivering a centralized hub for your online personas and life-stream.

Until now, we mostly used Chi.mp as an OpenID provider, but thanks to these updates, we will probably start to use it for the rest of its functions as well.

Sadly, Chi.mp is is still invite-only and we haven't heard anything about when it will come out of beta. We have had a grand total of three invites left at this point. Just send an email to chimp AT frederic.otherinbox.com if you want one.

Plaxo and Google have collaborated on an OpenID method that may represent the solution to OpenID's biggest problems: it's too unknown, it's too complicated and it's too arduous. Today at the User Experience Summit, Plaxo announced that early tests of its new OpenID login system had a 92% success rate - unheard of in the industry. OpenID's usability problems appear closer than ever to being solved for good.

Plaxo, primarily known for the noxious flood of spam emails it delivered in its early days, is now an online user activity data stream aggregator owned by telecom giant Comcast. The Plaxo team has been at the forefront of the new Open Web paradigm best known for the OpenID protocol.

The Flow

The method Plaxo has been testing is called an OpenID/OAuth combo, in collaboration with Google. What does that mean, in regular terms? It means that Plaxo told users they could log in with their Gmail accounts as OpenID by clicking a link to open a Gmail window, then Google asked for permission to hand over user contact data using the OAuth standard protocol. Once login was confirmed, whether contact data access was granted to Plaxo or not, the Gmail window closed and users were returned to Plaxo all logged in. No new accounts, no disclosure of Gmail passwords to Plaxo, no risky account scraping and no need to import or find friends on the new service before immediate personalization could be offered.

This is a very different flow than most OpenID "relying parties" have followed before - but it won't be for long.

The Success Rate

Plaxo reported today that it has seen a staggering 92% of users who clicked on the "log-in with Gmail" button come back to Plaxo with permission to authenticate their identities via Gmail granted. Of those who returned, another 92% also granted permission for Plaxo to access their contacts list. Only 8% of the people who clicked to log in with a standards based 3rd party authentication ended up deciding to bail instead. That's the kind of ease-of-use that people presumed only Facebook Connect could provide.

When Plaxo engineers moved to turn off the short-term experiment, the business team said no way.

We expect to see this basic flow get iterated on even further. We hope it will ensure that every OpenID provider has some exposure and not just the big email providers, and we expect the pop-up action to be made increasingly unobtrusive.

This could be the day when OpenID became a far more realistic prospect than it has seemed before.

Granted, this could be another opportunity for us to herald a tipping point for OpenID. But at a time when solutions like OpenID, sign-on services like Facebook Connect, and all-encompassing solutions like JanRain RPX continue to gain traction, we'll settle for noting that the concept of portable digital identities continues to gather momentum - and acceptance.

In conjunction with the PayPal announcement, the Foundation also announced the election of its officers: Brian Kissel of JanRain, Chair; Scott Kveton of Vidoop, Vice-Chair; Mike Jones of Microsoft, Secretary; Raj Mata of Yahoo!, Treasurer, and David Recordon of Six Apart, Committee Liaison. An international liaison is yet to be named.

If you're interested in hearing more on OpenID directly from the members of the OpenID Foundation, ReadWriteWeb recently had the opportunity to sit down for an OpenID podcast with Kissel, Kveton, Chris Messina, and Recordon to discuss OpenID and its potential.

Portable Identity

Identity and portable identity/data remain hot topics. Luckily, the conference wasn't just another pointless "200x is the year of OpenID" love-fest. There were sessions on OAuth, MySpaceID, and Facebook Connect. At one of the Facebook Garage sessions, Dave Morin dug into the nitty gritty of Facebook Connect and really impressed. OpenID and OAuth remain medium-term goals for many web apps, while Connect has jumped immediately to the front on their development road map. This goes to the core vibe of Le Web 2008, which was all about business benefit.

