Standardized legal documents for technical specifications may not seem like the sexiest thing in the the world - but this is actually pretty exciting news. Developments like this could be a key part of the foundation that online service providers need to move forward on a long list of great ideas for ways to serve their users.

People come up with crazy ideas for making the web work better all the time. This agreement aims to provide an easy way to make it safe to implement those ideas. The companies participating have spent large amounts of time and money negotiating the agreement, now anyone can take advantage of the fruits of that labor at no cost.

Existing specifications that will be placed under the Open Web Foundation Agreement, per the announcement today, include:

• Syndicated media delivery spec Media RSS (currently controlled by Yahoo!)


• Secure 3rd party authentication spec OAuth Core and Wrap (from Facebook, Google, Yahoo! and Microsoft)


• Real-time feed protocol PubSubHubbub (Google)


• Comment aggregation protocol Salmon (Google)


• Web Slice Format (Microsoft)


• And several others.

All parties involved in building the spec have signed a covenant of non-assertion, meaning that OAuth can now be safely implemented anywhere without concern about Intellectual Property lawsuits. If you think this is too geeky for you - try out the live demo embedded below.

The parties that contributed to building OAuth and have singed the promise not to sue are: Yahoo, Google, AOL, Twitter, Ma.gnolia, Citizen Agency, Wesabe, Pownce and Six Apart. Also signing as individuals were Eran Hammer-Lahav, Mark Atwood and Blaine Cook.

What is OAuth?

OAuth is a standard protocol for one web site to access user information on another website without asking the user for their password, but accepting confirmation from the 2nd site that the person is in fact who they claim to be. As Eran Hammer-Lahav, Open Web Evangelist at Yahoo! and OAuth point-man, told us tonight: "It is a way to build distributed services across multiple vendors while still keeping your data as private and safe as you would like it to be. You can limit it, for example - for time (like only one day), only read access, photos only and not videos, etc."

Why is this important? This is a key technical step towards making data portability real. It creates a path for users to move data they've created on one service into another service that can then offer new features or personalization based on what the users have exposed to them about themselves from elsewhere. It's a big ingredient in a recipe for innovation, in the form of mashups or otherwise.

How is it different than OpenID? It's a related, but different way to move data around. OpenID got a non-assertion covenant signed almost a year ago and provided, along with the Apache Foundation, the basis for the OAuth covenant. There's a whole lot that can be done with both of these protocols and we look forward to seeing them develop together.

What does OAuth look like in the wild? Below are two examples. The first is a screenshot of Yahoo's location based service Fire Eagle asking a user if they want to grant permission for another app to access their data on Fire Eagle.

Screenshot from Chris Messina.

The second example is a mock live demo of OAuth in an iframe, created by Eran Hammer-Lahav. A detailed explanation of this demo can found here.

Pretty awesome, no? So let's get the safe, granular data porting rolling! We eagerly anticipate a growing ecosystem of apps that do things with user data that were never possible before. As Eran Hammer-Lahav, who's been working on this full time at Yahoo! almost all year, says - the web owes him a beer.

]]>Discuss]]> http://www.readwriteweb.com/archives/oauth_nonassert.php http://www.readwriteweb.com/archives/oauth_nonassert.php News Tue, 26 Aug 2008 17:40:03 -0800 Marshall Kirkpatrick