Okay, I finished the big job of migrating my blog from its old home to my new digs, and I think I have the bugs out, with thanks to the two blogs that linked to my OpenID article, and the two people who let me know that the email was broken (making it impossible for people to register). We’re off to a good start!
I offered some preliminary thoughts and asked a question about OpenID, proposing that, while this is a boon for users, it might have a negative impact on an organization’s ability to coax contact information out of web visitors, as providing personal info will no longer be a requirement for authenticating to a web site.
Johannes Ernst, a man who designs identity management software for a living, responded on his blog with a few counterpoints (which I’ll brutally summarize):
- People often present false information in contact forms anyway;
- “Because users can provide their OpenID that they also have provided to other sites, the site can actually learn more about the user — which other websites they frequent, for example.” Johannes qualifies this one with the rider that people won’t necessarily use their OpenID to share such data.
- With control of their identity, the visitor might feel more confident about sharing information.
- With single sign-on, and easier access to the authentication-required content, visitors might be more compelled to join and share.
Simon Willison, a co-creator of the Django Web framework, anticipated my question and replied on January 10th. Simon makes the clear point that OpenID will only replace the “enter your name and type a password twice” portion of an online registration. It won’t fully replace requests for further data and confirmation, such as the graphical Captchas that we’re all getting so used to. In fact, he proposes, the fact that a user has an OpenID doesn’t mean that they aren’t a spammer — we shouldn’t accept it as full authentication, just a convenience for the password tracking part.
Simon has me fairly well sold that this isn’t as big a threat as I thought. But I still have a lot of questions about the idea, and I’m curious as to how it will play out once the standard is established (assuming it will be – I suspect so). If the authentication is as weak for the web service as Simon suggests, will an industry like SSL arise, adding verification to OpenID authentication? And I’m still intrigued as to what conventions will grow out of everyone having a personal web address, which, of course, will lead to some sort of web page.
Johannes made a comment that really intrigued me on his post, when he said:
“Personally, if I have a choice between knowing a URL pointing to your blog, and having the information you typed into a web form that I put up, I take the blog any time. (That might even be true if the form’s data was all correct!) That is not data that your typical CRM system knows how to manage, but as we all know in the blogosphere, extremely valuable to gain some view on the user’s social network and reputation and interests.”
Johannes has a pretty interesting idea for a marketing app there. While he suggests that the data is free-form, I’d counter that – most blogs follow very standard conventions, and many bloggers (hey, me included!) use the standard text that comes with our blogging platform to denote them. So just as HR staff no longer “read” resumes, how far behind can blog scanning be?