Facebook exists because a simple usable federated identity system doesn’t. Wired’s challenge to tear down the social networking silos seems easier to solve if we had such an identity system and I would think that the openid community would take up the reins and lead the charge.
I was therefore somewhat aghast when I saw the original mr. openid and the current mr. openid trying to solve the problem without actually building atop openid. Why? Have they abandoned their offspring? Or is Openid just not the right foundation and in need of a reboot?
The wired article points out that it’s pretty trivial to assemble facebook as long as you don’t mind the entire world seeing what you are doing, your "friends" can even receive event notifications via feedreaders, but then so can the rest of the world. Facebook’s real value, therefore, is an easy to use access control system, limiting who can view your photos, view your posts and get alerts. This access control system, dubbed the "social graph", is embodied as "friends" in facebook and "connections" in linkedin.
So why can’t openid enable this in a distributed fashion? Surely openid should be the basis of any distributed access control system. Why can’t I, who chooses to be hosted on facebook, befriend you on myspace. Why can’t I receive notifications of your recent actions? and why can’t you view my profile? and why can’t all this happen without the prying eyes of the rest of the world? These seem like the problems that openid should be helping solve. So why didn’t Brad and David choose to build atop it? instead making it’s use optional?
I have to admit to worrying a little about openid’s direction. It can’t get close to the challenge thrown down by Wired and instead of trying to address these very real problems in version 2.0 it has instead chosen to focus on incorporating an obscure naming scheme, which IMHO has introduced unnecessary complexity. So what could it do? Could the Wired challenge be solved with openid as the base? I believe the openid community could choose to solve these problems and FWIW, here’s my list of to do’s.
- Adopt the world’s most popular naming scheme for individuals. Yes I know there are privacy issues with using an e-mail address identifier and yes I know there are advantages to http based URI’s, but there is a reason why it is facebook’s primary identifier. Ignoring it presents real usability and adoption challenges.
- Have openid work for REST based web services e.g. feed readers. The only way that friends can keep track of my latest posts / photos etc. in a distributed fashion is through feeds and if I want to limit who can see them then the feed readers need to authenticate with my service. Unfortunately openid is designed for interactive user agents and feed readers are anything but that. So please can we have openid designed to work with any http client and not just the "interactive" ones.
- Define the "befriend" protocol. This would be the mechanism that establishes and terminates the relationship between two identities, so they can view each others stuff. Instant messaging has this same problem i.e. establishing who can view my current presence and so there are places to look for inspiration.
Am sure there’s more details e.g. how the "roster" of friends gets sent to the different services but that also sounds familiar. It just seems to me that Brad and David are applying a band aid with their proposal and I’d much prefer they go back to open heart surgery and fix this thing once and for all.
p.s. I don’t buy Dave Winer’s economic roadblocks to distributed social networks. The same argument could be applied to AOL’s and Delphi’s email "walled gardens" prior to 1993.