Johannes Ernst’s Blog

“Equal Access Principle”

Eran Hammer-Lahav blogs about an important principle behind OpenID, Yadis, OAuth and a number of related technologies that he calls the "Equal Access Principle". He says the requirements are:

Support large and small providers. Any solution must work for a small hosted website as well as the world's largest portal. It must be flexible enough to allow developers with restricted access to the full HTTP protocol (such as limited access to request headers) to be able to both provide and consume …

I call this the Equal Access Principle. The principle, simply put, asks protocol designers not to be snobs. It states that protocols should be able to operate not only on the most powerful frameworks, but within the constraints of the limited frameworks which are part of the web reality. It is a sort of socialism for protocol architecture. We take away some power from the top to make sure those closer to the bottom can also play along.

I like the term, and I particularly like that he’s giving that important architectural principle a name. Obviously, I like the concepts behind it, too ;-) Isn’t perhaps the main reason for the phenomenal success of the web exactly that principle, that big guys and little guys can play on a level ground? It’s important to keep that in mind…

Now Microsoft is beginning to make sense …

For some years now, I’ve heard Kim Cameron and others at Microsoft talk about "how claims will change everything" in so many different presentations, and to be frank, I didn’t get it. Neither the claims, nor the change or the everything part.

So this week, I came across the Microsoft Identity Software and Services Roadmap document, which features the following snippet of code to determine the role of a user with the .NET Geneva framework:

// Cast the current principal's identity to the claims-aware interface ...
IClaimsIdentity caller = Thread.CurrentPrincipal.Identity
                         as IClaimsIdentity;
// ... and pick out the value of the single role claim.
string Role = (from c in caller.Claims
               where c.ClaimType == MyClaimTypes.Role
               select c.Value).Single();

Let me paraphrase what the paper and the code snippet say:

Dear developer, don’t worry about where identity information comes from to your application, which protocols and formats carried the data, whether passwords or smart cards or other forms of authentication were used.

You don’t need to worry because we give you a very simple API, consisting of: an object that represents the current user of your application. That’s it. You find out all you ever wanted to know about this user simply by iterating over its attributes (aka claims). We do the hard part in moving and converting data around, so it is simple for you.

Now that is a value proposition, particularly to developers. I would have called it "Microsoft will give you the simplest possible API into identity information that you can think of, so you don’t have to worry about it" instead of "how claims change everything", but regardless, it is now making sense to me!

And admittedly, that is a good API. How long it will take until it is populated from all these different sources we’ll have to see, but I like the design.
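As an added illustration (not code from the roadmap document or from Geneva itself), here is the same role lookup written defensively against System.Security.Claims, the successor of the Geneva claims API that shipped with .NET 4.5. It handles the two cases the one-liner ignores: a principal that is not a claims identity (the `as` cast yields null) and a user with zero or several role claims (`.Single()` throws). It also checks which issuer asserted each role claim, because a claim is only as trustworthy as its source; the issuer URLs and the sample claims are constructed for the example.

```csharp
using System;
using System.Linq;
using System.Security.Claims;

static class RoleLookup
{
    // Constructed for this example: the only token issuer the application trusts.
    const string TrustedIssuer = "https://sts.example.test";

    public static string[] RolesOf(ClaimsPrincipal principal)
    {
        // The 'as' cast returns null for a non-claims identity; treat that
        // as "no roles" instead of letting a null dereference happen later.
        var identity = principal?.Identity as ClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return Array.Empty<string>();

        // Collect every role claim rather than assuming exactly one, and keep
        // only those asserted by the trusted issuer: who said it matters as
        // much as what was said.
        return identity.Claims
            .Where(c => c.Type == ClaimTypes.Role && c.Issuer == TrustedIssuer)
            .Select(c => c.Value)
            .Distinct()
            .ToArray();
    }

    static void Main()
    {
        // Constructed sample identity: two roles from the trusted issuer and
        // one "admin" role asserted by an issuer this application does not trust.
        var claims = new[]
        {
            new Claim(ClaimTypes.Name, "alice",  ClaimValueTypes.String, TrustedIssuer),
            new Claim(ClaimTypes.Role, "reader", ClaimValueTypes.String, TrustedIssuer),
            new Claim(ClaimTypes.Role, "editor", ClaimValueTypes.String, TrustedIssuer),
            new Claim(ClaimTypes.Role, "admin",  ClaimValueTypes.String, "https://rogue.example.test"),
        };
        var principal = new ClaimsPrincipal(new ClaimsIdentity(claims, "Federation"));

        Console.WriteLine(string.Join(",", RolesOf(principal)));   // reader,editor
        Console.WriteLine(RolesOf(new ClaimsPrincipal()).Length);  // 0 (no identity)
    }
}
```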

P.S.: I’d love to see that Microsoft also made this work for OpenID, not just for WS-* and SAML. The article implies that eventually they might, but is not very firm on it.

OpenID: The Beginnings of “It Works!” in Practice, Not Just In Theory

A technology works in theory if you have a piece of software and you can make it do what you want it to do for the purposes of demonstrating it and letting others try it out.

It works in practice if people who utterly don’t care about your technology successfully use it because it makes life easier for them.

Plaxo and Google yesterday reported that they took 1000 random Google users who were interested in signing up at Plaxo, offered them a combination of OpenID, OAuth, and a user interface targeted to this particular situation, and measured how many users would actually manage to sign up via OpenID instead of username and password. No prior OpenID or other knowledge was required. It turns out that 92 percent of those random users managed to sign up at Plaxo.

Does your website manage to register 92 percent of the people who want to, with the supposedly simpler username and password? Didn’t think so either.

That is very impressive. Congratulations to Joseph and Eric and their teams.

It clearly shows where the OpenID user experience needs to go. (Nothing particularly hard there, but a bit against conventional wisdom so far.)

Even more importantly, it proves in practice that the theoretical benefit of "easier sign-up for users" is actually real and can be measured, and beats the state of the art. If your competitor manages to sign up 92 percent of potential customers, and your site remains at, say, 50 percent — do you really think you can survive that for long?