Prove ownership of your MyBlogLog profile. Now!

A neat feature of the OpenID technology is that it allows you, the developer, to verify that the user indeed has ownership of a URL endpoint. I had stated earlier that lifestreaming services are going to find this feature very useful. Services like FriendFeed, Plaxo Pulse (and of course, MyBlogLog) can enable users to verify ownership of their various online identities/profiles, thereby promoting more authentic activity feeds and eliminating the impersonation scenarios that will inevitably come up.

More generally, once a user has proved to your service that he owns a particular URL endpoint using OpenID, interesting things can follow. Your service could retrieve (you should do this under user consent and control, of course) user attributes that lie at the verified URL endpoint. The retrieval is significantly easier if the attributes are marked up with the appropriate microformats. I am sure people will come up with many interesting features by combining this simple, yet powerful, capability with technologies like YADIS, FOAF/XFN, MicroID.

Now, for the big news of the day. Today, we rolled out support for MyBlogLog profile URLs as OpenID identifiers (Ian Kennedy's post on the MyBlogLog blog). With this change, we have also eliminated the only-one-custom-OpenID-identifier per-account restriction. This means that you can select both your Flickr photostream AND your MyBlogLog profile URL as your OpenID identifiers, in addition to creating a pretty me.yahoo.com identifier. Simon, we heard you loud and clear. :-) This change is especially exciting because the folks at MyBlogLog have been awesome about implementing support for hcard, XFN, FOAF, in addition to hosting a pretty rich profile complete with the New With Me activity streams feature. We hope that you will find this change useful and that it can act as an enabler for more fun applications of the OpenID technology in the future.

To set your MyBlogLog profile URL as your OpenID identifier, start here (requires logged-in state).

Yahoo! announces plans to adopt OAuth as part of the Yahoo! Open Strategy

If you've been following some of the posts on this blog, you've hopefully drank the kool-aid on the view of identity standards like OpenID and OAuth as the fundamental building blocks for more interesting and interoperable apps on the web. At Yahoo!, we've been thinking hard about the value of adopting open standards instead of pushing proprietary products that have been in existence prior to these standards. We have also been talking to and working with the OAuth and OpenID communities on technical, business, and legal fronts. To put our money where our mouth is, in January 2008, we launched the public beta of the Yahoo! OpenID Provider, with an emphasis on significantly improving the OpenID user experience and allowing users to have the convenience of a single identity without the burden of understanding the technical underpinnings of OpenID.

Today, Ari Balogh (new Yahoo! CTO - see video below) publicly announced the broader Yahoo! Open Strategy at the Web 2.0 Expo keynote session (see Cody Simms' post on the Yahoo! Developer Network blog for the juicy details). A key element of this announcement is that, in the not-too-distant future, we will be supporting OAuth as THE STANDARD for authenticated API access for 3rd party developers that want to innovate on top of Yahoo!'s incredible assets and diverse array of services. This auth mechanism will work with web applications, thick-client (installed) applications, and embedded applications! For those who are not familiar with OAuth, it is a community-driven standard that allows 3rd party developers to securely access APIs that expose user data residing on services like Yahoo!. This is done in a way that:

• the user doesn't have reveal his Yahoo! password to the 3rd party application - A good general practice
  
• the 3rd party application only has access to the stuff that is necessary for its use, and nothing else (eg. only access my Address Book, and not my Mail or my billing information) - Scoped access is better than global, unfettered access to all my data
• the user can easily revoke access if he no longer trusts or uses the 3rd party application - User is always in control

If you are familiar with Yahoo! BBAuth, you can think of OAuth as a standard way of doing what BBAuth enables. As a developer who's building interesting things on top of Yahoo! APIs and APIs of other companies that support OAuth, you will not need to write a whole lot of custom code to integrate with 'N' different authentication APIs which all essentially do the same thing. Besides, you can take advantage of open source client libraries for OAuth to reduce the time to implement the auth component of your service or mashup - instead, you can focus that time on building features that really delight your users.

Our announcement today represents a big win for the OAuth community's efforts and is a harbinger of even more interesting things in the near future. As always, stay tuned for more...

Updates:

Heres a video of Ari's Y!OS announcement:

Techcrunch coverage of The New Yahoo!

See Neal Sample's post on Yodel Anecdotal

Heres Neal's talk at Web 2.0 Expo:

See Charlene Li's write-up of Yahoo!'s Open Strategy announcement

SG Foo Camp 2008 Summary

SG Foo Camp 2008 was useful and fun - much like other un-conferences such as IIW. Scott Kveton has a good summary here.