Improved Search

Despite having nothing earth-shattering to say, Marissa Meyer of Google still captured the attention of the audience. Led by some excellent questions, she covered topics such as temporal search (which gives only results from a certain time period), personal search (if the search engine knows what you searched for and liked before, it can give you better results next time), and local search. Meyer noted that she thinks local search in particular will be a hot feature for 2009. There are many start-ups trying to crack this particular nut, but one can see from Google Maps, and more specifically the latest versions of Google Maps Mobile, that these start-ups should be very afraid and need to create something far better than a Google Maps mashup to succeed.

Cloud Storage

Cloud computing and storage is becoming more mainstream every day. There was nothing particularly new from Werner Vogels at Le Web apart from news that EC2 is now fully available in Europe. Amazon's offerings remain geared more to infrastructure, relying on others, such as PutPlace, JungleDisk, and RightScale, to deliver storage that is easily accessible. This is why people have been paying attention to Microsoft's current direction. Every Live product put out by Microsoft in the past two years has been bettered by the competition. There is one clear exception to this: Live Mesh. This is the first consumer-facing Microsoft web app that nails it. At my home we have it installed on four machines and have a directory tree on each syncing seamlessly no matter where we are. Who needs a home server or home network-attached storage (NAS) when Live Mesh does it all without you having to think?

Video Search

Didier Lombard, the head of France Telecom/Orange, said that the next big thing would be "video search," which initially sounded laughable. Then Google confirmed that it has been studying it for a long time, and then we found out that the start-up competition winner was Viewdle, which does exactly that. Viewdle's reps gave a fantastic overview of the technology, which of course spooked many when it was pointed out that it was originally developed for military applications. Being able to parse faces in video and associate them with specific people is mind-blowing. With $500 dual-core boxes, they can parse in nearly real-time, and with massively parallel NVidia GPUs, they can go far beyond that. Expect an exit here in 2009.

Business as usual

Much of the rest of Le Web was about business (and love!), with many presentations by successful web companies that aren't particularly technically innovative. From travel review websites to website builders to mobile IM, we've seen these before. The difference now is that many of these businesses are making money. Let's hope that 2009 shows more progress in both business and technology.

This was a guest post by Conor O'Neill, CEO, LouderVoice; conference photos courtesy of Flickr.

Google will allow web services to join a limited test of an API based on the OpenID 2.0 protocol that will give Google Account users the option to sign in to websites with their Google credentials and without having to sign up for a new account at those sites.

Don't Mention OpenID

One of the key results of Yahoo's OpenID usability study was that users did not understand OpenID and what its logo stands for. Instead, Yahoo promoted the idea of giving users a sign-in button that simply said "Sign In with a Yahoo! ID" (though Chris Messina argues that this could be detrimental to OpenID in the long run).Google and its partners are taking a similar route and are basically bypassing any mention of OpenID itself in favor of a simple message saying "Sign in with a Google Account."

More to Come

Google also announced that it is looking to combine the OAuth and OpenID protocol so that a service can not only request a user's identity through OpenID, but also "request access to information available via OAuth-enabled APIs such as Google Data APIs as well as standard data formats such as Portable Contacts and OpenSocial REST APIs."

Tipping Point?

Thanks to this announcement, a wide range of some of the web's largest service providers now supports OpenID: Yahoo, Google, Microsoft, MySpace, and AOL.

As John McCrea notes, the result of these announcements from Google and Microsoft this week should be "a massive adoption wave for OpenID all over the web."

Why would users want that? Because you don't want to sign in to a social network with the same identity card you use to sign in to financial websites. Higgins aims to replace the assorted user names and passwords we all use today with a set of simple, standards-based identifiers that you can take from site to site.

In addition to a browser plug-in for users, there's libraries that site developers can make use of and an API that will let developers make use of the Higgins Global Graph (HGG) and a quite a few other things with even less hospitable acronyms. OpenID is at least intelligible and end users will not run away when they hear it said out loud.

