Tuesday, 29 April 2008

Why the Asus Eee is flying off the shelves







In the market for a portable computer?

On the left - a Sony Vaio laptop computer. Yours for only £1599.

On the right - an Asus Eee notebook computer. A penny under £200 (!) - for the 2GB version; the 4GB is a shade under £250.

No wonder Asus can barely make enough Eees to meet the demand...

Wednesday, 23 April 2008

3 mobile broadband: Huawei E169G HDSPA, E220 USB modems review - first impressions






Thanks to 3mobilebuzz I have been testing 3's new Huawei E169G high speed mobile broadband USB dongle for portable computers on a short term free trial of 3's mobile broadband service.

Here's a pic of what you get in the box:



You remove the USIM card (like a SIM card for mobile phones) from the plastic card and bung it into a removable USIM holder in the stick. Remove the end cap and insert the dongle into a spare USB port (there's a short USB cable too if your port's in an awkward place). It installs itself, at least with Windows (XP, Vista, 2000) and it's also meant to be compatible with Mac OS X. With Windows you get some software installed; I'm under some time pressure to get this first post up so I'll try to add screenshots another time.

The specs on the back of the user guide match the Huawei E169 specifications on the Huawei site (except I couldn't see any microSD slot) so it's:
  • HSDPA / UMTS(900/2100MHz)- for non-techies, that's 3G or fast(er) speeds i.e. mobile broadband
  • GSM / GPRS / EDGE(850/900/1800/1900MHz) - that's standard slooowww (or rather, normal) mobile phone speeds.

Pricing, tariffs

This particular model seems already to be available on the Three website (in black or white) for free on a £10 a month 18-month contract. For full details of deals see the 3 mobile broadband dongles page - Lite £10, Plus £15 and Max £25 a month with data allowances of 1, 3 and 7 GB respectively; for a 12-month contract on Lite you'd have to pay £49.99 for the dongle. (I have to say I don't see why anyone would sign up for a 24 month contract when the monthly payment's no less than for the 18-month but you're tied in for longer).

It looks like you can even get the modem on Pay As You Go, in white at least, though then you can't get it free). I don't know if the E169 is available via the shops yet.

Existing 3 mobile phone customers can add mobile broadband on 18 or 24 month contract for half the standard line rental rate, i.e. £5 a month in the above example, and keep paying the half price rate for as long as they have another 3 contract - with the dongle being free if they order before 31 May 2008 (unless Three extend that date of course).

This promotion to existing customers makes a refreshing change from the more usual practice of offering new customers discounts to lure them in, but zip to existing loyal customers (helloooo T-Mobile, the Non-Listening Network? New web n walk Plus or Max customers will get free wifi at T-Mobile hotspots, they announced in Jan 2008, but existing customers won't get that free wifi even if they upgrade to Plus or Max. Or so their customer "services" people, the ones who'd even heard about that offer for new customers anyway, told me after over an hour of waiting on the phone. /rant)

3 do seem to offer that special promotion discount to new customers as well as old (why not make both types of customers happy, eh?) but you'd have to sign up for a 3 mobile phone contract too.

I had in fact signed up for mobile broadband with 3 just a few weeks ago, the full £10 a month deal with free Huawei modem, but then they just had the older Huawei E220 model. Timing 'r' us, not! At least this means I can compare the two Huawei modems for your benefit. (3 also offer another brand of modem, the ZTE - but I'd avoid that if you're ever thinking of using a Linux notebook like the Asus Eee, as I gather you can coax the Huawei into Linux compatibility, which is why I chose it, but I've not heard that you can do that with ZTE. Does anyone else know differently? By the way: the sales people in the 3 Shop didn't even know what Linux was.)

First impressions

By mobile broadband, people mean getting high speed internet access on the move via your laptop or notebook computer or UMPC, rather than your mobile phone. Some people are even opting for "go everywhere" mobile broadband instead of fixed line Net access.

I'd recommend you look at 3's mobile broadband FAQs before you dive in -they're pretty informative. In particular, they say the speed available is "2.8 Mbps in our Turbo coverage areas, and at 384 Kbps in our Video coverage areas." (They split the country into areas; obviously you get higher speeds in a "Turbo" area than in a "Video" area.) You can even check their coverage in your postcode - and you should. Even if you're supposed to be in a Turbo area.

But - it's slower than top ADSL/cable broadband speeds, and you're very dependent on how good the signal is in the EXACT area where you want to use it.

If it's getting fast(er) HSDPA, the modem LED glows blue. Blue is nice. I like blue:


If it can only get an old slow GSM signal, it goes green. Green is not nice:


Even more strongly, I'd recommend that, if you can, you should get the dongle from the 3 website and not from a 3 shop. Why? Because of the much better returns period.

At the time of writing anyway, if you get it from a shop you have only 3 days (including the date of purchase) to try it out in all the places where you might want to use it, especially if you travel a lot. If you order it online, you have 14 days from the date of delivery -but you can't return it if you've used it on more than 3 separate days during those 14 days, so you'll need to plan your trial - use it in place A, drive or train it to place B on the same day and try it there phew, the next day go to place C, try it there, go to place D etc. 3 days only, restrain yourself! Obviously if it works fine everywhere you need it, you don't need to return it and you can use it on as many days as you like.

You can tell I don't think much of that returns policy. The whole point is that 3 should be targeting and marketing mobile broadband to people who are often on the move and need broadband access on their laptop in a number of different locations. Imagine how annoyed and frustrated people will be if they tie themselves into a 12 or 18 month contract, then find they can't get the speed they thought they were paying for.

Isn't it better to give everyone a 14 day returns period, let them try it out as often as they like during that period (as long as they pay for the data used if they end up returning the dongle), and let them return it if it doesn't work where they need it? Then, they'll think "What good customer service and what a customer orientated network, I'll tell my friends, & next time I'll try them again" - rather than "Pah, I now have to pay over the next year for a service I can't use properly, I hate 3". They should be making it easier for people to test it in different places, not hard.

The reason I'm going on at length about trying it out everywhere, or at least the 2 or 3 places where you're most likely to need it, is this: you can't necessarily assume their postcode checker is definitive - coverage isn't as good as I'd hoped, and you need to check it out before you get stuck with a contract for a service that you can't in practice use.

I live in London, pretty centrally. That's Turbo if anywhere is, and so their postcode checker said. But with both the E169G and the E220 modems I'm lucky if I can get 56k (yes, that's dial-up speeds) in my living room, even though T-Mobile's web n walk on my mobile isn't web n crawl (for a change) in the same room. I couldn't go anywhere at 56k on my notebook via the 3 connection, even in the lightning fast Opera browser. Through experimentation, there's only one room where I can get broadband-like speeds, and then only if I'm right by the window. The E169 does maintain broadband speeds if I then move to the next room - but the E220 doesn't.

In my office in the City it's even worse, but then my building seems to be in a mobile black spot anyway (see my BarCamp moan!). Yes their postcode checker had said I'd be OK there, but I wasn't.

Both modems are fine at the South Bank complex however, at least if you're not in a lower ground area - not that I've tried every single lower ground area there, but you get my drift.

I'll be testing it at various other locations as soon as I can, including outside London.

There's meant to be a 3 Web Accelerator to speed up usage for Windows computers Again, I've not had time to download or try it out yet.

So, that's my first impression - how well it works is very, very dependent on the exact few feet (or metres) where you want to use it. So you need to try it out before you buy, in the places where you'll be needing it. Initial niggle - when you remove the end cap which protects the USB connector on the E169G, you have to find somewhere safe to keep the cap, as it won't fit over the other end of the dongle; not very good design, that, it would have been so easy to make it fit.

When (or rather where) it works, it's good, much better than GSM, though not as fast as wifi. More on the nuts & bolts of 3 mobile broadband in use in my next post.

Full disclosure

3's PR people at 3mobilebuzz have set conditions on lending me this dongle:
  • I can use it free for about 3 months
  • I have to blog about my experiences with the modem - good or bad (which I would do anyway)
  • In my first post I have to drill down into some specifics around the pricing structure and link to their pricing page.
They specifically wanted to know "if, as a blogger, you think their pricing/tariff will make a difference to how, and how much, you blog. Their plan means that, if you use 3 for your phone contract (either as a new or existing customer), you get any of the 18 or 24 month mobile broadband packages half price before the end of April [Imp note: now, end May]. Do you think this would encourage you to blog in a more mobile way? And how important are text plans to you as a blogger - for example, is 3's new unlimited text deal a big hook, so you can feel free to update Twitter or Jaiku as much as you want? Or is the fact you can IM for free on 3 mobiles using MSN and Yahoo! Messenger more important? what you think of the USB stick and whether you think it could make a difference to yourself and your readers. Do you think it could help you as a blogger? Does it make blogging easier while on the move?"

