OpenID and VRM - can you be bothered?
Apr 29th, 2008 by handolio
I’ve been writing a How it Works on OpenID. For those of you who don’t know, it’s a decentralised ID system that stops the user having to remember and provide separate login credentials for every online service. Instead, you assert ownership of a URI which becomes your OpenID login.
Eyes glazing over? Therein lies the problem.
I’m an enthusiastic supporter of the principle behind OpenID, don’t get me
wrong. Apart from reducing login clutter, it gives a user control over their online identity. Taken to its logical conclusion, it (or a descendent) will be central to the idea of vendor relationship management (VRM) - very much TLA Of The Moment at iCrossing.
VRM, VRM!
VRM’s big idea is that you’ll control a single instance of your identity and personal data, and have full say over who has access to it. As it was explained to me, if you control a central repository containing information about your house, car and life, you won’t need to keep typing it in every time you want an insurance quote and so-on.
Sounds great, but the reality is that there’s a hell of a lot to do if OpenID or VRM are ever to be adopted wholesale. OpenID’s core appeal is that it removes control of our identity from countless web services, and places it in our hands. At the moment, though, the only easy way to get an OpenID is via a third-party identity provider: you’ve probably already got one.
I tried the alternative, which is to host your own on a domain you control - in this case Hackbash. I’m not a web über user, but I do have some technical nouse. I mean no disrespect to CJ Niemira who coded phpMyID and made it freely available, but after spending an hour working through its config instructions, I discovered that our web hosts are running the wrong flavour of PHP. The workaround took me out of my depth and I gave up.
Still here?
Hands up who’s still with me? I’ve done my best to make this lively, but I’ll wager that fewer than half of you will get this far. And that’s exactly my point. Although, dear reader, I have the highest respect for your intellect, it’s not you I’m worried about.
Cory Doctorow’s Metacrap (written about the Semantic Web) lists among the flaws in these kind of data visions: “People are lazy” and “People are stupid”. I’m afraid that, in my experience, he’s right. If a user like me who’s not afraid to pillock around with web servers can’t become his own identity provider, it might as well not be part of the specification. That leaves everyone with a third-party provider, which solves only half of the problem.
I’m pretty sure that OpenID and VRM will ultimately triumph, and help to usher in the decentralised web utopia we’re all banging on about. But it strikes me that while visionaries understand the need for them, and techies understand the implementation of them, dummies won’t give a shit until you make them easier to understand than just creating yet another login, or filling out yet another car insurance application.
It’s not exactly right that “VRM’s big idea is that you’ll control a single instance of your identity and personal data, and have full say over who has access to it.” Because VRM is not just about identity. it’s about providing individuals with tools for both independence and engagement. Identity tools are part of that. Necessary, but insufficient.
So, while I’m curious to see if OpenID passes muster with VRM ideals (a challenge I hadn’t considered yet), I don’t expect VRM as a concept to stand or fall based on what OpenID does. OpenID is one tool. Identity is one problem to solve. And it’s still early — for both OpenID and VRM.
And, at this early stage, you nail the challenge for “the decentralised web utopia we’re all banging on about.” Indeed, “while visionaries understand the need for them, and techies understand the implementation of them, dummies won’t give a shit until you make them easier to understand than just creating yet another login…”
It has to be as easy to understand as pulling out a credit card and using it.
We need code for that. And lots of clever thinking about how to make using it easy.
Actually, VRM anticipates you having any number of datastores under your (identity-mediated) control. They could be anywhere, providing any number of services. Also, OpenID is just one approach to user-centric identity, one that has a certain elegance and certain problems, including those you mention: user complexity.
In contrast, Information Cards, as implemented in CardSpace and Higgins, significantly streamline the identity process. I think that’s a step in the right direction.
Frankly, VRM and Identity is at about the same stage as the web was in 1992 or 1993. We have a working protocol and format (mostly) but we don’t yet have an accessible mainstream product to demonstrate the potential. In the next year or two, keep an eye open for the equivalent of Mosaic and/or Netscape. And then start looking for the Yahoo!s, Amazons, and Googles.
That’s when things will get really interesting.
Thanks both for your comments.
@Doc - “It has to be as easy to understand as pulling out a credit card and using it.” Totally agree. I know it’s early days for both concepts (Joe’s comment sums it up well), and I’m relieved to see this is what you’re aiming for.
I’m fairly confident you’ll get there. I think one of the biggest challenges will be getting public understanding of what VRM aims to do. The closer you get to making it reality, the more demand there’ll be for it.
On the subject of public understanding and what VRM aims to do, I’m surprised you hadn’t considered OpenID against the ideals of VRM. I’ve got a lot of reading still to do (on both, evidently!), but although they’re separate projects they seem to be part of the same bigger picture - decentralising the web (identity, commerce, user data), for want of a better simplification?
@Joe - thanks for the clarification. It’s a good point about information cards, and obvious, in retrospect. If my argument is that new identity and data systems won’t catch on until they’re easy to use, then not talking about CardSpace is an oversight. Hadn’t come across Higgins - thanks for the pointer.