professional reflections

OpenID and name authority

In his Science in the Open blog Cameron Neylon has written an interesting post, A Specialist OpenID Service to Provide Unique Researcher IDs? in which he asks:

Good citation practice lies at the core of good science. The value of research data is not so much in the data itself but its context, its connection with other data and ideas. How then is it that we have no way of citing a person?

Cameron suggests that OpenID might offer a solution to this.

I have been very interested in OpenID for some time. I like the relatively agile way in which the standard has evolved. I like the fact that it has been responsive to the developer community. I agree with Andy Powell when he talks about the importance of the capacity for the delegation of the service providing your OpenID - I've maintained an OpenID for myself at despite having changed the underlying OpenID identity provider service twice. However, I've become frustrated by the way in which OpenID has been deployed and couched almost entirely in terms of its potential to solve the often-exaggerated problem of users needing to maintain too many user accounts (although I confess that I have contributed to this). Personally I maintain a small handful of username/password combinations for accessing hundreds of web services - it's a minor inconvenience. And as Mike Ellis pointed out in a great post, OpenID: fail:

In a technical sense, OpenID works. But from a usability perspective, it’s absolutely horrible.

I blogged about OpenID a while ago, saying:

I’ve thought for a while that the introduction of URIs for people was the often overlooked yet potentially most interesting aspect of OpenID. In a resource-oriented-architecture, it would seem plausible to suppose that a reliable pointer to a representation of a person would be a useful thing. But when I try to sketch out a useful application for this, I struggle….

The idea of using OpenID as an 'author identifier' in scholarly communications has occurred to me before too - specifically in the context of repositories. I agree it could play a part here. At one level this could be seen as an extension of the ongoing persistent identifier issue in the context of web-resources, being applied to people. However, as an OpenID is a URL, it is open to the same criticisms levelled against the use of URLs for papers in an institutional repository for instance (the delegation feature does mitigate this, albeit only slightly).
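The delegation feature mentioned above, sketched as an added example (not code from the original post): a relying party's HTML discovery step reads the `openid.server`/`openid.delegate` (OpenID 1.1) or `openid2.provider`/`openid2.local_id` (OpenID 2.0) link elements from the page at the claimed URL. The URLs and sample pages are constructed; the claimed identifier stays fixed while the provider changes, which also means that whoever can edit that page controls the identity.

```python
from html.parser import HTMLParser

# rel values used by OpenID 1.1 and OpenID 2.0 HTML-based discovery
PROVIDER_RELS = {"openid.server", "openid2.provider"}
LOCAL_ID_RELS = {"openid.delegate", "openid2.local_id"}
# Constructed sample: one personal URL, before and after a change of provider.
CLAIMED = "https://researcher.example.org/"
PAGE_BEFORE = """<html><head>
<link rel="openid.server" href="https://idp-one.example.net/server">
<link rel="openid.delegate" href="https://idp-one.example.net/user/jdoe">
</head><body></body></html>"""
PAGE_AFTER = """<html><head>
<link rel="openid2.provider openid.server" href="https://idp-two.example.com/auth">
<link rel="openid2.local_id openid.delegate" href="https://jdoe.idp-two.example.com/">
</head><body></body></html>"""

class LinkCollector(HTMLParser):
    """Collects the OpenID <link> elements found inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head, self.provider, self.local_id = False, None, None

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            rels = set((a.get("rel") or "").lower().split())
            href = a.get("href")
            if href and rels & PROVIDER_RELS and self.provider is None:
                self.provider = href
            if href and rels & LOCAL_ID_RELS and self.local_id is None:
                self.local_id = href

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def discover(claimed_id, html):
    """Return what a relying party learns from the page at claimed_id."""
    p = LinkCollector()
    p.feed(html)
    if p.provider is None:
        raise ValueError("no OpenID provider advertised at " + claimed_id)
    # Without delegation, the provider-local identifier is the claimed one.
    # Accounts should be keyed on claimed_id, never on local_id.
    return {"claimed_id": claimed_id, "provider": p.provider,
            "local_id": p.local_id or claimed_id}

for page in (PAGE_BEFORE, PAGE_AFTER):
    print(discover(CLAIMED, page))
```
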

One aspect of OpenID, which I think might become relevant if OpenID reaches any kind of critical mass as a public identifier system, will be the way in which a given OpenID could gain authority over time. The only thing you can trust about a newly minted OpenID is that you can interrogate the 'user' of the OpenID and verify that they are the agent which 'controls' or 'owns' it. However, an OpenID will rarely be surfaced without other metadata about the agent - there will be a context in which it is used. In a community of researchers for example, as a particular OpenID is used more and more by a researcher in various contexts and systems, a level of trust will build around the association of that OpenID with an actual person.

For a long while I thought that OpenID might be the answer to a problem arising out of the need for a different user-account in every system we use - not the bogus issue of needing to remember lots of passwords, but the fact that this creates an immediate obstacle to joining up those systems at the level of the user. This issue has become more visible with the systems underpinning social networks. I see all kinds of potential in being able to conclude that while I might not know the person identified here in this system, I can be sure that they are the same person in this other system, because they have the same OpenID. Of course there is all kinds of potential for abuse of such join-up, but I would still like to be able to control such arrangements myself.

Increasingly, I'm annoyed by my social-web activities being constrained unnecessarily by really prosaic limitations in the systems I use. As I said in another post back in September 2007:

Now, it’s certainly not unusual to maintain more than one, unconnected circle of contacts. Many people prefer to keep their professional and their social networks separate. But, and this is the important point, I really don’t want my social networks to be constrained by particular software choices. As I can connect resources across the web in a uniform way to form a network of resources, I want to be able to connect people to form my social network. Perhaps OpenID or something similar could provide the solution.

Imagine a Web where everything you did publicly was linked by the very fact that you were represented by a URL exactly like your blog post, or your photo on Flickr, or your post on Twitter, or your correction to that Wikipedia entry, or your research paper in your institutional repository for that matter…. think of the possibilities.


..continued: Our group recently launched a website around the subject of online identity for researchers. You may be interested in some of the scenarios explored there:

Paul. Thanks for an insightful article. I am in fact citing your article in my own forum post here!:

I couldn't agree with you more about the linking-up aspect of things, I am myself very optimistic of OpenID being the big enabler here.

You are right that a lot of the stuff we want to link up is indeed public. BUT, I think one of the commenters above is right in that there are a whole bunch of scenarios where one will want to link together public and private information, and this is exactly what the OpenID+OAuth combination brings to the table:

I think the Google Social Graph API is more concerned with making personal networks sharable - this sort of activity might be one extension of what I'm suggesting. I'm really making a much simpler, less ambitious point about simple, user-controlled identifiers.

Isn't this, essentially, what the Google Social Graph API does?

[…] one, or more, public personas then there are no privacy problems. Paul Walk, Weblog. [Link] [tags: Twitter, privacy issues, OpenID, DNI, identity card, Wikipedia, research, […]

Hmm, is it a privacy issue? You could still make use of the Twitter Direct Message facility even if you were using your OpenID. I think it gets back to the age old problem of verification. How do I know which Paul Walk, or which Jack Dee you are?

If I use my OpenID as a common identifier and wish it to be associated with me as an author, how and where does a repository or a reader or a publisher gain verification that I am who I say I am, I am the author you think I am, and that author should be associated with that identifier?

I don't actually think these problems are insurmountable, and can think of several ways that verification could happen from lightweight processes to more formal verification. What I struggle with is how to get this adopted both in the very conservative research publishing process and across the myriad of repository approaches that are being adopted.

I do think a user owned personal identifier is much better than other solutions such as a government or institutionally focused approach. I also think it is a good example of the importance of OpenID as an identifier, rather than getting bogged down in its applicability as an authentication device :-)

Thanks Andy - and I understand your point about privacy.

Like you - I've established a string ('paulwalk') as a common identifier in a large number of systems.

I'm going to be controversial here…. I chose my phrasing carefully. I think the best model for the future is the simplest - if it's public, then it's openly linkable, then it might as well be reliably identified. That is to say, 'public' means exactly that. Stuff you restrict or control access to isn't public.

I appreciate that there are many shades of privacy - but 'public' isn't a shade - it's an absolute in my book. If we conflate 'public' with degrees of control of privacy in the same system then we end up with something like Facebook, where OpenID wouldn't make much difference as none of the content is publicly accessible.

I don't want to come across as some sort of crusading idealist, so I'll mention that I appreciate systems which have levels of privacy. Twitter is a great example - I use the Twitter direct message facility from time to time - this is a private messaging service and I use it in a private way. The fact that it's in the same system as the public Twitter service is a convenience but there isn't much of a link between these uses in real terms, and OpenID would have little impact here. However, OpenID would be very relevant if directly associated with my public Twitter account.

So, I guess my position would be: if it's public and on the web, then actively help to make it linkable, sit back and enjoy the ride. If you don't want it to be public, then use a system with the appropriate controls. If you want to use OpenID in the private system, then we're talking about convenience again - worthwhile but hardly world-changing!

Somebody disagree with me, please! ;-)

I can imagine people getting ready to play the 'privacy' card as I write this but I totally agree with where you are coming from. As I discussed in my case-study for our recent digital identity workshop, my digital identity is now largely defined by the string 'andypowe11' whereas (in an ideal world) it would be defined by the URL/OpenID

In the interests of keeping privacy concerns to a minimum, I'd re-write the opening sentence of the final para as:

Imagine a Web where everything you did publicly was (optionally and under your control) linked by the very fact that you were represented by a URL…
