OpenID Q&A: Plaxo’s Joseph Smarr and John McCrea

After some recent considerable advances in the realm of OpenID, Webmonkey had the chance to chat with two of OpenID’s greatest evangelists and early adopters, Joseph Smarr and John McCrea. Smarr and McCrea are responsible for being among the first to implement OpenID on their online address book site, Plaxo. Together, they try to explain the momentum behind OpenID and how it might lead to even bigger things for the future of the web.

Webmonkey: Studies have shown OpenID’s user experience is really complicated. How is OpenID going to get less complex?

Joseph Smarr: I think there’s sort of two parts. One is, for any given OpenID provider, how does that experience look of signing in. For example, now you can sign into Plaxo using your Google account. That’s a process that’s gotten better over time and is only going to get better.

So when Yahoo announced their OpenID back in January, basically because they really wanted to make sure they didn’t make any security or privacy mistakes, the process was fairly long and cumbersome. But you know, Yahoo has streamlined a lot of that. Google has taken it one step further by actually letting you share information.

Nowhere do you necessarily have to know what OpenID is and what happened. It’s just a standard experience of “Oh, I’m a Gmail user, Plaxo works with that,” Boom, it’s all there.

John McCrea: And worth noting, they didn’t take on the challenge of communicating to the user that there is a URL involved at all, they’re just using their Google account credential.

Smarr: So that’s one area of user experience improvement where it just kinda works for the user and makes sense. Other areas that have been talked about there, one of the things people have been excited about at the UX summit was rather than having a full page redirect, a lot of them are moving to having a lightweight pop-up, kinda how Facebook Connect does it.

Another area that people are looking at is how do you get the web browser involved. So the web browser knows what sites you use and you can imagine configuring it with one or more identity providers and then when you go to a site, imagine if the browser just popped something up, it’s not phishable and it’s custom to you which says what account do you want to log in with. These are all things that I think can help solve that problem of picking the identity provider that you use.

McCrea: There was one key takeaway from the summit though, which was, where we want to get to is an experience that is materially similar to what we see in Facebook Connect today and to do that, we really need just a few people who are product design savvy and aware of what the technology can do, to sit down, mock it up, and get a general agreement and then go forward. That’s a working group that Joseph is part of, Chris Messina is part of it. So there are a few things that have to get nailed down, but the general direction is quite clear.

Webmonkey: When we talked about the major players of OpenID a couple months ago, we talked about Google, Yahoo, MySpace, but Microsoft never came up in discussion. How much of a surprise was Microsoft’s recent OpenID announcement?

McCrea: I would say not shocking, but it wasn’t one I knew was coming. Typically Plaxo is the launch partner of choice with Joseph Smarr typically debugging into the middle of the night, but when the Microsoft one came, it was a little bit out of left field.

Smarr: But some of those Microsoft people who are involved in that have been coming. Jorgen Thelin, who wrote the blog post for Microsoft’s announcement was at the UX summit. Mike Jones from CardSpace. Angus Logan has been part of this. Those guys have been definitely paying attention. I think as is probably standard for Microsoft, they tend not to discuss future releases much, but they’ve certainly been there and paying attention and asking good questions.

McCrea: Plus they’ve been very active in the portable contacts efforts. Microsoft going open stack is not a surprise, but the timing of the announcement…

Smarr: And natural enough to do it at PDC.

Webmonkey: Is Microsoft’s announcement the tipping point for OpenID?

Smarr: I think this week, the combination of Microsoft and Google, you’d have to argue is a tipping point indeed. And we know that MySpace is waiting in the wings. Also this week we had Yahoo going live with YOS on OpenSocial, you had LinkedIn launching their platform on OpenSocial, I mean it’s like, in a week you can’t even keep track of the number of major sites launching on open stack technology, yeah, clearly we’re at a tipping point here.

Webmonkey: That’s pretty exciting.

Smarr: Yeah, I think (last) week will be looked back on as the week that Open tipped. We’ll have to see, but it very well could be.

McCrea: Yeah, it’s funny but right at the beginning of the year there was the week (in January) when everybody joined the data portability movement but that was really a statement of intent. What you see now, and it’s not even November yet, this stuff is rolling out. You know Facebook Connect might be a couple steps ahead and they might have a couple of implementations out in the wild, but there are still just a couple of them and their real launch isn’t until the end of November. So this open stack too is going to make a lot of progress between now and the end of November.