RSS has changed the world because it is simple. OPML is fun to take to parties because anyone can learn the rules in minutes. I understand that security is by necessity more complex, but any party where as many acronyms show up as is the case with Identity (see below, for example) is not a party I look forward to attending.

The Real Value of Identity Diversification

That said, there is some comprehensible stuff here that's clearly worth checking out. You may have stopped by someplace like SpreadOpenID.org and noticed that many OpenID vendors let users expose any of multiple "personas" when logging into a new site. Is that sufficient for security, though? Now that I see the Higgins vision explained, I do think that using one service for everything and trusting that single service to keep personas separated from each other is more trust than I care to put in anyone. To some degree, Higgins is asking you to put your trust in them instead, but the assertion is that you the user are in the driver's seat.

I'm cheering for a clear, simple interface. Hopefully it will arrive sooner than it took the OpenID community to start to move in that direction. That said, I think there's a lot of potential here in addition to the straightforward and compelling value proposition.

Below: The Higgins Interoperability Framework - don't be scared, it's ok.

This is another small but significant step on the way to an open identity system on the Web, something that we here at Read/WriteWeb have been promoting. Incidentally you may be wondering if we will 'eat our own dogfood' and implement OpenID on this blog -- it is in the plan for our big re-design, which is coming very soon!

Thanks David Recordon for the heads up.

This according to Six Apart's David Recordon who blogged and Twittered excitedly from the event. Recordan, an expert in emerging identity issues, says that the move makes France Telecom the world's first major telco to support OpenID.

Recordan reports that the company also discussed allowing access to Orange branded mobile services using external accounts - presumably OpenID. That'll be putting their money where their mouths are - huge companies can offer to authenticate for other sites all day long without significantly changing the game.

Many sites have been waiting for the OpenID 2.0 spec to be finalized before implementing OpenID. Believe it or not, that could happen as early as next week, according to a post on the blog of JanRain, a leading OpenID vendor.

According to Doc, he originally starting thinking about the idea after a conversation with his wife discussing why she couldn't "take her shopping cart with her across different sites." While at first this seems like an odd request, because we're used to thinking about the site driving the transaction, interestingly when the transaction drives the site it becomes a provocative question. This is why VRM is often characterized as conceptually the inverse of CRM systems.

Leading to the Intention Economy

A lot of the theory builds and complements Attention Trust's work (see Alex's post on the Attention Economy.) However, rather than focus on all online digital attention, this is much more focused on supporting and build an economy around a subset of all attention - that part which is a user declaring their intention.

A common use case discussed throughout the presentations was around booking online travel. The current behavior of many users on the web was going to multiple online properties, as an example Expedia and Kayak for flights and then Priceline and Hertz for rental cars (some of these being meta-sites and others being run by specific travel vendors.) Instead of the current behavior, the desired use case would be that a user would issue a "personal RFP" about the trip they want to take. Then the user would be able to travel from site to site and the relevant information would persistently be delivered directly to the user based on their intentions.

Status of Project

The project is clearly still early in development and very conceptual. But a thought leader like Doc simply giving these concepts a name (VRM) and meeting with others to discuss it regularly, is an important early step. However, it definitely is early and won't change how we behave online in the next 6 months. A crucial next step currently being focused on is developing a set of laws or principals around which solutions and use cases can be tested to determine if they qualify as a VRM solution. This certainly helped the user centric identity community clarify authentication, when Kim Cameron from Microsoft published the Laws of Identity. Hopefully, similar principals or laws from the VRM project will serve to clarify the concept; and then protocols and software can begin to be evolve.

Conclusion

Beyond serving as a valuable example of what can be built on top of authentication, I believe it is a very powerful concept. About a year ago, there was a popular meme that emerged on the the web via Fred Wilson and Caterina Fake called Business Development 2.0. The concept behind Biz Dev 2.0 is that instead of distribution deals being done by professionals in conference rooms (1.0), it can be done more efficiently by programmers leveraging other systems APIs. While not how the project group characterized it, I found myself afterward wondering if this is the next logical evolutionary step in this transition of business development. In other words, if VRM does get traction, business development 3.0 will be about users being in charge of generating their own synergies across sites, to generate value.