Follow up post - to follow!

Regular readers of ACE and those familiar with my LG posts will be expecting a more detailed, practical post than this.

Well, you'll be getting one. I really don't feel I can review any gear properly without fully testing it, and a week or two just isn't long enough. As I can use the E169 modem for 3 months, or rather less than that at this point, I'll be trying it out at different locations and will report further when I've done so, and I'll also give my views on choosing mobile broadband in the UK generally, and compare the two Huawei modems more fully, plus relate my experiences with trying the 3 Web Accelerator.

If you're impatient and can't wait - go for the E169G, not the E220. Personally I chose 3 for mobile broadband rather than Vodafone or T-Mobile, and I made that decision and signed up for an 18 month contract with 3 before I'd even heard of 3mobilebuzz - I'll explain why in my follow up review, as well as why I chose the particular plan I did.

Also, I am in the queue for an Asus Eee PC 900, the 8 GB version, which I hope to get in May. I'll be testing the E169G with the Eee then, and obviously checking its Linux compatibility and reporting back on that.

In my next post I'll also answer 3mobilebuzz's questions about my views on their pricing, text plans etc and their implications for bloggers - and, I think more relevantly for readers of ACE, people generally, not just bloggers. If you have thoughts on those issues too, do please let me know.

If any Mac users would like to offer their laptops temporarily for a quick trial of the dongles on a Mac (maybe at a London Geek Dinner or coffee?), again please let me know.

Finally, dear readers, where in London would you like me to try it out and report back? Free location tester here, take advantage of me while you can. Within reason... I'm not going to the top of the Millennium Wheel or hanging out of the Tower of London with laptop & the USB stick! Well, not unless someone's willing to pay for m'ticket...

Tuesday, 22 April 2008

Get free online music, references at home by joining library






Maybe I'm behind, but I've just found out that members of certain London libraries, like City of London or City of Westminster, can have free access, for non-commercial use, from any computer - including their home computer (not just library computers) - to a wide range of useful online material or resources which have been subscribed to and paid for by the library / local authority, including:
  • music, which you can select to stream to your browser over the Internet, with player controls (I could only get "near CD" or "FM" quality), from CDs in the Naxos Music Library - not much pop or rock, but fans of classical, opera, music theatre, jazz, blues, folk, world music and older "nostalgia" music (Piaf, Armstrong etc), instrumental and even Chinese music can rejoice! There's lots of recordings from the Naxos label, as you'd expect, but there's also music from other labels too like Chandos and Opera Rara.
  • The Economist, one of my fave reads, all issues from 1843 to 2003, fully searchable
  • The Times digital archive, searchable, though only from 1785-1985, as well as a searchable archive of national and regional UK newspapers and magazines from NewsUK
  • CANS advice notes, billed as practical summaries of UK laws updated daily by qualified lawyers, including on some digital rights issues and consumer rights / consumer protection (both subjects I'm very interested in as regular readers of ACE will know)
  • Grove Art and Grove Music dictionaries
  • many other standard references like Encyclopaedia Britannica, Who's Who, the Oxford English Dictionary and lots of other Oxford University Press references
  • and lots of other searchable reference works, which I won't list here - see the Westminster e-resources and the City of London online resources pages for full details of what's available in each (I think Westminster offers slightly more than the City).

Those are the only libraries I know about or have looked into, but given the similarities in the resources offered I bet lots of other libraries in the UK will also have similar schemes (though perhaps more limited, I suspect, as Westminster and the City of London are wealthier councils and can probably afford to subscribe to more services). Just try your local library's website and see.

The good news is, at least if you live in London, it's free to join Westminster Library or join the City of London Library if you have proof of your address - you don't even have to live or work in those areas; I'm a member of both libraries, myself, as their range of material and opening hours are much better than my local library's.

I'm assuming, though I haven't researched the point, that the sources (like Naxos) either get paid a flat subscription rate or get paid a percentage whenever they are downloaded or their music is streamed, just as with authors get paid under the Public Lending Right when their books are borrowed from UK lending libraries.

Now this is what I call bringing libraries (and record labels) into the 21st century!

Monday, 21 April 2008

BarCamp London dim sum challenge






Are you going to be poised at your computer at 11 am on Thursday 24 April?

If so, please do me a favour - sign me up for BarCampLondon4, and I'll not only be eternally grateful but I'll also buy you a dim sum or other lunch, tea & cakes, or drinks, as you prefer. (My name you know, my email you'll know from my sidebar.) The downside - it'll have to be with me. But I think you already knew that...

Is this against the rules? I don't know, but what I do know is that for popular BarCamps like this one, it's virtually impossible to get a place unless you're ready at the right nanosecond at a computer with a decent speed connection (or can write a script to do the sign up for you, of course). If you work and are in a meeting at that time, tough luck.

It's even worse if the sign up slots are scheduled, as GCap Media (who are organising this BarCamp) have done, for exactly the same time on exactly the same day of the week. I was in a conference call for the first wave. For the second wave I tried using my Nokia N95 but with T-Mobile's web n crawl, I only got in just short of 11.02 am and it said that the tickets were all gone. In less than 2 minutes.

At least for BarCampLondon3 the sign ups waves were scheduled for different times of the day, on different days of the week (including weekends as I recall). So I think I managed to sign up for that during a midnight wave.

The way things are going, I haven't much hope that I'll be able to sign up this Thursday, especially as I'll only be able to try signing up via a slow mobile phone connection again.

BarCamp sign up systems - is there another way?

As you can tell, I don't think the sign up system used for London BarCamps is very fair. What would be fairer is - something else.

What do I suggest? A longer sign up period rather than a few waves. Say, an opening and closing time and date - precise time/date for both - ranging over a period of about a month.

Announce those times well in advance, all over the place.

People indicate their interest during the sign up month (or week, or fortnight, if the organisers prefer - as long as there's plenty of advance notice so people know when the period will be).

After the sign up period closes, do a random selection or ballot out of those who've given their details during the sign up period (I'm sure an electronic random "pick the names out of a hat" can be done; someone can whip up software to do that surely, if it's not already been produced).

That would be the fairest way to choose attendees, I think. Or at least vary the times and days for the sign up waves.

And for the next BarCamp with the same theme in the same place, get the system to weight the draw a little in favour of those who missed out in the last draw - so that the more times you were unlucky and missed out in a row, the higher the weighting in your favour.

That's my thoughts anyway. Otherwise, the only people who'll attend are those who can be poised at their computers at exactly the right time - maybe the organisers want to only let in people who are that keen, but real life just isn't like that, I'm keen but my work has to take priority.

So, what do you think would be the fairest way to allocate places for popular BarCamps? Or a fairer way than now, at least?

And would you be willing to take up the Improbulus dim sum challenge?

Sunday, 20 April 2008

Other people's feeds, YOUR liability risk; and linking risks






If you show content from other sites' feeds in the body or sidebar of your blog or website, you could get sued for their content, at least in France. A recent case there is, it seems, the first ever instance in the world of a court holding a site responsible for someone else's RSS feed content.

This is a seriously bad development in my view. Lots of people display content from other sites' RSS feeds on their own web sites, for interest or for convenience, or because they think it's helpful for their readers, and of course that content will automatically be updated as the feed updates. It's dead simple to do this, e.g. see below where I show BBC News content by using RSS2JS and the BBC's feed URL, then pasting the resulting Javascript code into the body of my post (if you try this, in Blogger make sure you get rid of the new lines / carriage returns so that the code just follows on in a row; other tools to generate the script, in a more customisable way, include Feedo Style):


Blogger bloggers can, even more easily, display snippets from others' feeds in their sidebar etc using Layouts, Add a page element, and just pasting in the newsfeed URL - see e.g. this example blog with the BBC news feed contents in its sidebar.

People who do this know that their website or sidebar will just rotate through the latest content that's in the feed of the source website which they chose. (If you're new to news feeds, see my detailed practical introduction to feeds and how to publish and publicise your own feed.)

