Webstock 2008: OpenID and decentralised social networks

by Luke Wroblewski February 16, 2008

Simon Willison’s OpenID and decentralised social networks talk at Webstock 2008 illustrated OpenID’s user experience, potential issues, and role in building a de-centralized social network online.


  • OpenID enables people to select trusted identity providers and use them to securely sign in to and engage with any Web application that chooses to support OpenID.
  • Augments existing account mechanisms. Access providers store OpenID information in their user account table along with application-specific data.
  • Can also help people fill in account creation forms. The OpenID 2 standard has an attribute exchange that covers any kind of information you may want to pass back and forth between the application and the identity provider.
  • Is a Web page for machines: the page carries a link tag that identifies its OpenID provider. To find out whether someone owns it, the application sends them to that provider, which has them authenticate through user name & password, client SSL certificates, SMS, instant messenger, hardware tokens, or image sequences (vidoop.com).
  • About more than single sign-on: if an identity provider incorporates a service like IM, the application can send messages to the user where they are already authenticated.
  • People are likely to have more than one OpenID identity.

Problems with OpenID

  • Usability: the first time you authenticate with a service using OpenID is more complex than simply registering for the site. Subsequent times, however, you only need your OpenID to gain access.
  • Usability: people are unclear on what a URL is. Signing in with a URL is pretty foreign to most folks.
  • Security: susceptible to phishing. Rogue sites can mimic the design of identity providers, and with OpenID it is the untrusted site that redirects you to your trusted provider.
  • Security options: the Yahoo! sign-in seal stored in a Flash cookie, the VeriSign Seatbelt browser extension, or the Windows CardSpace desktop solution.
  • Usability issues:

Building a Decentralized Social Network

  • Accumulate profile pages across the Web. You can use a last.fm music profile on upcoming.org to recommend events.
  • XFN microformat (rel="me"): linking your profiles to each other with this relation lets you build a bi-directional profile relationship.
  • A decentralized network requires the ability to take our friends with us. Google launched a Social Graph API that crawls relationship data and finds your friends.
  • OAuth is an open standard for secure API authentication, the same process that Flickr uses to authenticate applications.
  • Components of a decentralized social network: OpenID, accumulated profiles (enabled through the XFN microformat), a friends list, and a compilation of friends' activity (aggregation of vitality).
  • Need a de-centralized vitality feed. This is provided by the XMPP protocol.
  • Standards for a de-centralized social network: OpenID, OpenAuth, XFN and FOAF, XMPP.
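As an added illustration of two points from these notes (the OpenID link tag that names a provider, and XFN rel="me" links that only prove a profile relationship when both pages link to each other), here is a small Python example written for this page, not code from the talk or from any OpenID library; the hosts and pages are constructed and hypothetical.

```python
from html.parser import HTMLParser
class LinkCollector(HTMLParser):
    """Collect (tag, rel tokens, href) for every <link> and <a> that has an href."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("a", "link") and a.get("href"):
            self.links.append((tag, (a.get("rel") or "").lower().split(), a["href"]))

def parse_links(html):
    p = LinkCollector()
    p.feed(html)
    return p.links

def openid_provider(html):
    """OpenID HTML discovery: the <link> tag that names the user's identity provider."""
    for tag, rels, href in parse_links(html):
        if tag == "link" and ("openid2.provider" in rels or "openid.server" in rels):
            return href
    return None

def rel_me_targets(html):
    """URLs this page claims belong to the same person (XFN rel="me")."""
    return {href.rstrip("/") for _, rels, href in parse_links(html) if "me" in rels}

def verified_identities(pages, start):
    """Profile URLs reachable from `start` over *reciprocal* rel="me" links only.
    A one-way link is just a claim; a page that does not link back is not trusted."""
    start = start.rstrip("/")
    verified, queue = {start}, [start]
    while queue:
        src = queue.pop()
        for dst in rel_me_targets(pages.get(src, "")):
            if dst not in verified and src in rel_me_targets(pages.get(dst, "")):
                verified.add(dst)
                queue.append(dst)
    verified.discard(start)
    return verified

# Constructed sample pages keyed by URL (hypothetical hosts; a real check fetches them).
PAGES = {
    "https://alice.example": (
        '<html><head><link rel="openid2.provider" href="https://idp.example/server">'
        '</head><body><a rel="me" href="https://photos.example/alice">photos</a>'
        '<a rel="me" href="https://music.example/alice">music</a></body></html>'),
    "https://photos.example/alice": '<a rel="me" href="https://alice.example/">home</a>',
    "https://music.example/alice": '<a href="https://alice.example/">home</a>',  # no link back
}
```

Only the photos profile is accepted, because the music page never links back to the home page; this is the check a crawler like the Social Graph API needs before treating two profiles as the same person.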