Johannes Ernst’s Blog

The Best and the Worst of Times: Whence Internet Identity?

The 10th Internet Identity Workshop this week had record attendance. Since that first one, five years ago, amazing adoption has happened: pretty much all major technology companies have implemented it, there are more than a billion identities in the market, tens of thousands of sites accept them, and more people show up to IIW — it must be the best of times.

But it is also the worst. To quote Phil Windley’s summary (go there, read the whole thing, it’s worthwhile):

InfoCards are largely dormant at this point. Kim Cameron, the father of InfoCards, has abdicated to France…

The only other player, Azigo, isn’t releasing updated selectors either… All of this adds up to a situation where no one would be comfortable adopting InfoCards…

OpenID continues to thrash towards becoming a viable solution. The politics surrounding OpenID are worthy of a soap opera…

If Phil had the harsh words for Cardspace and information cards this week, I guess I had the harsh words for the OpenID camp last week, calling what’s being developed there the Open Pile: it turns out that not one person (neither on the blog, nor in person) I talked to this past week disagreed with my diagnosis; most agreed enthusiastically. But then everybody tends to turn around and have great fun adding more overlapping versions of protocols to the pile. Somebody go figure, because I don’t get it. How do we accomplish our vision of portable internet identity if we add more incompatibilities and never remove any?

So where does this leave us? Twelve steps forward and eleven back, taking two detours in the middle. Or something like that. The movement goes on. Thrashing, like a soap opera, as Phil says. There’s a pony in there somewhere waiting to come out, as John Panzer commented. Well, that pony better be patient.

Let’s Implement the Open Pile! It’ll Be Great!

You are not on the bandwagon yet? You are so behind the times! Haven’t you heard that the web is now social, and user-centric, your customers are in charge, they create and remix and share and rate and activity stream and manage you, the vendor, and you still haven’t implemented the Open Pile!

Ehm, I mean the Open Stack, sorry about that, a slip of the tongue here. The community has been working together hand in hand to define these exciting new standards, singing kumbaya all the time; how can you not have implemented them and still look your manager in the eye?

So let’s get started right away. You need to implement OpenID for login, with NASCAR buttons so it’s easy for your users, not too many, not too few, and yes, a text field for those other identity providers, with of course a non-Javascript fallback, and information card detection in case somebody runs Vista or is an AAA member, and OAuth, well, there are several incompatible versions just like with OpenID and of course you have to support 2, 3, and I don’t quite remember how many more legs, which should of course do the hybrid with OpenID, rooted in cutting-edge discovery in all the needed ways: just three ways from Yadis, two from OpenID, some new well-known locations with LRDD and sometimes you have to check with Google directly, of course you have to be prepared to accept URLs, e-mail addresses, PPIDs and unreadable URLs as identifiers, claimed and proven, I’m sure your website folks will figure out how to map them to their databases in no more than a few weeks, then you automagically (imagine!) get your user’s first and last name and e-mail address via SREG or AX (but there might be incompatible schemas) or Portable Contacts or Microformats, yeah, no provider supports all of those and many don’t support any but that’s just an implementation detail, and boy all the great info you will get via xAuth any time soon now and then you can publish activity streams and you even will make the Salmon run upstream! It’ll be SO GREAT!!

If I knew how to draw cartoons, I’d have a field day here.

No wonder Facebook is winning with a proprietary stack.

As we go into IIW next week, guys, it’s time to get real. Either we cut 80%+ off this pile and make the remainder actually work, or we give up. I just hope there won’t be proposals for more protocols next week. How about we all propose which 90% of our favorite pet projects we are willing to kill? The alternative, I’m afraid, is the way UNIX has been going in the face of first NT, and then Linux. “Open” means nothing if it’s just a pile.

P.S. Thanks to Kaliya for encouraging me to get this off my chest and annoy some people if it has to be that way.

Is Social Media Decentralization the Problem or the Solution?

Mike Arrington is complaining about fragmentation of his personal media:

Everything is decentralized, and no one is working to centralize stuff. I’ve got photos on Flickr, Posterous and Facebook (and even a few on MySpace), reviews on Yelp (but movie reviews on Flixster), location on Foursquare, Loopt and Gowalla, status updates on Facebook and Twitter, and videos on YouTube. Etc. I’ve got dozens of social graphs on dozens of sites, and trying to remember which friend puts his or her pictures on which site is a huge challenge…

Someone will eventually help us make sense of all these various types of services…

He says the problem is decentralization, but I think he means fragmentation, rather than decentralization. After all, if he didn’t like decentralization he could simply “just do Facebook” (or whatever single site) and there would be no problem. But like most, he doesn’t seem to be interested in picking a single centralized service.

To which Kevin Marks responds:

To solve the social conundrum we need the equivalent - agreed standards in widespread use so that we can generalize across sites. Fortunately, we have these. We have OpenID and OAuth for delegated login; we have XFN, other microformats and Portable Contacts for public and private people connections; we have Feeds and Activity Streams for translating social actions between sites.

This enabling social infrastructure means that we’ll be able to have a new generation of sites that enhance our web experience through social filtering without our connections being centralised in a single company’s database.

It’s amazing that everybody thinks decentralization is the right approach, and Kevin is certainly right that the continuing adoption of these standards helps de-fragment our fragmented social media universes.

Where I disagree is that I think these standards are necessary, but not at all sufficient. Case in point: OpenID. Just because two sites both implement OpenID, it does not mean that if I log into the first, I’m automatically logged into the second. It does not mean that the GUI for OpenID looks the same at both sites. It certainly does not mean that both sites even know I’m the same person, even if I used the same identity provider. Similar issues arise around all of the other “social connectivity” standards, and even more so when they are put together.
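As an added illustration of the identifier-mapping problem (the “map them to their databases” line in the Open Pile post above, and the “both sites know I’m the same person” point here), this is example code, not from the blog or from any OpenID library. A relying party that keys its accounts on the raw string the user typed splits one person into several accounts, while one that applies the normalization OpenID Authentication 2.0 section 7.2 prescribes (and the RFC 3986 section 6 syntax normalization it refers to) keeps them together. The RelyingParty class and the sample logins are constructed for this example; redirect-following, which the spec also requires during normalization, and XRI resolution are left out so the code runs offline. Note that even with both sites normalizing, they still only agree on “the same person” when both key on the claimed identifier and the provider asserts the same one to each, which is exactly the gap the paragraph above describes.

```python
from urllib.parse import urlsplit, urlunsplit

# Global context symbols that introduce an XRI (e.g. "=alice"); those are
# returned unchanged since XRI resolution is not modeled in this example.
XRI_GCS = "=@+$!("


def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4: resolve '.' and '..' segments of an absolute path."""
    segs = path.split("/")
    out = []
    for seg in segs:
        if seg == "..":
            if len(out) > 1:      # never pop the leading empty segment (the root)
                out.pop()
        elif seg != ".":
            out.append(seg)
    if segs[-1] in (".", ".."):   # a trailing dot segment keeps the trailing slash
        out.append("")
    result = "/".join(out)
    return result if result.startswith("/") else "/" + result


def normalize_identifier(user_input: str) -> str:
    """Normalize a user-supplied OpenID identifier (OpenID 2.0 section 7.2 plus
    RFC 3986 syntax-based normalization). Redirect-following is omitted here.
    """
    s = user_input.strip()
    if s.startswith("xri://"):
        s = s[len("xri://"):]              # spec: strip the xri:// prefix
    if s and s[0] in XRI_GCS:
        return s                           # XRI identifier, left as-is (assumption: no resolution)
    if not s.lower().startswith(("http://", "https://")):
        s = "http://" + s                  # spec: URLs without a scheme get http://
    parts = urlsplit(s)
    scheme = parts.scheme.lower()          # scheme and host are case-insensitive
    host = (parts.hostname or "").lower()
    port = parts.port                      # raises ValueError on a malformed port
    default_port = {"http": 80, "https": 443}[scheme]
    netloc = host if port in (None, default_port) else f"{host}:{port}"
    path = remove_dot_segments(parts.path or "/")   # empty path becomes "/"
    # fragment is dropped: the spec says it MUST be stripped from the identifier
    return urlunsplit((scheme, netloc, path, parts.query, ""))


class RelyingParty:
    """Constructed toy relying party: an account table keyed on the claimed identifier."""

    def __init__(self, normalize: bool):
        self.normalize = normalize
        self.accounts = {}

    def login(self, claimed_identifier: str) -> str:
        key = normalize_identifier(claimed_identifier) if self.normalize else claimed_identifier
        if key in self.accounts:
            return "existing"
        self.accounts[key] = {"first_seen_as": claimed_identifier}
        return "created"


# Constructed sample: one person typing the same identifier three different ways.
SAMPLE_LOGINS = [
    "alice.example.com",
    "http://alice.example.com/",
    "HTTP://Alice.Example.com:80/#me",
]


def account_count(logins, normalize: bool) -> int:
    """How many distinct accounts a relying party ends up with for these logins."""
    rp = RelyingParty(normalize)
    for ident in logins:
        rp.login(ident)
    return len(rp.accounts)


if __name__ == "__main__":
    print("naive RP accounts:", account_count(SAMPLE_LOGINS, False))        # 3
    print("normalizing RP accounts:", account_count(SAMPLE_LOGINS, True))   # 1
```

The design choice worth noting for anyone building the “mapping” layer: key the account on the normalized claimed identifier, never on the provider-local identifier or on the raw user input, and store the raw input only as an audit detail. Two sites that each do this at least agree on the key; whether they agree on the person is still up to the provider.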

What Mike Arrington wants, and very reasonably so from the perspective of the user, is massive simplification. We’ve made huge strides in the past 5 or so years in building up a technology stack that begins to address some of these issues, but we are far, far from done getting to the simplification Mike asks for. The biggest problem is that nobody can quite articulate what it would look like, other than “simple” in some fashion. Kind of hard to build technology for that kind of specification …

OpenID et al Security Economics

Steven J. Murdoch and Ross Anderson, in the very worthwhile “Verified by Visa and MasterCard SecureCode: or, How Not to Design Authentication”, assert:

While other single sign-on schemes such as OpenID, InfoCard and Liberty came up with decent technology they got the economics wrong…

To which I can only respond: “you wish. We don’t have any security economics! Not even the wrong ones.”

In the past, every time I brought up this issue in the OpenID community, I got nowhere. (The Information card community has slightly better ones due to the possibility of branding, but it has bigger problems to worry about right now.) But perhaps it is time to try again …

OpenID Connect? Messina vs. Obasanjo

Chris Messina thinks the OpenID brand should come to mean a package of a number of related “Open Stack” technologies, called OpenID Connect, and start to compete with Facebook Connect.

Dare Obasanjo disagrees: he thinks we would only need an OpenID Connect if there were multiple incompatible implementations of Facebook Connect-like products from multiple players, in order to standardize best practice.

Who is right?

Both, I think. They represent two different points of view, both of which I sympathize with. I like the first better, but the second one might be more realistic. I only realized this a few months ago; this is as good a time as any to attempt to explain it:

First I have to make a detour: OpenID (and related “Open Stack” technologies) are fundamentally interoperability standards. If I have a website and you have a website, OpenID enables our mutual customers to do something interesting by “connecting” some pieces of my website to your website. Take authentication performed on my website to your website, for example. Move data, etc. It’s important to realize OpenID doesn’t do anything that can’t be done already by a site by itself, or within a tightly coupled federation of sites. Instead, OpenID is about interoperability between sites managed by different entities that only agree on the OpenID interoperability specification.

How do successful interoperability standards come into being, and how do they continue to evolve?

I’m not a technology historian, but it appears to me that they usually emerge after several companies have implemented similar, proprietary ways of interoperating, and the potential adopters of such proprietary specifications revolted, saying something to the effect of “we can’t afford implementing half a dozen different ways of interoperating with you guys, we need to have one way for the whole industry.”

I think that is essentially Dare’s point. He’s asking where everybody else’s (MySpace, Google, etc.) products are that are like Facebook Connect, and finds very little. His conclusion: this is not the right time for an OpenID Connect.

Chris’ point comes from a different perspective, which is: let’s make the web a better place, and collaboratively design a set of new capabilities that help us all. I understand that perspective very well, because I, like many others, have been preaching it ever since I got into the digital identity business in the first place. The trouble is: it’s like molasses, and nothing much ever happens. So far, that has been true of an OpenID Connect, too, which people like Chris and myself have been asking for for at least a year or more.

I wonder what the newly expanded board of the OpenID Foundation thinks of it. There are enough new faces on it, in particular from non-technology-platform companies, that the dynamics may be different. Looking forward to seeing what comes to pass, or does not.