Now, you can pick the sites whose feed contents you want to show on your own blog or site - that's clearly entirely your choice, and within your control - but you can't possibly control what that third party source blog or site decides to say on its own site / feed. You just can't do that - it's their feed, not yours; their content, not yours. You've only selected the source sites; you have no say in their content, only in the selection of the base source site. One would have thought that would be obvious.

Unfortunately, in March 2008 a French court Tribunal De Grande Instance De Nanterre thought that choosing to display the feed of a source site (Gala.fr) on their own websites was enough to make 3 websites (Planete Soft, Aadsoft and LesPipoles) responsible for the content published by the base source site, IT law news site Out-Law recently reported.

In this case Olivier Dahan, director of Oscar-winning movie La Vie En Rose, complained that an article in Gala.fr about him and actress Sharon Stone was an invasion of his privacy, which is a breach of French law: France is very protective of the right to a private life. He sued - and won against - not only the original publisher of the article, Gala.fr, but also the 3 sites that had published Gala's RSS feed on their own sites, which were ordered to pay between €500 and €800 plus €1,000 costs each. It would have been more, but the judge noted that not many people had viewed the material.

Even though the sites made the point that they had no editorial role in those particular articles, according to Out-law's translation of the Tribunal's ruling the French court said (my emphasis):
"The RSS feeds in question took in effect the essential features of the article at gala.fr, i.e. the rumour of the relationship between the pursuer and the American actress Sharon Stone... The defender has, in signing up to the order and organising them according to their themes, acted as an editor and must therefore assume responsibility for the information which is displayed on his own site... In this particular case the RSS reader displayed information not only made up of a simple link but both the title and the snippet of the information appeared: 'Sharon Stone and Olivier Dahan, the star has a romantic embrace with the director'. This was sufficient to constitute an attack on his private life."

Out-law thought that this decision could totally change the nature of RSS in France. French bloggers / websites may not want to display any third party feeds on their own sites, because it's impossible for them to check every single item that appears via those feeds, so it would be safer for them to stop showing other feeds completely.

That's not good at all. I don't think it's right that merely choosing to display someone else's feed on your own blog should make you liable for their specific content. I could understand the result if those sites had chosen to show the feed of a tabloid-like source site known for publishing privacy-invading material, like The Sun (and I have no idea whether Gala.fr is that kind of site). Maybe then they could be taken to have known that there was a risk of privacy-invading material being displayed via the feed.

But if you decide to select the feed of a respectable site like the BBC News site to display on your blog, why should you get sued if one article in the feed would be considered a breach of privacy in France? Why should you be forced to monitor and maybe even censor the stories from the feeds you display on your blog?

Indeed it's not just invasion of privacy that's a danger if you want to display other people's feeds on your own site - any content that's unlawful in France, e.g. defamatory material, could expose you to liability if you show a feed with that content on your own site.

Risks from linking

Olivier Dahan's lawyer Emmanuel Asmar also recently helped Kylie Minogue's ex-boyfriend Olivier Martinez win a lawsuit against two bloggers and a website who had only published links to content published elsewhere which had invaded his privacy. Even though the website was a Digg-like site publishing links submitted by its readers, the tribunal still took the view that it was responsible for the content, rejecting the argument that it was merely a services provider not an editor.

According to the French court, once you decide to publish information which by nature was a violation of someone's private life, you're responsible for it. (See Out-law's detailed summary of those lawsuits.)

What about the risks for bloggers or sites outside France e.g. in the UK? See Robert Lands' excellent overview of the legal risks for websites / bloggers in the UK (copyright, defamation etc), where there was some discussion of the position with links - but not with displaying someone else's content via RSS feeds, which to me is not the same thing as adding a specific link. Out-Law's own expert Kim Walker of Pinsent Masons noted that in the UK the position hasn't yet been clarified. At least in relation to defamatory material you're liable as publisher only if you're instrumental in making that material public, and he thinks it could be argued that by providing a link to it you're effectively helping the world find out about the material: in putting up the link, you've taken a positive act to publish the material.

Interestingly Mr Lands' view seemed to be different, he thought you might be OK in the UK if you were simply linking to defamatory material without repeating its content. Obviously, as there's been no UK court case on disseminating defamatory content via a link, we don't know for sure - and where even experts differ, I'd run for cover! Mr Walker did say in the Out-law podcast about these cases that hopefully, as the Net is based on linking (its raison d'être, I can't resist saying!), UK judges would try hard to avoid a result that put people off linking, given the potential chilling effect (clearly French judges don't seem to care about that sort of minor consideration...). However he thought it was unlikely that using a disclaimer would help protect a website or blog from being held responsible for defamatory content.

Mr Walker also mentioned an 1894 Court of Appeal case (Hird v Wood) where a man who sat beside a defamatory roadside placard was liable for defamation just because he was drawing the attention of passers by to it, and he thinks it would be a fair analogy to use for hyperlinking.

Note that their views were on links to defamatory material - not material that invades privacy, unlike in the French cases - as that's more of a risk for UK websites. (See my report of Mr Lands' talk for more on the legal risks for bloggers and websites in the UK generally.)

Back to France, Mr Asmar said that more celebrities were now suing websites after these cases. I wonder if those cases are going to be appealed? Doesn't look like it...

It seems that if you're famous, it's best to have an affair with a French person - then they can sue anyone who reports it in France! But seriously, it would now seem to be a risky proposition linking to French celeb gossip sites or displaying feeds from those sites. And I really don't know if you could now be sued in France if you link to anything (whether from France or not) that has a story about a famous French person, e.g. re-publishing feeds from French websites. Way to stifle reporting about people in France! And it can't be good for French bloggers or sites generally, as these cases will make people wary of linking to or showing feeds from French sites.

I can understand why a website or blogger might be held liable if they deliberately added a manual link to risky material, and I am all for protecting privacy, but I think it is ridiculous that site owners who republish a third party's feeds should be made responsible for the third party's content (unless of course the owner knew the feed was from a dodgy or risky site that tends to publish dangerous material). I sure hope that the French courts' approach to feeds won't be followed elsewhere in Europe or indeed anywhere else in the world.

By the way, I think the heading of the Out-law article "French websites liable for story in RSS reader" was a bit misleading. I don't believe that just because you subscribe to a French celebrity rumour / news / scandal site in your own private RSS reader, which you then read privately on your own computer, that you'd be sued in France. It's including, on your own site or blog, the excerpts from a feed that contains material which is unlawful in France that could get you into trouble there, as you're helping to publicise that material to the world. (Even more by the by, I think the Out-law site is a great source of tech law news, but it's ironic that although they offer their own RSS feeds, I notice they haven't enabled auto-discovery on their own site!).


Saturday, 12 April 2008

Windows Vista source code (funny, especially for non-Windows users!)






With thanks to Azyure, this very funny purported Microsoft Windows Vista "code extract" - originally posted on PC World New Zealand's Linux-focused Tux Love blog (read their post, excellent!), via MyLox blog.

Non-programmers, don't be fazed - it may look like code at first, but just persevere and read it through!


(I hope that PC World won't have a problem with the direct link to the pic but if they do please let me know and I'll remove it.)

I'd add that I'm not using Vista yet, and when I bought a laptop last year opted for XP Pro instead. Clearly I made the right decision!

Friday, 11 April 2008

How to make BBC News site easier to read






I'm a big fan of the BBC, but recently they revamped their site so that the text on the BBC News pages is now grey instead of black:


I find that very hard to read, in fact after a few paragraphs I feel like my eyesight is going. (Other pages on their site, e.g. the BBC blogs, are I find easier to read, maybe because of the dark sidebars, or the spacing between lines - whatever the reason, it feels like there's greater contrast between the text and its background). I find this particular change a bit surprising because normally the BBC are very good on accessibility.

So I was going to whip up a Greasemonkey script for the Firefox browser to address this. But I see that Joe Walp has beaten me to it with his BBC News Black Text script, so obviously I wasn't the only BBC user suffering from the change. Thanks, Joe! And here's what the page above looks like with the script installed - much more readable and legible, as you can see:


So if your eyes are bad like mine, do yourself a favour and install the script!

(For those new to this: Firefox is a free browser which is very powerful and customisable. You can get add-ons or extensions to Firefox to boost its features. The free Greasemonkey extension lets you change how particular websites look when you view them in Firefox (plus a whole lot more), e.g. if the text of a favourite site seems a bit too small to you, you can make it bigger, darker etc in your browser, with the aid of "user scripts" which you install once you've installed Greasemonkey. Here's how to install Greasemonkey and userscripts.)

