Johannes Ernst’s Blog

MySpace DNS poisoned?

What is wrong with this picture?

% dig myspace.com
...
;; QUESTION SECTION:
;myspace.com.                   IN      A

;; ANSWER SECTION:
myspace.com.            85833   IN      A       216.178.32.50
myspace.com.            85833   IN      A       216.178.32.51
myspace.com.            85833   IN      A       127.0.0.1
myspace.com.            85833   IN      A       216.178.32.48
myspace.com.            85833   IN      A       216.178.32.49

I tried from a couple of points on the internet, and I’m getting the same result. Sounds like somebody managed to insert themselves between a hapless user and MySpace. One can guess what they are up to …

This is the kind of attack we’ll have to watch out for around OpenID.
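As an added example (not part of the original post), the check below automates what the dig output above makes visible by eye: it parses the A records a resolver returned and flags any address that is not globally routable, and compares answers from several vantage points. The sample answer section is constructed to mirror the one quoted above.

```python
# Added example: sanity-check resolver answers for a public hostname.
import ipaddress
import re

# Constructed sample, mirroring the ANSWER SECTION quoted in the post.
DIG_ANSWER = """\
myspace.com.            85833   IN      A       216.178.32.50
myspace.com.            85833   IN      A       216.178.32.51
myspace.com.            85833   IN      A       127.0.0.1
myspace.com.            85833   IN      A       216.178.32.48
myspace.com.            85833   IN      A       216.178.32.49
"""

A_RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\S+)$")


def parse_a_records(text):
    """Return (owner, ttl, address) tuples for each A record in dig output."""
    records = []
    for line in text.splitlines():
        m = A_RECORD.match(line.strip())
        if m:
            records.append((m.group(1), int(m.group(2)), m.group(3)))
    return records


def suspicious_addresses(records):
    """Addresses in the answer that are not globally routable.

    Loopback, RFC 1918, link-local and unspecified addresses have no
    business in the answer for an internet-facing host; one showing up
    is a strong hint that a cache, or the path to it, was tampered with.
    """
    return [addr for _o, _t, addr in records
            if not ipaddress.ip_address(addr).is_global]


def answers_agree(answer_sets):
    """True when every resolver queried returned the same set of addresses.

    The post checks from several points on the internet; comparing the
    sets tells a single poisoned cache from an authoritative change.
    """
    sets = {frozenset(addr for _o, _t, addr in s) for s in answer_sets}
    return len(sets) <= 1


if __name__ == "__main__":
    recs = parse_a_records(DIG_ANSWER)
    print("suspicious:", suspicious_addresses(recs))  # ['127.0.0.1']
```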

Eric Norlin: "internet identity is now called URL-based identity"

I hope you meant that, Eric, because I’m about to quote you! In a ZDnet post titled "A tipping point?" he comments on Technorati’s adoption of OpenID, and almost casually, he says:

Note: "internet identity" is now called "URL-based identity," or even more broadly and less accurately "user-centric identity".

This is quite remarkable. As far as I recall (and Google seems to recall), the very term "URL-based identity" is only about a year old. There have been, are, and probably will be for a long time, many other approaches to identity. And Eric, one of the definitive opinion leaders in this industry, is now equating URL-based identity with internet-scale identity.

I should quote more of his reasoning:

Way back in the early mists of identity time, I was speaking with Bryan Field-Elliott (then CTO of Ping Identity) about the earliest drafts of the Liberty Alliance protocols, and whether or not they could be used for what we then called “internet identity.” … Bryan told me that while SAML or Liberty *could* be used for “internet identity” (theoretically), they never would be. They never would be because web developers are their own breed — they don’t gather at hotels, “spec out” requirements, and engage architects to build an elegant solution. Instead, web developers stumble upon something that excites them, pull in disparate pieces, kludge something together, get a big guy or two to buy in, and start using it.

Bryan was, of course, right.

I have to take exception to the "kludge something together" because OpenID so far isn’t, and I’m hopeful it will stay that way, too. But it describes the dynamics very accurately, and apparently, it’s working!

We’ve come a long way since that late-night joke between my wife and me about solving the identity problem by "giving everybody a URL and be done with it"…

Persistent Personas (aka Recognizing Each Other)

If you and I met for the first time yesterday, we spent some time to learn about each other, and you see me crossing the street today, you will recognize me. Recognizing others is a fundamental human ability, and crucial for society to function. (Imagine if we didn’t.) It used to be that way at the store, sometimes it still is, and when it isn’t, companies often go through considerable expense trying to create the same illusion (look for "Ritz-Carlton" in this often-repeated story).

When I’m a visitor to your website, spend some time on it, and tomorrow, I come by again, what should happen? Unfortunately, opinions are divided on that one:

  • In the state of the art on the web, many sites use tracking cookies, so your site will recognize me — actually, my browser, not me — on the second visit, and I have little choice in the matter.
  • Privacy advocates often argue that the default should be anonymity under virtually all circumstances; unlike in the physical world.
  • And everything in between.

At NetMesh, we think that the user should be in control and have the option of either: if I decide to "log off" from your site, this should mean that I want you to stop tracking me, because I said so through the act of logging off. If I don’t, by all means, please recognize me when I come again, so we can continue our conversation where we left off when I had to leave yesterday. Just like you and I can continue yesterday’s conversation today in the physical world.

Our LID / OpenID default Relying Party implementation at NetMesh follows this principle. When you first authenticate at a site that uses our relying party code, it sets two cookies:

  1. a long-term cookie that holds your identity URL or XRI (that you used to authenticate)
  2. a short-term cookie that contains a session token. It is short-term to cause session revalidation with the identity host on a regular basis.

For example, if I go to, say, osis.netmesh.org (a MediaWiki that is LID/OpenID enabled) today and authenticate as mylid.net/jernst, it stores that mylid.net/jernst in a long-term cookie, and my session handle for only about 10 minutes, after which the site will re-authenticate my session with the identity host (those 10 minutes are a configurable parameter).

When I return to any of the pages on that wiki tomorrow, it transparently validates my claimed identity (from the cookie) with my identity host, and I have to do nothing for the site to recognize me, and for my identity host to cryptographically assert to the site that it is indeed me. Which is exactly what I want! It’s a wiki: chances are that if I did some editing there yesterday, I will want to do some more editing with the same identity today.

If I didn’t want that and wanted to be anonymous instead, all I have to do is click a single button on the page (bottom-right corner) as a result of which the two cookies are removed, and I’m as anonymous as before again. We figure this is a good compromise between modeling human behavior (recognition on subsequent encounters), privacy (one click and you are anonymous again) and ease of use (no clicks necessary on subsequent visits to log on or anything of that nature, unless I want to change my privacy preferences).
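To make the two-cookie behaviour described above concrete, here is a small model of such a relying party. It is an added example, not NetMesh's InfoGrid or LID code; the cookie names, the HMAC-based session token and the identity-host callback are assumptions for illustration. The point it shows is that the long-term identity cookie alone never grants access: an expired or tampered session token always forces a fresh assertion from the identity host, and logging off removes both cookies.

```python
# Added example: hypothetical two-cookie relying party (not NetMesh code).
import hashlib
import hmac
import secrets

SESSION_TTL = 10 * 60  # seconds; the post notes this is configurable


class RelyingParty:
    def __init__(self, identity_host, key=None):
        # identity_host: callable(identity_url) -> bool, standing in for the
        # cryptographic assertion the real identity host would return.
        self.identity_host = identity_host
        self.key = key or secrets.token_bytes(32)
        self.host_checks = 0  # how often we had to go back to the host

    def _token(self, identity, expires):
        msg = f"{identity}|{expires}".encode()
        mac = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        return f"{expires}|{mac}"

    def _token_valid(self, token, identity, now):
        try:
            expires, mac = token.split("|")
            expires = int(expires)
        except ValueError:
            return False  # malformed token: treat as absent
        expected = self._token(identity, expires).split("|")[1]
        return now < expires and hmac.compare_digest(mac, expected)

    def login(self, identity, now):
        """After the first successful authentication: set both cookies."""
        return {"lid_identity": identity,
                "lid_session": self._token(identity, now + SESSION_TTL)}

    def visit(self, cookies, now):
        """Return (identity or None, cookies to set) for one request."""
        identity = cookies.get("lid_identity")  # long-term cookie
        if identity is None:
            return None, {}  # anonymous visitor
        session = cookies.get("lid_session")  # short-term cookie
        if session and self._token_valid(session, identity, now):
            return identity, {}  # within the 10-minute window
        # Expired, missing or forged token: re-validate with the host.
        self.host_checks += 1
        if not self.identity_host(identity):
            return None, self.logoff()  # claim not backed by the host
        return identity, {"lid_session": self._token(identity, now + SESSION_TTL)}

    @staticmethod
    def logoff():
        """The one-click button: both cookies removed, anonymous again."""
        return {"lid_identity": None, "lid_session": None}
```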

[I was just asked what exactly happens in our InfoGrid LID implementation, and figured I might as well blog it. One of the nice things of this is that you can bookmark at will, del.icio.us and what have you, and sites still recognize you with zero effort on your part; if you want to, only, of course.]

If you want to try it, grab any LID or OpenID identity from any provider (URL or XRI, either are fine), and go to our test site firstsso.netmesh.org, for example. If you need an identity, go sign up at mylid.net.

Gartner Validates Drummond Reed and Doc Searls

In this article, Internet News’ Clint Boulton quotes Peter Sondergaard, Gartner’s head of global research, as having said during the Gartner Symposium ITxpro 2006’s keynote:

Changes in consumer behavior and preferences will trigger a power reversal in business models… Consumer-to-business will replace the predominant business-to-consumer model.

If I recall correctly, it was Drummond Reed who coined the term "Company Relationship Management" (with the customer being in control, rather than the company, as in case of traditional "Customer Relationship Management"). And Doc Searls has been tireless in explaining how the world changes when that happens.

Well, not only is it happening all around us (the growth of RSS is exhibit A), now even Gartner is talking about it. It surely must mean that the concept will be getting a lot more attention going forward.

Origin of the term “Social Commerce”

I just found out that the term "Social Commerce" was coined by Mary Ruddy in a conversation with Paul Trevithick. Mary first used the term publicly in a podcast from IIW 2005.

Since then, Yahoo has picked up the term, assorted startups use it, and many people seem to blog about it all the time.

Score one for Paul and Mary for anticipating yet another important new trend … currently, they are most visible as leading the Higgins digital identity open-source project to which they have attracted heavyweights IBM, Novell and others.