· · Identity
· Leica, the German maker of elegant but absurdly-expensive cameras, just released the M11-P. The most interesting thing about it is a capability whose marketing name is “Content Credentials”, based on a tech standard called C2PA (Coalition for Content Provenance and Authenticity), a project of the Content Authenticity Initiative. The camera puts a digital watermark on its pictures, which might turn out to be extremely valuable in this era of disinformation and sketchy AI. Herewith a few words about the camera (Leicas are interesting) but mostly I want to describe what C2PA does and why I think it will work and how it will feel in practice ...
· I’ve been in the conversation around Twitter’s @bluesky project, and last December I posted @bluesky Identity, a proposal for mapping between social-media identities based on public keys and signatures. Recently @bluesky announced the Satellite contest, whose goal is to take identities on three or more online properties and “Link them in a way that anyone can verify you are the author/owner of all.” Which is more or less what @bluesky Identity is all about. So I pulled together a working demo called “Blueskid” (GitHub). This is a quick walk-through of Blueskid ... [1 comment]
· Twitter announced Project @bluesky back in December 2019. I blogged about it supportively then reached out saying I was interested, and was invited to join the conversation; thanks! Several of us offered proposals; this is part of mine, concerned with how identity might work in a world of diverse federated social networks ... [6 comments]
Retina Screen Tab Sweep
· When you’re running your 15" Retina Mac in high-rez mode and you still don’t have room for all your tabs, you probably have a lifestyle problem. One solution is to publish the links, so if your don’t-kill-this-tab instinct turned out to be right, you have Internet Memory on your side ... [1 comment]
OpenID Connect is Here
· Signed, sealed, and delivered as of February 26th. Better than that: In high-volume production at Google and Deutsche Telekom for a while now. Based on OAuth 2, which has been frozen since 2012. Not perfect, but I’d call it one of the safer technology deployment bets you can make right now ... [7 comments]
Nifty Refresh-token Trick
· What happened was, HR wanted to set up a partner to offer benefits for active Googlers only, and thus we discovered an OAuth 2-based trick that I bet will work in lots of other situations too ... [1 comment]
FC9: Social Sign-in
· This term gets bandied about quite a bit in the Federation Conversation. When it comes up, developers tend to strong emotional reactions: On the one hand “We really need social sign-in to make our service work” and on the other “Ewww, no way; I don’t want our users worried about what’s being shared.” I’ve been digging around the subject; sometimes I think there’s no there there ...
· The tabs! They multiply like magnificently miscellaneous maggots! ...
FC8: On Trust
· All these technology and information-flow and money issues in the Federation Conversation are real, they matter. But none of them matter as much as trust. For flavor, here’s commenter Dewald Reynecke: “I don't trust Facebook/Google as far as I can throw them — I simply do not want to outsource my identity to an advertising company.” ... [18 comments]
FC7: Users vs Apps
· When a person signs into an app, that’s a transaction, and value is exchanged. Who comes out ahead on the deal? ... [4 comments]
FC6: Who Are You?
· This is part of the Federation Conversation, where commenter Jashan worried, reasonably enough: “Users tend to forget which of the gazillion available services they have registered at your site with. And then they're too lazy to try all the possibilities. And then they're gone.” Ouch! ... [2 comments]
FC5: Manage Those Passwords!
· Inventing good passwords is hard and so is remembering them, that’s part of the problem. So, how about we get computers to do the tedious stuff for us? Turns out you can, using something called a “Password manager”. Are these things going to end the Federation Conversation? [This piece is part of that conversation.] ... [12 comments]
FC4: Persona Questions
· A couple of episodes back, commenter “tom jones” wrote, urging me to study Mozilla Persona: “it seems all the questions you are discussing have already been solved by them.” Well, then ... [10 comments]
FC3: Who’s Watching You?
· Worried about being watched? Me too. So who’s doing it, and why, and what can they see, and what can you do about it? ... [4 comments]
FC2: Single Point of Failure?