Friday, 4 April 2008

OpenID: intro & howto for non-techies







This is an introductory guide / tutorial on the OpenID online identity management system, which is increasingly topical - e.g. internet giant Yahoo! recently announced its official support for OpenID, on 17 January 2008, and started a public beta trial of its "Yahoo ID" service at the end of January. OpenID is also one of the main planks of the DataPortability movement (see this short video on DataPortability, and this longer DataPortability video, and DataPortability discussion).

As with my other intros and howtos this post is aimed at the curious consumer rather than hardcore geeks (who probably already know all this!) and it has a practical bent, with suggestions on how to use OpenID as well as a bit about how it works. This post is my little contribution to hopefully help dispel OpenID's image as user-unfriendly and encourage more non-techies to use it.

WHAT'S OPENID, IN OUTLINE?

What's OpenID? Many websites make you register your details with them and then login before you can view all their pages or use their full services. OpenID lets you use just one username and password combo to register for and sign in to all participating websites (e.g. to post a comment on a Livejournal blog), so that you don't have to remember a mass of different usernames and passwords. Hence, it's known as a "single sign on" (SSO) system - you just register once, for an OpenID, then you can use the same login on multiple sites without having to register for them all over again.

Perhaps it's better called a single registration system for your internet identity, as via a Simple Registration Extension it can even get rid of the tedium of manually filling in your "identity information" details on those pesky Website registration forms - in particular your full name, nickname, gender, email address, date of birth, postcode, country, and time zone. (And now there's OpenID Attribute Exchange 1.0).

On web sites that support OpenID, you won't have to register with them afresh in order to sign in. If you have an OpenID, you can just login to those sites with a URL (web address) as your username, and your OpenID password as the password; you can even pass on certain personal details (email address, gender etc) direct to the site if you wish, like with a semi-automated registration form filler. (Yes, you can get that on your computer, but only if you are using that computer - with OpenID, whatever computer you're using, anywhere, you have access to this form filler.)

Hardcore geeks can set up their own OpenID servers but the rest of us would get an OpenID by getting an account with an OpenID provider,
a site that provides OpenID identity services (like Yahoo did from the end of January).

You register with the provider under a username
of your choice, if not already taken, and password of your choice. The provider site will assign you a unique URL which you then use as your OpenID login username (or in some cases you can even use their URL for the login as with Yahoo). But you can alternatively, with a few tweaks, set things up so that you can use your own URL as your OpenID login (e.g. in my case it's www.consumingexperience.com) - and I think that's much better, because if you later switch to a different OpenID identity provider you won't have to change your login URL.

Main benefits of OpenID. Obviously, to be able to log on to all OpenID-supporting Websites or Web services with just one user ID and password combination is convenient as a single combo is easier than having to register and remember different user names and passwords for different websites. And it's better than using the same user / password for several sites to save having to remember multiple passwords, which is not uncommon but which can expose you to the security risk that bad guys who get hold of your password for one site could then login as you and access your account at other sites.

Your URL is your logon. As mentioned, a key feature of Open ID is that, for your OpenID username (logon ID) or identifier, effectively you just use a URL (i.e. Web address) unique to you, that you control. So, a blog URL could be used as your OpenID username or ID - e.g. in the case of this blog, I can use www.consumingexperience.com as my OpenID identity or URL identifier.

Alternatively, you can use for your OpenID identifier the URL assigned to you by the OpenID provider that you signed up with (you may already, unbeknownst to you, have an account with a site that is an OpenID provider). This provider is technically separate from the sites that you can sign in to using your OpenID. OpenID providers are not necessarily the same as the websites which accept OpenID for logons.

So, if you have a Yahoo account, and you want to sign in to another site which supports OpenID (version 2.0 only) like Plaxo, then in Plaxo's sign-in box you'd enter just "yahoo.com" as the URL, and then you'd be taken to Yahoo's site where you'd sign in with your usual Yahoo! ID and Yahoo password. Alternatively you can get a long unique URL identifier from Yahoo, or use https://me.yahoo.com/yourYahooID or http://www.flickr.com/photos/yourYahooID as your OpenID URL:


Again as I mentioned above it's best to use your own URL for your OpenID if you can: domain names are so cheap to buy (or rather rent) these days, that there's no reason not to. I'll explain the tweaks for that later.

I like OpenID not only for the "single registration" concept, but also because OpenID is a non-proprietary open source technology - an open "identity protocol" which is free to providers as well as users. I hope that more sites will support it and more people will start to use it. There are encouraging signs that it's becoming more popular (e.g. it's one of the planks of data portability as mentioned earlier), but there may be a while to go yet before its widespread adoption.

Cons. So far, too few sites let users use their OpenID as their login. I hope this changes, as OpenID will never take off properly if in practice you can't actually use it anywhere you want to go!

Even the sites that provide OpenID identities, e.g. AOL and Yahoo, mostly still don't accept OpenID logins generally - a bit one-sided, isn't it? They want their users to be able to login to other sites that take OpenID logins, but they don't want to let non-AOL or Yahoo etc users sign in to use their sites and services in full! I suspect they're mainly being protectionist about their customers and customer data and trying to get people to register with them for OpenIDs, on which more later.

Another disadvantage is that the biggest pro of OpenID - the convenience of a single sign-on system - carries with it what's probably one of the biggest cons - security. If you have a single sign on for loads of sites, and bad guys get hold of your OpenID and password, then they can get into your account on every one of the sites you use (and maybe some you don't) which supports OpenID, masquerading as you. So you're very dependent on how well your OpenID provider maintains security, in an operational as well as technological sense. OpenID is also more vulnerable to phishing (for more on phishing see this post of a very helpful session on internet security etc, which even non-geeks should be able to follow).

You're also dependent on your provider for keeping your personal details secure and private too (if you decide to give those details to your OpenID provider), not just your password. And obviously you'll be reliant on your provider not to go down or crash or go out of business.

So it's very important to think carefully about which identity provider you'll use: some may be better and more trustworthy than others. And it's also a good idea to get your own domain name and use your own URL for your OpenID. I'll explain how below.

(For good summaries of OpenID pros and cons see this post, this post and the bottom of this diagram.)

THE QUICKIE - PRACTICAL STUFF

  1. Getting an OpenID. You can get your own OpenID from an OpenID provider (identity provider or identity server) by signing up with a provider for an OpenID username and password. The provider stores your OpenID login and password or other "authentication" credentials, and also (if you want to provide them) registration details commonly requested by websites: your nickname, gender, email address, country etc.

    • You may already have an OpenID if you have an account with certain services like AOL or AIM and, more latterly, Blogger or Yahoo: you just need to find out what URL to use for your OpenID (more details are given below e.g. with Blogger, who are now an OpenID provider, you can just use your blog's URL). I wouldn't use Yahoo though, for now - their system only works with OpenID-enabled sites that support a newer version of OpenID which was only released in December 2007, so it won't work with many sites yet.

    • Many identity providers will provide OpenID IDs for free. See later for the links.

    • You can have more than one OpenID identity if you wish. And you probably should, if you want to be careful about your privacy.

    • You can store various registration details associated with your OpenID identity such as nickname, gender, email address etc - then choose which details you want to give the site you're logging in to, and have the details automatically filled in without your having to re-type them. (Not all identity providers support this "simple registration" feature).


    • You can use your own blog or Website URL for your OpenID ID, if you know how (covered below). A plus - you can keep that same URL to use as your OpenID, even if you later change identity providers.

    • You can even set up and use an OpenID provider on your own computer server, if you know how (not covered below!)

  2. Using your OpenID. Once you have an OpenID, you the "end user" can just use your OpenID username to login to all sites that accept OpenID (these supporting sites, or OpenID-enabled sites, are known as "relying parties" or, in my view confusingly, sometimes they're called "consumers", because they're "consumers" of your identity).

    There's no need to register or sign up afresh with OpenID-enabled sites, because you prove your identity via your OpenID login.

