OpenID and Liberate the data

Friday, July 25th, 2008
Arise! All which refuse to be slaves!
Let your power penetrate our new Great Firewall!
As Web 2.0 faces its greatest peril,
we forcefully expend our last cries.
Arise! Arise! Arise!
Our million hearts beat as one,
Liberate our identities, March on!
Liberate the very last bit, March on!
March on! March on! On!

Adapted from "March of the Volunteers" (義勇軍進行曲)

Liberate the ID! Liberate the data!

Liberate the ID

Once upon a time, every web app and website needed its own username and password, and that was the only way to identify oneself.

Then Microsoft came out with the Passport solution, which is called Live ID today. Associated partner websites could use Live ID for authentication. The biggest shortcoming is that both parties have to trust Microsoft completely. Well, I could accept using Live ID on Microsoft products; after all, I have to trust the product anyway. But using it with a third-party service provider? A no-no.

Oh yeah, not to mention that UHome/NetsKey almost reinvented the wheel for a similar purpose…

Today, we have OpenID. Finally, we can own our own identity. The password is never revealed to any third party, and I don't have to trust anyone else to manage my password. For those who are unable to host their own authentication system (in fact, a single PHP script is all it takes), OpenID at least gives you the freedom to choose your identity management provider, for example http://openid.net.

To use OpenID to log in to another website, for example to leave a comment on Blogger, I just need to say "I am coming from hellosam.net". Then, through the authentication system I set up on hellosam.net and a series of data exchanges, Blogger at the far end can confirm that I, who declared myself to be hellosam.net, am also confirmed by the machine at hellosam.net to be who I say I am. Put another way, the principle is similar to the following example: I tell Blogger my mobile number, it sends me an SMS, and if I can tell Blogger the content of that SMS, I have proved myself to be the owner of that phone number.

The advantage of OpenID is that neither party needs to trust any third party, and I know the other end will never have to manage my password. My wallet is the best home for my ID card. On the other hand, Blogger can never falsely claim to be hellosam.net just because I have used my OpenID there; by analogy with the SMS example, Blogger won't be able to claim to be the owner of my phone.
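The "series of data exchanges" and the reason the receiving site cannot reuse my login elsewhere, sketched as an added example (not code from this post or from any OpenID library). It assumes OpenID Authentication 2.0 with an HMAC-SHA256 association already shared between provider and relying party; all URLs, handles and keys are constructed.

```python
import base64, hashlib, hmac

REQUIRED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"}

def sign(fields, mac_key):
    # OpenID 2.0 signs the Key-Value Form ("key:value\n") of the fields listed in openid.signed.
    signed = fields["openid.signed"].split(",")
    data = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode()
    return base64.b64encode(hmac.new(mac_key, data, hashlib.sha256).digest()).decode()

def issue_assertion(mac_key, handle, identity, return_to, nonce):
    # Provider side (the script on the user's own domain), after the user has logged in there.
    fields = {
        "openid.mode": "id_res",
        "openid.op_endpoint": identity + "openid",  # hypothetical endpoint path
        "openid.claimed_id": identity,
        "openid.identity": identity,
        "openid.return_to": return_to,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": handle,
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    fields["openid.sig"] = sign(fields, mac_key)
    return fields

def verify_assertion(fields, associations, expected_return_to, seen_nonces):
    # Relying-party side: returns the verified claimed_id or raises ValueError.
    signed = fields.get("openid.signed", "").split(",")
    if fields.get("openid.mode") != "id_res" or not REQUIRED <= set(signed):
        raise ValueError("not a fully signed positive assertion")
    if any("openid." + k not in fields for k in signed):
        raise ValueError("signed field missing")
    mac_key = associations.get(fields["openid.assoc_handle"])
    if mac_key is None:
        raise ValueError("unknown association")
    if not hmac.compare_digest(sign(fields, mac_key).encode(), fields.get("openid.sig", "").encode()):
        raise ValueError("bad signature")
    if fields["openid.return_to"] != expected_return_to:
        raise ValueError("assertion issued for another site")
    nonce = (fields["openid.op_endpoint"], fields["openid.response_nonce"])
    if nonce in seen_nonces:
        raise ValueError("replayed assertion")
    seen_nonces.add(nonce)
    return fields["openid.claimed_id"]

if __name__ == "__main__":  # constructed sample values, not from the original post
    key, seen = b"constructed-shared-mac-key", set()
    a = issue_assertion(key, "h1", "https://id.example/", "https://blog.example/return", "2008-07-25T00:00:00Zx1")
    print(verify_assertion(a, {"h1": key}, "https://blog.example/return", seen))
```

No password appears in any field the relying party sees. Discovery, meaning the check that the claimed identifier really points at this provider endpoint, is left out of the sketch.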

P.S. The actual authentication implementation is totally up to the provider. Usually it's a username and password pair, but someone could make it a PKI system, or even biometrics + OTP + two-factor token, or even a no-password setup that automatically authenticates anyone.

MySpace announced a few days ago that they support OpenID. But this so-called "support", similar to what many major players are doing, means letting their users use their profile as an OpenID, so that those users can log in to other OpenID-enabled websites. Using OpenID to log in to MySpace? You hit a dead end. Big corporations are still very conservative in this sense: they just want to promote themselves through the footprint left by the authenticated OpenID URL, and perhaps simply use "we now support XXX (any hot technology)" as a PR technique.

The revolution has not yet succeeded; comrades must keep up the effort!

Liberate the Data!

Microsoft has released a very evil technology, currently at the CTP (Community Technology Preview) stage: Live Mesh.

Live Mesh allows files to be synchronized across multiple computers, PDAs and smartphones. Even when a device is offline, work can still be done on the local cache, which is synced up through P2P or the Mesh Cloud when Internet connectivity is available again. The data can also be shared among Mesh users. Mesh.com itself also provides a web interface for accessing all the data you have shared. In a broad sense, the Mesh engine can actually synchronize any data; the file service is just a demo implementation built on it. The API will be opened up to allow ISVs to build applications on the Mesh (Channel 9 has a demo showing that the engine can provide at least an API for .NET and Python, or present the same data as JSON, RSS or Atom, or through WebDAV). Collaboration-type applications could surely leverage this platform in some sense.

The concept is not totally new, but an implemented product would be one of the first of its kind in the world.

Why evil? When you use this service, the data will somehow flow through the Mesh Cloud, because we need at least an almost always-on server to manage everything and to oversee the synchronization process. Just like Microsoft Live ID, you have to trust it!

If this protocol were opened to the public, or, let's say, someone designed a protocol like OpenID, people could build the overseeing system and host their own stuff at their own expense, or choose a provider they want to trust, and those systems could still cooperate and share data because all of them speak a common protocol. What a beautiful world…!

The revolution has not yet succeeded; comrades must keep up the effort!