· If you rely on an Identity Provider (“IDP”) to sign into lots of apps, here are two things to worry about: If the IDP gets hacked, do the bad guys get into all your apps? And if you lose your IDP account, are you locked out of all of them? ... [14 comments]
FC 1: Who Learns What
· When you click on the dark-blue button to sign in with Facebook (or bright red for Google) what does Facebook (or Google) learn about you? What does the app you’re signing into learn about you? Uncertainty makes people nervous about federated login ... [13 comments]
· I published Why Federate? last week, arguing that apps should get out of the password business. Ouch! I got ferocious pushback in my comments, on Twitter, and on the accompanying G+ post. Take a minute and read a few. Clearly we need to have a conversation ... [26 comments]
· Part of my job these days is convincing people to get out of the password business and start “Federating”; that is to say, outsource the login mechanics to an “Identity Provider” (IDP) like Facebook or Google or Microsoft or Twitter (and there are lots more). I’ve given the sales pitch quite a few times now; here it is ... [39 comments]
Two Factor, Twice
· One of my jobs is browbeating people to turn on 2-Step Verification, and it’s working; more and more people are. Today I learned that we’ve got some open-source technology you can use to add 2-factor to your own app ... [17 comments]
· What happened was, I got an invite to Poetica, the new startup by Good Internet People Blaine and Maureen. (Poetica has a strong central idea and is aesthetically a treat.) The login experience was unlike anything I’d seen ... [7 comments]
· An OAuth 2 access token is like a hotel-room key card ... [4 comments]
On ID Tokens
· These are a product of the OpenID Connect work, and I think they’re going be super-useful; in fact I keep getting ideas for nifty things you could do with them. So here’s a walk-through on what they are and how they work; maybe you’ll have some ideas too ... [6 comments]
The Tragedy of the Re-Auth
· We’re pushing the notion that sites should do “Federated Identity”; that those “Sign in with Facebook/Google/Twitter/whoever” badges you see everywhere are A Good Thing. And indeed they are. But it’s exposing a subtle problem ... [11 comments]
How to Think About OAuth
· I’m not a deep OAuth 2.0 expert yet; at this point that label is reserved for the (substantial number of) people who wrote the specs. But I’ve worked with a few implementations and talked it over with smart people, and I have opinions. Summary: It’s a framework not a protocol, it has irritating problems, and it’s really very useful ... [8 comments]
· I’m in London next week for the OIDF Workshop. I plan to spend the evening of Tuesday January 22nd with my bum on a seat in The Phoenix and a beer in front of me. Anyone who has an opinion about Identity or Android or Google or photography or Japanese Metal bands, drop by and say hello. [2 comments]
Client + Server - Passwords
· This has been live on our servers for a while, but is now announced and open for general use. Here’s the short version: If you have an Android app and a web-server back-end, you can authenticate the person using the app to your back-end securely, efficiently, and with no prompts or passwords ... [11 comments]
· This isn’t exactly a Google thing, but we’ve been putting a lot of work into it, and now it’s about ready to use. I think lots of sites should. Because it’s easy, private, secure, and reduces login pain ... [15 comments]
Twitter OAuth, Easy
· Back in 2009 I wrote this little Ruby script I run Mondays to grab the last week’s tweets and publish them into the Short-form Fragments stream here on the blog, because who knows when Twitter might make my history vanish? It broke today and I fixed it and had another instructive OAuth experience ... [1 comment]
Help Plan My 2013
· The Identity group where I’m working now is going to be launching some stuff soon, and I want to go out and talk to the world about it. I’m looking for input on good developer-focused meetings and conferences that I should be at to talk and, more important, listen ... [9 comments]
Android OAuth via Google Play services
· It started launching this morning, to every compatible Android device in the world running Froyo or higher. That’s a lot of devices, and even at Google scale it’ll take some time to roll out. This is a subtle but significant change in the ecosystem ... [4 comments]
Less Pain, More Money