    Mechanics: the "relying party" site that you want to log in to - e.g. Plaxo - contacts the identity provider's servers - e.g. Yahoo's - to verify your identity when you try to login on the site, so you'll be diverted temporarily to your identity provider's site to enter your password with the identity provider (if you're not already signed in with the provider at the time you try to login to the relying party site). That way, you confirm direct with your identity provider (and only with your identity provider, not the relying party) that you are who you say you are, and the provider tells the relying party that you're OK, and youo're sent back to the relying party's site. And you can also choose which (if any) personal details e.g. email address you want to give the site you're trying to access. Don't ever enter your OpenID password on any page that isn't on your OpenID provider's site (in this example Yahoo) - the whole idea is that you only need give your OpenID password to your identity provider, not the relying party site or any other site.

  3. Note: providers vs relying parties. Note that the identity provider need not be the same company as the accepting site, and in fact usually it isn't - which is part of the point of OpenID, separating the two. An identity provider which offers OpenID identities to its users may also decide to accept OpenID logins from others for its services generally - but it doesn't have to. E.g. AOL provided OpenID identities to its users a while back, so that AOL users could login to other sites which accept OpenID logins, but AOL itself is still only gradually allowing non-AOL users to access AOL services via OpenID login. In other words, not all providers are relying parties, and vice versa. So, just because people can now comment on Blogger blogs using their OpenID logins, it didn't mean that you could use your Blogger URL to login on other sites, even if they generally accepted OpenID - the latter only became easy when Blogger became an OpenID provider itself in January 2008.

  4. Tip: get your own URL (domain). Then you can use it for your OpenID identifier, using any identity provider you wish, and keep the same URL as your OpenID even if you later switch identity providers.

  5. In a way, OpenID isn't really "identity" or even an "account". Using OpenID just means that the identity provider will confirm to the relying party that you are the person who controls the website whose URL you enter for the login username. The relying party gets no guarantee that you really are who you say you are (or indeed that the identity provider is telling it the truth!). So you can use OpenID and still be anonymous, or in my case pseudonymous. For me its main advantage is the convenience factor of a single login and password. And believe it or not, it positively helps me to stay anonymous and maintain my privacy, because I can have several different OpenID identities, one for each of the different aspects of my life.

  6. More details. For those who want to know more even about Open ID, below I'll cover:

    1. the increasing adoption of OpenID

    2. how to find out which sites accept OpenID

    3. what your OpenID identifier is, if you already have one through having an account with AOL, Blogger etc

    4. how to get yourself a free OpenID identity if you don't already have one, including finding out about identity providers, some things to look out for when choosing one, signing up for an OpenID, how to use your own URL as an OpenID identifier, some useful features of OpenID, and checking your OpenID works

    5. a walkthrough the process of signing in to a relying party site with OpenID

    6. Blogger blogs and OpenID

    7. some OpenID tools for users

    8. risks and issues with OpenID

    9. links to some resources (I'm not going to cover how to set up an OpenID provider or relying party server, but I'll include some links to some webpages that do)

    10. thoughts on possible future developments.

THE LONG AND SLOW

OpenID - a bandwagon?

Open ID is not the only digital identity management service or digital identity network around - but it is gaining momentum, gathering support from more and more of the big boys and continuing to develop further too, recently finalising various enhancement specifications in December 2007: OpenID Authentication 2.0 (and also the related OpenID Attribute Exchange 1.0).

OpenID got a big boost last year in February 2007 when Microsoft, Verisign, Sxip and JanRain announced their intention to collaborate on interoperability between Microsoft's Windows CardSpace and OpenID, and around the same time the over 63 million AOL users also got a free OpenID service from AOL. AOL have also since started allowing people to login to AOL websites and services using OpenIDs provided by certain companies other than AOL. The first telecomms company to embrace OpenID was Orange France, which began providing OpenIDs for all their over 40 million subscribers in September 2007. As mentioned earlier, Yahoo! decided at the start of this year to be an OpenID provider, and Microsoft started an experimental OpenID provider Inkblot in December 2007.

On the blogging front, OpenID was originally developed at LiveJournal so not surprisingly it was supported by that blogging platform from early on. In March 2007 WordPress.com began providing OpenIDs to their users. From September 2007, with Movable Type 4, Movable Type included OpenID authentication built in, so commenters on Movable Type blogs can sign in using OpenID. And in December 2007, Google's Blogger began accepting OpenID sign ins from people logging in to post comments on Blogger / Blogspot blogs, at first just via their test bed Blogger in Draft, but that feature was soon rolled out to all Blogger blogs, after they'd fixed some teething issues too. Blogger began acting as an OpenID provider in January 2008, with users of Blogger being able to use their Blogspot URLs as OpenID logins on other sites which support OpenID, and then even allowing Blogger users to use their own domain URLs instead of their blogspot.com URLs for their OpenID logins. For those who write or read Blogger blogs I'll be covering OpenID in more detail below, after a general overview.

Dave Recordon was a winner of the 2007 Google-O'Reilly Open Source Award for best strategist for his role in, as they put it, "pushing Identity into the open source space", and Google and Yahoo have modelled their OpenSocial Foundation after the OpenID Foundation, so clearly it's all been developing very well.

On which sites can you use OpenID?

There seems to be no totally comprehensive, constantly-updated list of all the sites that accept OpenID logins - if anyone knows of one do please let me have the URL. The fullest lists of OpenID-enabled sites are probably these:

As you'll see from those lists, quite a few sites already let you sign in with your OpenID ID. Some examples:

But beware of a twist: not all OpenID-enabled sites will accept OpenIDs from all OpenID identity providers. For instance, AOL Developer Network have a whitelist of accepted OpenID providers; if a provider is not on that list, you can't sign in to that site with an ID from that provider. So if you're signing up for an OpenID, best opt for a well known one.

And as I keep emphasising, not all OpenID providers will accept OpenID logins from other sources, e.g. Yahoo doesn't.

How do you get an OpenID identity? Have you got one already? What's your OpenID login ID?

You may already have an OpenID identity if you've previously registered with certain websites or services - particularly some popular blogging platforms.

OpenID have a fuller list of what your OpenID URL would be if you already have an account with services like WordPress.com; below I give the format for your OpenID URL if you have an account with the most popular sites, such as:
  • AOL or AIM - use openid.aol.com/YOURAOLSCREENNAME. Note: If you have an AOL blog, then you can also use its URL, i.e. http://journals.aol.com/YOURSCREENNAME/YOURBLOGNAME, for your OpenID login. Yes, if you have more than one AOL journal, you can use any of their URLs

  • Blogger - use your blog URL as your OpenID logon. Go to your Dashboard, Settings, and the OpenID tab will state what your OpenID URL with Blogger is. (Note: the OpenID site says you can use yourusername.blogger.com but that didn't work for me)

  • LiveJournal -use YOURLIVEJOURNALUSERNAME.livejournal.com

  • Technorati - use technorati.com/people/technorati/YOURTECHNORATIUSERNAME - see further instructions on how to use your Technorati profile URL as an OpenID login, both generally, and in order to comment on a Blogger blog even if you don't have a Blogger account.

  • Vox - use YOURMEMBERNAME.vox.com.

  • WordPress.com (see the WordPress.com OpenID FAQ) - use YOURBLOGNAME.wordpress.com

  • See the list for a few others. You can alternatively use your existing TypeKey or TypePad account, if you have one. (I don't use TypeKey myself, but it seems the OpenID URL for those who do would be: profile.typekey.com/YOURTYPEKEYUSERNAME).

For instance, if your WordPress.com URL is http://yourblogname.wordpress.com, you can use that URL as your OpenID logon.

Got a Yahoo account? As mentioned, Yahoo are now a provider - go to Yahoo's OpenID page to customise your OpenID URL. Previously you could have an OpenID using your Yahoo login by signing up for Simon Willison's idproxy.net which is "unofficial but sanctioned", and it's still in operation. (Simon ran a very helpful session on JQuery at BarCampLondon3 in November, totally by the by.)

But what if you don't want an account with one of those websites, or what if you don't want to use a URL with "aol.com" or "WordPress.com" etc in it as your OpenID login?

You may well want to use a completely separate dedicated URL for your OpenID logins. Or you may already have your own domain name, or your own blog, and you might prefer to use that URL as your OpenID instead.

The good news is, you can use a different URL as your OpenID. But first, you'll need to have an account with an OpenID identity provider. And then, if you want to use your own URL instead of a URL assigned to you by the provider, you'll need to take some further steps which I'll cover below.

Alternatively, you can set up and run your own OpenID identity server - but that's way beyond the scope of this post.