Webmonkey: If every major internet destination, like Yahoo, AOL, Google and Microsoft are OpenID providers but none of them accept logins by other OpenID providers, what’s the point?

Smarr: Some people have raised the concern that there’s all these people being OpenID providers and fewer being relying parties, but actually I think it’s just fine — it’s a natural part of the evolution of adoption. You know, you’ve got this chicken and the egg problem with new technology, which is, will sites go to the trouble of accepting OpenID if most of the sites don’t have OpenID.

You can make the case that every mainstream internet user has an OpenID, and now that some of those providers are putting real data behind those OpenIDs so that it is not just about single sign-on, but it’s about getting the linkage to share the data between the sites. That’s exactly the critical mass that is necessary to see this really take off and I would expect to see a lot of parties be a relying party in the future. So I think it is a healthy part of the evolution that you had to get that critical mass before people could really say being a relying party is kinda a no-brainer.

McCrea: I can’t speak to the explicit details of any of the big providers, but at this point they just dropped the first shoe, and I think that it’s pretty darn likely they will all become relying partners in the next 12 months.

McCrea: You know Plaxo became a relying party in August of last year and we did that not because we thought it would immediately improve user experience but we knew it was necessary for someone of some heft to go out there and become a highly visible proving ground through all of this. So our mission now is to show over the next 8 months, that these second-generation OpenID implementations actually do improve on-boarding in ways that affect our bottom line very positively.

Webmonkey: Now adoption isn’t a problem, what are you going to focus on next?

Smarr: We’re really moving into phase two of open stack adoption across the web now. We’ve got phase one accomplished which is you can at least get in with pretty much any big provider. Phase two now is streamline the UX and start sharing user data. I expect that to happen at an accelerated pace now.

Webmonkey: Dave Winer (the web guru behind RSS) recently suggested in response to OpenID, that it is difficult to get participating partners of these big companies interested in open technology beyond a point where it would benefit their personal careers. That doesn’t seem to be the case here, when in 11 months all of these implementations are being rolled out at an unprecedented pace. Is Winer wrong?

Smarr: I think the point here is that a lot of these guys at these companies have seen this movie before and they already know how it ends. Cause we had the web take off with these open standards and rapid innovation. I think these companies are getting smarter and being less resistant in thinking that they can bend this stuff to their will. I think they’re also just realizing increasingly that you don’t have to do everything under the sun in order to benefit from it. In fact, if other people can build and evangelize and maintain all of this authentication code and all of this stuff, it just works for you.

Google and Yahoo and Facebook and Microsoft and everyone else, they have all built their own proprietary delegated authentication systems. They’re all kind of pain points for their developers, and they’re all kind of different, and they might not have great library support. It’s just a tax. It’s not like Amazon’s particular cryptographic signing mechanism is like their secret sauce. It’s just something some engineer just had to whip up so that people could use their technology.

That’s why they were all so happy to move over to OAuth, because it was like “Oh, OK. This is basically just as good as what we came up with but a whole bunch of other people are going to make sure that it stays good and has good support and good tutorials. It’ll be that much easier for people to get up and running with our stuff.”

I know Dave Winer has been around for a long time and he’s seen what industry tries to do with open standards and it hasn’t always been a pretty picture. Maybe I’m naive and optimistic but I do think that they are kinda catching on and that’s why things are getting a bit easier and a bit less convoluted this time around.

Webmonkey: Any last comments before we sign off?

Smarr: It’s pretty hard to underestimate the impact of this follow-on of big providers really shipping code and not just what they’re shipping today but what they are all professing their intention to really embrace the full open stack with OpenID and OAuth and portable contacts. OpenID 2.0 is less than a year old. OpenSocial is less than a year old. Portable contacts is less than six months old. OAuth less than a year old. To see this kind of mainstream adoption by these major consumer properties, it’s just pretty amazing to see how fast that’s been going, and it still feels like we ain’t seen nothing yet. We’re just getting started and just getting geared up. I just think this is just going to be such an exciting time and any remaining skepticism people have about whether this is real or whether it’s happening hopefully now has been pretty clearly answered.

McCrea: …and if it hasn’t been clear until now, it should now be obvious that the curve is accelerating. If you are out there sitting on your hands and thinking is this OpenID thing, is this open thing, something I should be doing with, you’re going to be getting further and further behind relative to your competitors if you don’t act soon. Now is the time to think “How do I become an OpenID relying partner? How do I take advantage of the biggest sea change of the web since the birth of the web?”