· Logging in is annoying and slows you down. My job these days is mostly about reducing that pain, ideally to zero by eliminating it. Google really wants this to happen; here are two reasons why, one general and one specific ... [22 comments]
Now on Identity
· As of July 1, I’m moving from Google’s Android team to our Identity group, to work on OAuth, OpenID, and that sort of stuff. Back to being a full-time Web guy, for a while anyhow ... [24 comments]
Android App Engine Client
· Recently I wrote a scary App-Engine back end for an Android app. I wanted it to be secure, which should be easy because Androids have Google accounts and App Engine knows about those. I got it to work, but the process irritated me enough that I decided to package it up as a public service. So now there’s a little open-source library called App Engine REST Client. It offers GET and POST methods, includes an Authenticator class, and tries to be as simple as possible to use ... [4 comments]
OpenSSO and Enterprisey Open Source
· [This is one of four pieces of Sun news from last week; I actually got to make the announcements at OSCON but was too busy to blog]. A couple of years ago, Sun’s software group launched the OpenSSO project, the open-source version of our big comprehensive suite of identity-management tools. Now, that project is a supported Sun product: OpenSSO Express. I don’t understand the software deeply enough to say anything authoritative about it, but the pricing-and-support model is interesting ... [1 comment]
· One of the most interesting pieces of the new Google App Engine is the identity piece ... [17 comments]
Tab Sweep — Tech
· Today we have Java yielding, thread ranting, REST lecturing, and identity insight ... [6 comments]
OpenID at Work
· On both the Internet and behind the firewall, the identity problem gets uglier every year. How many passwords do you have? If you’re in IT, how much pain do you go through getting your all your apps to share a notion of who someone is? There are a lot of smart people working on these problems, but progress has been crushingly slow. We’re doing a little something with OpenID this week that won’t turn the world inside out but I think shows that progress is possible ... [11 comments]
· The buzz around OpenID is becoming impossible to ignore. If you don’t know why, check out How To Use OpenID, a screencast by Simon Willison. As it’s used now (unless I’m missing something) OpenID seems pretty useless, but with only a little work (unless I’m missing something) it could be very useful indeed ... [31 comments]
· This is going to be big and have month-old news in it; a consequence of the long southern-hemisphere posting interruption. I’ll even group ’em into paragraphs ...
SAML On The March
· I tell people I’m a software generalist, but there are lots of holes in my knowledge. One of them is identity and I really must fix that, because it’s a hot pain point both for businesses and individual people. (How many passwords do you have?) Anyhow, our own Eve Maler is one of the people you want to watch in this space, and she’s pointing us at a bunch of action over in SAML-land, here, here, and here. For my money, the hot story is the Danish requirement that if you want to do federation, you should bloody well use SAML. The Danes have had positive experiences with shared standardized XML vocabularies, having scored a big win with UBL. I can’t imagine anything in the short term that would be of greater benefit for everyone than ubiquitous shareable identity services.
Raining on the Parade
· I guess it’s good that Steve and Scott made nice, and there’s no doubt that when the customers tell you to interoperate, then you bloody well interoperate, so it was a good piece of work (see Pat Patterson’s take in a comment on his own blog). But this glue for linking to Microsoft’s WS-Federation is a second-rate solution at best. Among other reasons, WS-Federation is yet another WS-backroom spec that might change (or go away) any time the people in the backroom want it to; not something I’d advise betting on. If you have products from any two vendors that implement Liberty Alliance specs properly, well, they interoperate. Single sign-on? Yawn. Pretty well everybody is a member, oh except Microsoft. If the customers want single sign-on (and they do want single sign-on), Microsoft should bloody well join Liberty and implement the specs, then they’ll have interoperation with everyone, not just Sun.
By Tim Bray.
The opinions expressed here
are my own, and no other party
necessarily agrees with them.
A full disclosure of my
professional interests is
on the author page.
I’m on Mastodon!