Signing up with an OpenID provider

When you open an OpenID account with an OpenID identity provider, you'll have to choose an OpenID username and password. Obviously try to pick a strong, long password with a mix of letters, numbers, maybe symbols, and both uppercase and lowercase, as this will be your "single password". Then, after sign up, you should be able to use the same ID and password across all "relying party" sites which accept OpenIDs provided by that provider.

Note that although you'll use a URL to login to OpenID-supporting web sites after you've signed up for OpenID, you don't actually have to use a URL as your username when you're signing up for OpenID with an OpenID identity provider. You can just pick a name that's not already taken. I use "Improbulus" (surprise, surprise).

Normally, after you sign up with an identity provider it will assign you a special URL on its own site which you can then use as your OpenID username / identifier. For example, I signed up for a VeriSign Personal Identity Provider account with the user name Improbulus, and they gave me a "Personal Identity Provider Access URL" of "improbulus.pip.verisignlabs.com". So I can sign in to OpenID-enabled sites by entering "improbulus.pip.verisignlabs.com" (without the quotes) into the username box. That "access URL" is what I'll call my basic OpenID identifier with VeriSign (identity endpoint). With providers like Yahoo!, which use OpenId 2.0, you can even use just "yahoo.com" as your login username on the relying party site, then sign in to Yahoo with your usual Yahoo details.

But you're not stuck with having to use only that basic OpenID identifier as your OpenID login. You can still use your own URL as your OpenID login if you prefer (I'll explain how below). They're just separate alternatives. You can log in to OpenID-supporting sites with either the special URL your identity provider gives you (your basic OpenID identifier), or (once you've taken a few extra steps) your own URL. Either will do.

Checking if your new OpenID identifier works

How can you test if your OpenID ID is working?

You could of course try to sign in with it on one of the OpenID-supporting sites.

Or you can try OpenIDEnabled's checkup page for testing OpenIDs - just enter your OpenID URL/identifier in the box and hit Check. (They also have a page to help the geekier ones amongst us to test OpenID servers they've set up themselves).

Registration form filling - Simple Registration, and personas

Now, an OpenID feature you may find helpful is Simple Registration, which I touched on earlier. Many websites, when you register with them, ask you to fill in a form with not only a username and password but also other personal details such as your email address, gender, birth date, postcode, country of origin etc - some of which is compulsory. It's a pain to have to enter all that info just to complete your registration with the site, site after site after site.

So OpenID allows you, under what's called Simple Registration, to store certain commonly-requested pieces of personal data with your identity provider, which you can then selectively choose to pass on to the relying party when requested during your signing in process.

As long as your identity provider supports simple registration (not all do e.g. ClaimID doesn't seem to at the moment), you can store with it whichever of those pieces of identity information you choose. And you can edit it all afterwards, of course.

However, different identity providers deal with simple registration differently. It's easiest to illustrate the differences with some actual examples.

MyOpenID
allows for a concept called "personas", where you can create different personas, each with a different set of personal details, all under the same OpenID. One persona may be associated with your birth date, gender, email address etc, but another persona only your gender; or different personas could be associated with different email addresses. The "persona" concept is also described in the recently-finalised OpenID Attribute Exchange 1.0 specification as "A subset of the user's identity data. A user can have multiple personas as part of their identity. For example, a user might have a work persona and a home persona."

When you try to login to a relying party site, MyOpenID will fill in the boxes on the registration form for you depending on the persona you pick. For instance, the "identity data" info I've associated with my default persona on MyOpenID by filling in the form on MyOpenID is limited to name, nickname, gender, website, country, language and timezone (I've not included email or birth date; never ask a woman's age!).


Now I'll try to login to the AOL Developer site via my MyOpenID ID. That's fine, I get in after I give my OpenID password on the MyOpenID page which I'm taken to. But then the AOL site's registration form for new users asks them for their email, gender and country. Well, that info is automatically entered into the registration form boxes for me by MyOpenID, because I'd previously registered it with MyOpenID; but where I've not given details to MyOpen ID then, not surprisingly, it's not filled in - e.g. here I've not given my email address or date of birth to MyOpen ID, so those boxes are blank below, but my gender and country have been completed by MyOpenID for me. I could then still delete anything I decide not to give the site, or edit it, before I finally hit OK:


If I had a separate persona called e.g. "Fake Man" where I'd entered some email address and given my gender as male (yes I can do that!), and I'd selected that persona on MyOpenID for logging in to AOL Dev, it would have filled in the email field for me and selected Male. And so on.

Verisign, on the other hand, lets you fill in one set of personal information in your Verisign account on your "My Information" page there, e.g. your email address (I've just blanked it out from the screenshot below):


- and then when you try to log in to a relying party site with your Verisign PIP OpenID, you are shown the type of info required by that site on the left (boxes corresponding to the data requested), as you can see below. The info you'd previously filled in on the Verisign site is shown on the right (in this case only my (blanked-out) email address), and you can then choose which ones to "copy across" to the left with a few clicks, to help fill in the relying party site's registration form. More steps are needed on your part, but perhaps you have more control this way:


As another example, another relying party site where I'd signed in using my Verisign OpenID only wants my nick name, so there are virtually no boxes on the left shown to me by Verisign:

Which OpenID identity provider?

There are many OpenID identity services which will provide you with an OpenID ID, many of them for free. See:

It's your decision who you go with, of course, but you're probably better off signing up with one of the providers listed on the official OpenID page as they're relatively known quantities and hopefully can be relied on to be more careful with their security. Reassuringly, all the ones on the OpenID page are also on the AOL whitelist.

They all appear to be slightly different - see the OpenID wiki list for brief descriptions. Myopenid.com is probably the best known as the company behind it, JanRain, has been heavily involved with the OpenID project from the start. They also have decent help pages. ClaimID seems to be venturing into social networking, encouraging users to "claim" all their websites, and providing supporting "identity tools" like microformats for your profile contact details. Some providers will charge you for providing you with an OpenID. You pays your money...

But I'd just mention a few particular points to bear in mind when you're choosing an identity provider:
  1. Does it support "delegation" (covered below)? If you want to use your own URL as your OpenID login, you have to pick a provider that supports delegation - most of them do, but it may be worth checking the point. For instance, VeriSign doesn't seem to support delegation.

  2. Does it support Simple Registration / Attribute Exchange, and if so how does it work? I think it's very useful, so personally I'd prefer a provider who does have it.

  3. How much do you trust it to keep your information secure and private, and to not stop being an OpenID Provider, not go bust and not sell your details to someone else?

How to use your own URL for your OpenID identifier

Now if you control your own blog or website, such that you can insert some HTML code into the head section of the main page of your site template (e.g. Blogger blogs, or a WordPress blog that's not on WordPress.com), then you can use your own blog or site URL as your OpenID login.

This makes use of an OpenID feature known as "delegation". If you don't run your own identity provider but have signed up with a third party identity provider (which is most of us), you can "delegate authentication" of your identity to the identity provider that you've signed up with, like MyOpenID or VeriSign or even Blogger. The OpenID wiki explains how to set up delegation.

To use your own URL as your OpenID:
  1. Sign up with an OpenID identity provider that supports delegation.

  2. Set your website or blog up to delegate authentication by inserting certain HTML code into the head section of your blog template or site's home page or index page (i.e. the page that visitors are first taken to if they just try your base URL), and save and publish / upload. Most providers will have the delegation code info for their particular service somewhere on their Help pages. (For beginners - go to the Edit HTML view of your blog template or similar, and in the line just before the </head< tag, paste in the delegation code.)
The basic format for the delegation code is the following, but you'll need to get change YOUR-PROVIDERS-OPENID-SERVER-URL to the URL of your provider's identity server, and change YOUR-OPENID-URL to the special URL given to you by the identity provider when you signed up with them i.e. your basic OpenID identifier (in my Verisign example, that would for me be http://improbulus.pip.verisignlabs.com):
<link rel="openid.server" href="http://YOUR-PROVIDERS-OPENID-SERVER-URL">
<link rel="openid.delegate" href="http://YOUR-OPENID-URL/">
or for providers using the shiny new OpenID Authentication 2.0 spec, the code is in the slightly different format:
<link rel="openid2.provider openid.server" href="http://YOUR-PROVIDERS-OPENID-SERVER-URL">
<link rel="openid2.local_id openid.delegate" href="http://YOUR-OPENID-URL/">
Both versions do the same thing. The first line indicates the URL of your identity provider's identity server - so that the relying party site knows which server to go to in order to check your OpenID identity. The second line indicates your OpenID basic identifier, so it knows which identity / identifier it should check.