]]> Sponsor

In this post I will walk through the information covered, because it has served as a useful framework as I've thought about the issues - and I believe will also be useful to the R/WW community.

3 Major Systems

Working from left to right on the diagram and to establish the basics, fundamentally decentralized identity systems involve three major systems / components for a user to establish their online identity:

• Identity Provider: the site / service that issues and authorizes a user is who they say they are
• Relying Party: the site / service that accepts an identity provider's credentials to authorize a user
• User / Client: the individual (typically via browser or other client) trying to authenticate with a relying party

Suites / Frameworks

There are four suites that have been established to communicate authenticated attributes across the different 3 systems (ID provider, Relying Party and User/Client) using appropriate protocols. These include:

• Open ID
• SAML
• Microsoft Windows CardSpace
• Liberty Alliance Specifications

Open ID

The OpenID framework has established itself as the leading framework for providing online decentralized authentication. Currently, more than 90 million Open ID accounts have been created, using various identity providers. This includes AOL announcing they had setup an Identity Provider server internally, enabling every AOL account (screen name) to be used as a user's OpenID account. This resulted in 63 million new Open ID accounts. (However, I'm sure many AOL users still need to learn what that means for them.) In addition to the progress getting companies to setup servers operating as identity providers, there are now over 2500 sites on the web that operate as relying parties to accept Open ID authorization. The growth of relying parties that accept OpenID has been tremendous over the last six months, as shown in the graph below from the OpenID foundation's presentation at IIW.

Microsoft Windows Card Space

Microsoft has been a involved in the online identity space for some time, starting with Microsoft Passport. And they have learned from that early experience. Their new framework is called Microsoft Windows Card Space (formerly 'InfoCard'). The idea is that users are able to select one of any number of digital identities (cards), which the end-user can choose from when asked for their identity from a relying party. In a paper introducing CardSpace and describing the Identity Metasystem Landscape, it was interesting to read the conclusion:

"Microsoft is doing its part by providing software for Windows, but it can't unilaterally make the identity metasystem vision successful. Others must also understand the benefits they will derive from more effective use of digital identities, and they must choose to participate."

After digesting this vision, I was interested in reading the following recent announcement that the CardSpace framework now works easily within the OpenID framework.

Other Frameworks

The OASIS (Organization for the Advancement of Structured Information Standards) has developed SAML (Security Assertion Markup Language) and the Liberty Alliance has developed sets of specifications.

Protocols and Attributes / Tokens

There are a number protocols which have been established for delivering attributes or tokens between each of the three systems (ID Provider, Relying Party and Client). Typically, the different frameworks try to establish a common interface to the variety of protocols and attributes a system would need to work with. While this certainly provides a flexible system, the vocabulary can get confusing - because the name of a suite is often shared by a specific protocol and attribute spec. However, that same suite can often work across additional protocols and attributes beyond the one they share a name with.

The best example of this seems to be Open ID. On the specifications page, there are both specs on the overall suite (or framework) as well as specs for attributes that can be exchanged. However,the OpenID framework works effectively to exchange attributes beyond the specified OpenID attributes. While this serves to be a very flexible architecture, as already mentioned it does sometimes make the conversation confusing.

Conclusion

While the user centric identity space is evolving, the landscape appears to be coming into focus. It seems like the major challenge in the next year will be working on simple explanations for end users to better understand how these components fit together. Hopefully as this happens, the conversation can shift away from protocols and standards and towards applications that are built on these frameworks. If this happens, I would imagine at some point we'll be interacting with the suites and frameworks on a regular basis. However, we'll be as likely to refer to them by their specific names, as we are today to talk about SMTP/POP3 when discussing our email. With that caution, I hope this was a valuable overview of the fundamentals.