Here are the three things I found most interesting/relevant/useful/cool:

1. Social graph API - Brad Fitzpatrick introduced the Social Graph API on Saturday morning. Check out the resources on the Google code page to learn more about it. My view is that this seems to be going in the right direction thus far, though I'd definitely like to see the rel="me" claims getting verified via OpenID. I'd also like to see applications access non-public friend markups via OAuth.

2. Open Activity Streams - David Recordon led a session on the recent MovableType Action Streams release. I predict that Activity streams (or social event aggregation) will be the next big area for innovation in 2008. The idea is simple - I should be able to view (and eventually, create) all events that are relevant to me in a single place, instead of having to navigate to each and every social network/web application I use. Similarly, my friends should be able to remain updated on my activities across the internet - things that are already visible to them, albeit not without significant work today. I'd like to see standards emerge here around the messaging protocol, data formats, and authentication/authorization mechanisms. Good news is that the open standards on which this could be based already exist - its just a matter of combining what we have in a way that makes the web a more interesting and useful place to be in. See this and this if you want to learn more about Activity Streams.

3. Doing something useful with the OpenID URL - Late on Saturday night, I led a session titled "What can I do with the OpenID URL?" A bunch of us got together to talk about how we'd like to see the OpenID URL used to provide more useful services - both as end users of these technologies and as the people responsible for these products in our respective organizations. To start with, we discussed how having a useful profile on the OpenID URL endpoint would be valuable. We then discussed the potential use of the OpenID URL as an endpoint for permissioned messaging. Imagine that OpenID Relying Parties can contact the user by using the OpenID URL - which the user has proved ownership of - this brings the user back in control of communications - he can turn it off at any time, direct it to his voicemail (text to speech) between 12 pm and 3 pm, etc. etc. We then discussed the general use of the OpenID URL as a service endpoint (or more appropriately, a service discovery endpoint). Heres a picture from this session.

Brian Ellin ran a good session on improving the OpenID login experience. I was also glad to hear that our efforts around making the OpenID login experience easier (by allowing users to simply click a button to login with OpenID or to type in yahoo.com in the OpenID textbox) were generally welcomed by the folks present there. Theres nothing like direct user feedback - and its even better when its so positive!

All in all, this was a weekend well spent - its always enjoyable to meet so many folks committed to making the web a more fun and useful place. Many thanks to Scott, David, Tim O'Reilly, and all others who helped make this event happen.

Yahoo! and other companies join the OpenID Foundation Board

This morning, the OpenID Foundation announced that Yahoo!, along with Google, IBM, Microsoft, and Verisign, will be joining as board members to help further the  marketing, user experience, and adoption efforts around OpenID.

This follows closely on the heels of our product launch last week.

Hasn't this been a great year thus far?!

Related coverage:

Techcrunch
PC Magazine
New York Times
Artur Bergman on the O'Reilly Radar
CNET - Clarification: Unlike what this post suggests, I am *not* the Yahoo! representative on the OpenID Foundation board
Ars Technica

At SG Foocamp this weekend

I will be at SG Foocamp this weekend at O'Reilly's offices in Sebastopol, CA. This is my first Foo camp and I am looking forward to seeing some familiar faces and meeting some new folks. I am primarily interested in topics ranging from proper data portability, to combining OpenID and OAuth, to activity streams standards (my new favorite topic), to how everything ties back to identity!

And so it begins - public beta of the Yahoo! OpenID service

The last 48 hours have been incredibly busy - as we had previously promised, we launched the Yahoo! OpenID Provider service (official blog post) on January 30. Actually, we had quietly launched it one day earlier. ;-)

Mashable has early comments on our implementation

Johannes thinks that this is Day 1 of OpenID being viable for business

Kim Cameron congratulates us

For me, this has been an incredible journey, starting with my first Internet Identity Workshop, to understanding the OpenID 1.1 spec, to thinking through the business case for the project, to working with the community to help fix the security issues my buddy Allen Tom had found in the OpenID 2.0 draft spec, to seeing OpenID 2.0 get finalized, to helping finalize the OpenID Intellectual Property Policy, to watching our product grow over the past few months - and countless other fun things (though they may not have seemed fun at the time) that came up along the way.

In addition to the folks we mentioned in our official blog post, many other people have helped make this happen - so I'd like thank everyone that has provided input, given direction, rallied support, or has been plain excited about what we have been working on. You know who you are!

Time to get some sleep now - 12:21 am.