MyOpenID uses both versions of the code, plus a bit extra which I won't go into here, with their code currently being the following (change YOURMYOPENIDACCOUNT to your own MyOpenID username before inserting it into your blog template or site HTML, of course):
<link rel="openid.server"
href="http://www.myopenid.com/server" />
<link rel="openid.delegate"
href="http://YOURMYOPENIDACCOUNT.myopenid.com/" />
<link rel="openid2.local_id"
href="http://YOURMYOPENIDACCOUNT.myopenid.com" />
<link rel="openid2.provider"
href="http://www.myopenid.com/server" />
<meta http-equiv="X-XRDS-Location"
content="http://www.myopenid.com/xrds?username=YOURMYOPENIDACCOUNT.myopenid.com" />

For ClaimID the code is the currently the simpler older OpenID Authentication 1.1 spec version, being:
<link rel="openid.server" href="http://openid.claimid.com/server" />
<link rel="openid.delegate" href="http://openid.claimid.com/YOURACCOUNT" />
You get the drift... you'll have to consult your provider's help pages for the exact delegation code to use, as it'll vary with the provider - in particular you need to know the URL of their identity server to insert it in the server or provider bit of the code.

But you'll notice that the URL of your blog or website, the URL which you want to use for your OpenID identifier, doesn't appear anywhere in the delegation code. It doesn't have to: it's enough that the right code is added to the header section of the template or HTML of the blog or site whose URL you want to use as your OpenID identifier. As long as the correct code is in the HTML of the website whose URL you've entered on the relying party site, your OpenID sign in will work.

One possible gotcha to note. My main URL is http://www.consumingexperience.com/, but via the settings pages of my domain registrar, I have also fixed it so that the URL of http://consumingexperience.com/ (without the www) will forward to http://www.consumingexperience.com/. In other words, if a visitor tries to go to http://consumingexperience.com/ in their web browser, they'll be taken to http://www.consumingexperience.com/. However, when I login to an OpenID relying party site, I can't use consumingexperience.com - I have to use www.consumingexperience.com, which is my main URL, or else it doesn't work and I can't log in. I don't know enough yet to know if it's the provider or just the way OpenID is, but rather than face problems, it's probably best to enter your full main URL rather than being idle like me!

If you change identity providers, all you have to do is update the delegation code in the head section of your blog or website's to your new identity provider's delegation code, and voila you can still use your blog or site's URL with the new identity provider.

Can you have more than one OpenID identity?

You can have more than one OpenID identity if you want. All the talk about a "single ID" or "single-sign-on" with OpenID doesn't actually mean you are restricted to using a single ID on participating OpenID-enabled sites. Rather, it just means that, if you wish, you can use a single user/password across all OpenID-enabled sites without having to register separately for each of those sites (which is the main point of OpenID and similar systems).

You don't have to do that, though - if you prefer, you could stick to using a different ID/password for each site, or have two or three different OpenID identifiers to use for different types of sites (I'll explain how below).

So I could have an "Improbulus" OpenID ID for all tech sites, another OpenID identity like "Singer" for (say) music-related sites, and yet another OpenID user for sites which I'd visit under my real name. And, given how strongly I feel about privacy and security/safety online, I would.

You can even have more than one OpenID from the same identity provider, e.g. VeriSign offers this option.

If you control more than one blog or website, you can use different URLs for different OpenID accounts. Put one bit of code in the head section of one blog, and put different delegation code in the head section of another blog or site!

Can you use more than one URL to "represent" the same OpenID identity?

Conversely, if you really want to you can have one OpenID account but put the exact same code in the head section of more than one blog or website.

Then you can log in to relying party sites using any of those blog URLs (but with the same password, the one you use for that particular OpenID account).

For instance if I put the MyOpenID code above (altered for my MyOpenID username of course) in the head section of the template for this blog, and also put it in the head section of the template for a test blog originalimprobulus.blogspot.com, then I could log in to any OpenID-enabled site by using either www.consumingexperience.com or originalimprobulus.blogspot.com as my "username" / OpenID identifier! Either would work.

What you shouldn't do though is to try to insert delegation code more than once in the same template, but pointing to different OpenID providers' servers. The site you're visiting might throw a fit trying to deal with being directed to more than one OpenID provider, or it might just take the first one it finds in the head section and ignore later ones, but either way it's not a great idea and I for one don't intend to try it as I don't want to be responsible for giving any poor widdle servers the wobblies, they've got enough to contend with as it is.

The OpenID login process - a walk through

A quick walk through the OpenID login steps might be helpful at this point - that is, logging in to an OpenID-enabled relying party site with your OpenID.
  1. Find the OpenID login page or tab on the relying party site. That can be the hardest challenge in this process! On some sites the login is OpenID as standard, but on other sites unfortunately you have to choose the correct tab or select the correct option (which sometimes is well hidden away or needs some hunting around for), in order to be able to use OpenID for the login.


  2. Enter your OpenID URL. Once you find the OpenID login page or tab, you'll see that they only ask for your OpenID user or identifier, i.e. your OpenID URL, see the screenshot above. No password is required at this stage, nor should it be (if it asks for your OpenID password it may be a bad site trying to get hold of your info!). Just put in your OpenID URL and carry on. (Note: it seems you can leave out the initial "http://" and any final "/" in the URL - works for lazyfingers me, anyway, so I'd just enter www.consumingexperience.com.)

  3. Behind the scenes. The relying party site then, behind the scenes, goes to find the webpage whose URL you entered, and (if you entered your own URL rather than the special URL given by your provider) sees if there's delegation code in the webpage source (this is known as "discovery"). Then, it goes to whichever server of the OpenID provider is specified in the delegation code.

    • Of course, if you entered the URL assigned to you by your OpenID provider (e.g. my VeriSign OpenID URL is http://improbulus.pip.verisignlabs.com), it will go straight to your OpenID provider's servers without checking any other webpage.

  4. Your identity provider kicks in. At this point things may differ depending on whether you were already logged in with your OpenID provider before you went to the relying party site. The common factor is that you are now redirected to your OpenID provider's site. This might not always be obvious. But you shouldn't be taken to any site - only your provider's site. Be suspicious if it doesn't seem to be your provider's site.

    • Choose registration details. If you had already logged in with your OpenID provider via the same web browser before you tried to visit the relying party site, you can just choose or edit any further registration details required by the relying party site (as mentioned above), and then login (sometimes it may be the other way round, you may only be asked for further registration details after you log in). And you'll be taken back to the relying party's site, all nicely registered (if necessary) and logged in. In the screenshot below, I'd click Add Persona (outlined in red) if I wanted to use a different persona with different registration details.


    • Enter password and choose registration details. If you hadn't yet logged in with your provider (and there's no particular reason why you should be), then you'll need to enter your OpenID password on your provider's site - that is, the password for your OpenID account with that particular provider - also, before you can proceed further. (If all checks out, i.e. you give the right password, again you'll be taken back to the relying party's site.)


    • Choose how long your sign-in is good for. In the MyOpenID screenshot a couple of pics above, do you see in the bottom right hand corner something I've outlined in blue? "Allow Forever, Allow Once, Deny". Those options are self-explanatory. You can choose to always allow that relying party site, if you trust it and want to be able to access it more easily in future, with "Allow Forever". Similarly, just before the "Which OpenID identity provider?" section above, the VeriSign screenshot shows a "Trusted Site Expiration" box at the bottom: Never expire, Expire on [a date of your choice], Expire after signing in. Similarly if you use Blogger as your identity provider:


  5. Return to relying party site. If you've entered your correct password with your provider, then it'll take you back to the relying party's site, confirming to the relying party that it all checks out, and you'll be registered / logged in to the reyling party site.

Note that it's the server at your OpenID provider that checks that you've entered the right password for the OpenID account associated with your URL. The relying party site never gets to see your password. Simple and effective, isn't it?


Blogs and OpenID

Now on to blogs. There are of course two ways in which OpenID can be relevant to a blog, on whatever blogging platform:
  1. Can the blog accept OpenID logins from commenters? i.e. is it an OpenID relying party, is it OpenID-enabled?

  2. Can you use your blog URL as an OpenID login (a) with delegation, or (b) directly (i.e. without having to insert any delegation code)?
I'm really mainly a Blogger user so I'm going to cover in detail just that platform. However, I believe there is a WordPress plugin for those who want to enable OpenID commenting on WordPress blogs and see this on amending WordPress files.

Allow commenting on your Blogger blog by OpenID users

For 1, as mentioned earlier the answer is now "Yes" for Blogger / Blogspot blogs. Blogger blogs can now be set up to allow comments by people who login using OpenID.

As you'll know if you have a Blogger blog, you can control the sorts of people who can post comments on your blog: Anyone, Registered Users, Users with Google Accounts or Only members of the blog (Dashboard - Settings tab, Comments, Who Can Comment).

Obviously "Anyone" lets anyone comment on your blog, even anonymously. So it's up to them if they want to use OpenID or not.

If you want to stop anonymous comments but allow readers to comment using their OpenIDs, you can pick "Registered Users" to enable OpenID commenting. This would widen the pool of commenters beyond just other Blogger users. In other words, "Registered Users" will allow both OpenID and Blogger users to comment (AOL, LiveJournal etc logins are of course just one type of OpenID, as you now know):


And Blogger will even give hints to LiveJournal, WordPress, TypePad or AIM users as to the format to use for their OpenID:


There's Blogger Help on OpenID commenting and Kirk's post on enabling OpenID support on blog comments for Blogger gives a step by step on how to use OpenID to comment on a Blogger blog (as does a Technorati post, using your Technorati profile as your OpenID ). There was a little niggle which Kirk pointed out but they fixed it, Blogger folk generally listen to him!

What about using your blog URL as your OpenID? As mentioned above, you can now simply use your Blogger blog's URL as your OpenID username when logging in to any OpenID-supporting site - just go your Blogger dashboard, Settings, OpenID tab to check what your OpenID URL from Blogger is.

If you want to use your own domain name on Blogger but use Blogger as your identity provider, just use delegation, as I've already covered above (and as Kirk previously had, much more concisely, in his post).

Team Blogger have given some delegation code in a Blogger in Draft post:
<link rel="openid.server" href="http://draft.blogger.com/openid-server.g">
<link rel="openid.delegate" href="http://yourbloggerblog.blogspot.com/">

In case anyone is confused by that, the code is to let you use Blogger as your OpenID provider, but instead of using your Blogspot.com URL as your OpenID identifier, you can use your own domain name URL. So say you owned the domain MyGreatDomain.com, and you had a Blogger blog at MyGreatBlog.blogspot.com. You'd change the HTML of MyGreatDomain.com's base webpage to add the delegation code above, changing "yourbloggerblog.blogspot.com" to "MyGreatBlog.blogspot.com" in the second line.

Then in future you can login to an OpenID-enabled site by using MyGreatDomain.com as your username (instead of using MyGreatBlog.blogspot.com), but using your Blogger password as the password. You wouldn't need to do anything to your Blogger blog's template.

What if you have a custom domain with Blogger? Now I haven't tested it yet but I expect that in that case either you wouldn't need any delegation code at all, or else you would insert the delegation code given by Blogger in the head section of your blog template, but changing yourbloggerblog.blogspot.com to your custom domain's URL.

OpenID tools for end users

I've only come across a couple of OpenID tools for OpenID endusers i.e. us consumers (as opposed to identity providers), so far.

Both are free add-ons or extensions for the fab Firefox browser (how to install a Firefox extension; ) and they're intended to help you manage your OpenIDs, if you have more than one, and help to automatically fill in your OpenID username (i.e. identifier URL) in the appropriate box on the sign-in page of OpenID-supporting sites whenever you go to the login page, to save you typing in the logon URL manually.

Be warned that I haven't had the chance to test them properly yet, but I'm listing them here for those interested, they both add icons to the right of your Firefox status bar; I've outlined them both in the screenshot below:


  • Appalachian (download) - for the modern privacy freak like me, who has more than one OpenID ID... Outlined in orange in the pic above (and the icon is an orange oval).

    • They say "Appalachian assists users by storing which of their OpenIDs have been used on which sites. It is inadvisable to use one OpenID for all identification purposes, especially if you want to keep your activities in one regard separate from another, or if you desire anonymity. "

    • "Appalachian also keeps you from repeatedly typing your OpenID."

    • "To shield you from a well-recognized weakness in the OpenID login protocol, Appalachian will also help you combat phishing attacks by explicitly verifying that the login protocol is proceeding as it should or noticeably warning you when it appears the login protocol is deviating from expectations."

    • Once installed you'll get that little orange oval in the status bar of Firefox as shown above. Rightclick it for settings etc:


      At first sight it doesn't look very user friendly, but you're supposed to be able to add OpenID info for your IDs just by logging in to your OpenID provider's page, whereupon the oval should show a blue plus sign, see below, and left clicking that should automatically add in your OpenID details for that provider; however, it wouldn't work for me, so I may have to add the info manually - would be interested to know if anyone has managed to get it to fill in the details automatically?:


  • VeriSign's SeatBelt plugin - outlined in red in the status bar, bottom right, in the screenshots earlier. This is meant to ease OpenID signin and looks out for phishing attacks - it was produced for VeriSign PIP users mainly, of course, but there's an option to add other providers and switch between them (if the other providers support Seat Belt).

    Here are some screenshots of SeatBelt's settings:


    As you can see from the pic below, it lets you add other OpenID providers apart from VeriSign, too; in fact, when I login to MyOpenID on the MyOpenID site, SeatBelt seems to automatically detect that login, which is great (see the screenshot above which shows my URL identifier next to the lock icon at the bottom right). So that beats Appalachian for starters, where clicking the plus sign doesn't do anything at all to grab your OpenID details from your provider and store them in Appalachian:


    There's a tab in the settings for OpenID delegation also, but it doesn't automagically insert delegation code for you, alas - what it does is to let you enter your preferred URL (e.g. blog or own site URL) in a "Delegate Identity URL" box and choose the OpenID provider you're using for that, and then when you go to an OpenID-supporting site it'll automatically fill in the username box with the URL of your blog or site. But you still have to add the delegation code to your blog or site before that'll work properly.


    Don't worry about the following "error" by the way, that just means you haven't logged in with an OpenID provider during your current Firefox session. You just need to login there before SeatBelt will fill in your OpenID identifier for you on OpenID-enabled sites.

    This tools isn't without its problems or issues. For example I've been getting these even when logged in to an OpenID provider, and if you can't trust myopenid.com which is one of the original OpenID sites, who can you trust...? Shurely shomething wrong, shomewhere?:



    Still it's early days yet, I'm sure things will improve with time.
There are also some Greasemonkey OpenID user scripts but I've not tried them yet. (More on Greasemonkey for Firefox.)

I gather that Firefox 3.0 when out is due to have built-in OpenID support, but it doesn't seem a priority so who knows when...

Risks / problems with OpenID - security etc?

With the increased convenience comes some risk. If someone knows your blog or site URL and gets your OpenID password, they could of course login as you at any of the variety of sites supporting OpenID, so you're possibly more exposed in that way.

You'll thus be very dependent on the strength of the security of your OpenID provider. Which is a major reason why earlier I suggested you go for a well known one rather than a new tiny outfit from somewhere you've never heard of.

And phishing may indeed be made easier by OpenID.

Arguments seem to rage either way, see e.g. this post. I'm taking a "wait and see" approach myself, but I really like the concept of OpenID and want it to succeed.

And the future of OpenID?

Hopefully more sites will support OpenID in future. One interesting development as I mentioned is that some providers allow you to have several different "personas" associated with the same OpenID identity e.g. one for technology sites, one for things accordion, one for sites where others share your secret passion for collecting candy bar wrappers, and so on.

There seems to be more progress generally, with technologies meant to be complementary to OpenID like OAuth being developed (more on OAuth and its relationship with OpenID; Wikipedia entry) and, of course, the DataPortability movement.

But I don't think OpenID will take off properly until more sites agree to support OpenID as relying parties, not just as identity providers. Indeed, it's even been suggested that big companies which just set up as providers are exploiting their users (AOL rebuttal..). Google has been mentioned as one of the few that is both a provider and "consumer" with Blogger, but in fact it's not really fully supporting OpenID in Blogger yet, because if you want to create and post to a Blogger blog you have to have a Google account - not just an OpenID identifier.

Time will tell...

More OpenID info

If you're keen to find out more about OpenID, try these: