This one was informative for me because although I was vaguely aware of
Ma.gnolia’s plans for their version two release, I didn’t know about
the technical aspects — requiring OAuth, self-hosting, and open source code.
The discussion about using OpenID and related ‘open web’ technologies to
automatically tell web services where things is quite appealing. This podcast
episode is from late August, so maybe work has already begun on implementing
such concepts.
If you think about it, this is really why the open web movement exists. The
open web revolves around the idea that if I put information into the system
then that data belongs to me. If I fill out a Facebook profile or use Twitter
or make a bookmark on delicious, it’s true that somebody owns the system that
allows those things — but what use would the system be if I didn’t use it?
So it’s about ownership. But ownership implies freedom — freedom to do whatever
I want with my information, since I control who has it and what they can do
with it.
This is something that companies offering hosted services dislike. Their
business model is generally based on the idea that once you put your
information into the system it’s stuck there. Investors see much more revenue
potential in a captive audience, because the audience has no choice but to
use whatever’s being offered, unimpressive as it may be — a non-technical
example would be product placement.
And this is where the whole idea really becomes useful. An important part of
the open web is data portability — the ability to easily transfer my
information between services. Suppose I’m on Facebook, and I decide I want to
try a different social network. With data portability, I’m able to tell the new
site about my existing Facebook account and let it import all my friends.
This means that the power situation is changed. I’m no longer stuck using
whatever site my friends have chosen. I’m no longer forced to trust that the
site I’m on will continue to provide new features and a useful service.
Instead, by using a service I’m actually endorsing it, because I’m not
obligated to stay there.
It also entices the site’s owner to improve their service. When a site
maintains its user base through feature offerings, they’re less able to simply
make something good and then let it sit. Innovation is hard, but when it works
everybody wins.
But despite all that, I set out to publish a transcript, not an essay. Here we
go!
LH:
Hello!, and welcome to episode nine of Citizen Garden. I’m Larry
Halff…
CM:
I’m Chris Messina.
SK:
I’m Scott Kveton.
WN:
And I’m Will Norris.
LH:
And we’re here today… I’m freshly back from Seattle after making a big
announcement at Gnomedex that Ma.gnolia is being rewritten from the ground up
as an open source, downloadable tool. Actually, it’s being broken up into
several pieces. I think that’s the more important announcement; there’s a lot
of open source publishing platforms out there… blogging tools, there’s even,
y’know, I think, a handful of open source social bookmarking systems. A more
important thing about what we’re doing is that we’re really trying to pave
the way forward with the open web, and part of that is getting these
decentralized and federated systems talking to each other. And open source
happens to be one way to advance that cause.
CM:
Let’s back up here a little bit, ‘cause I’d like to sort of understand
better where this idea came from — why you would take this approach when,
y’know, you’ve built up a pretty good audience on Ma.gnolia, you’ve got a
good user base there, and you’ve done really well so far in supporting a
number of these open protocols like OpenID and supporting microformats and
OAuth and so forth. but how does open source or open sourcing the platform
actually support the open web — and what actually motivated that
decision?
LH:
Well, I think the primary motivation was seeing that the social aspects of
these publishing tools doesn’t really scale when there’s the big single point
of failure. and Ma.gnolia has had downtime, Twitter has the infamous ‘fail
whale’, Flickr gets massages — and all these things happen, and when it
happens you sort of… you lose access to a pretty important piece the flow of
your online life. And as they grow, the load that’s caused by exponentially
putting out… the exponential effect of putting out all these social
connections and publishing and keeping everyone up-to-date just doesn’t… just
isn’t really gonna scale in the long term. And I think, y’know, what we’re
seeing with Twitter now is nothing like what we’re gonna see with that kind
of tool down the road. I mean, hardly anyone really uses Twitter…
SK:
Yeah, like a million users maybe.
LH:
So I think we really see an important next step is to finding out a way
that these things can be pushed out to the edges, yet still have the social
functionality of getting everyone talking to one another.
CM:
Now one of the things I think, y’know is interesting… so, Scott is with us
at Vidoop; he’s also the chair of the OpenID Foundation, and he’s, y’know,
sort of one of the champions of decentralizing identity and things like that.
I think it’s sort of interesting to think about how OpenID in some ways
creates the preconditions for Ma.gnolia going open source, by allowing people
essentially to have sort of a cargo horse on which they stack a bunch of
things — their photos, their bookmarks, and so forth. Maybe you
can — Scott — talk to us a little bit about how you see OpenID maybe as that
beginning point that… allows for this type of decentralization that Larry’s
talking about, where there are much fewer single points of failures, or at
least these concentrations that maybe are creating these pressures on the
network.
SK:
Okay! Uh, yeah, absolutely! So there’s, y’know, we’re three years into
OpenID now, and it was really funny at OSCON,
actually — and I think Chris you were on that panel with me, weren’t you?
CM:
Possibly, yeah.
SK:
Leah Culver got up…
CM:
Oh, right.
SK:
… started just dropping f-bombs about how she just thought OpenID was
dumb, she’d never use it, da da da da. And y’know, in reality, it’s… it is a
URL-based system, and that’s just… users have
not, y’know, grokked that. But I think what we’re starting to realize is the
value is proving a potential service endpoint, which means nothing to
users.
CM:
[Nor necessarily?] should it…
SK:
Right, absolutely.
CM:
For now.
SK:
… but for developers it’s extremely important. So, y’know, some of the
challenges that we’ve been facing in the OpenID community are around security
and usability. If we can make it easier for people to identify
themselves — whether with an email address or identity in the browser — then
they can get in, prove that they are some end point without having to know
what that endpoint is, and then start to put their data there. and then we
start that… that lays the groundwork for things like y’know, lower-case data
portability and the ability to, y’know, have more control over who provides
your… or manages your data.
CM:
Yeah, I’ve been thinking about these things lately, and it… it’s
interesting to reflect on what assumptions we bring to these problems,
especially around sort of, as you talked about, the developer part of the
equation, where you’re starting to think about and understanding well, if a
developer starts to tackle a problem, trying to build a new service on the
social web, what assumptions can they make today that they couldn’t make
before? And previously maybe you made an assumption that people would have an
email address before; okay, great, then you could send them a password or a
token, and they can prove received that token — that’s a way of confirming…
that’s a durable identifier, but you can’t really attach services to it. You
can’t actually look up that email address and ask it, y’know, ‘well where is
this person’s photo store’, y’know, ‘where is this…’ — there’s no directory
for that. Using URLs as identifiers sort of
helps to at least make that situation a little bit better. So I’m actually
interested in hearing from Will, ‘cause Will and I work on the DiSo project
together. How do you think the ability to use unique
URLs to identify people — which then have
services offered at the end of them — changes what you can sort of take for
granted? What are the building blocks now, that when you approach building a
new application, you’re like oh, well they probably have identity, they
probably have, y’know, some service that they’re gonna use, we’re just gonna
throw it all together and make it happen?
WN:
Yeah, right. I mean, we’ve been trying to address those exact problems of
‘how can we build that infrastructure so that you can take advantage or take
it for granted?’. And like you said, y’know, you can’t attach these services
to email addresses. Recently, I co-authored a spec — and we’re now using this
with a lot of our stuff — called ‘EAUT’, which
is e.a.u.t. It’s Email Address to URL
Transformation. It basically allows… it’s a really standard way of taking
that email address and talking to whichever email provider it is that
provides that, and say, y’know, ‘how can I turn this into a
URL that I can then go and try to find these
kinds of services on that URL?’. So y’know,
Yahoo! can host their own thing, Google and all this, and then we also have
this fallback service. But the idea is that, so, we can use an identifier
that users are familiar with, and comfortable with, and use everyday, and
they love — it’s their email address — but still be able to get these
additional kinds of things. So, y’know, when I go in to whatever it is, I can
give my email address, it can be converted into an OpenID; this application
can then go and look at my OpenID and say ‘hey, y’know, we need to publish a
bookmark, where should I do that?’ And, y’know, I could be doing that on
Ma.gnolia proper, or if, y’know, I have my own Ma.gnolia instance running,
with the new open source version, or if I’ve, y’know, maybe… maybe Vidoop,
y’know, we set up our own, for our employees, I can say y’know what, that’s
where I do mine. And so all I have to do is present my identifier, and,
y’know, magic happens, basically, and this consumer can push that bookmark
out to wherever it is that that I store them.
LH:
Right. I think it’s important, it’s like that’s another precondition we
haven’t explicitly mentioned. It’s like, we have the… we know identity
exists, and we also, with the unsung but super-important spec
XRDS Simple is really key to making that
happen, because at least for programmers, it’s like, they can go to the end
of your OpenID, and they can say ‘well, this is someone’s identity
URL’, and they can get a whole bunch of links
off of that. But they’re really meaningless until we have a way of saying
‘what do each of these links do?’, and so I think, I just… point that out as
a key piece to that, which isn’t just having the thing, but also having the
mechanism to say ‘what can we do with these different things?’.
CM:
To put that another way, it’s kind of like when you go to someone’s blog
and they have a sidebar that lists all their other profiles. What we’re
trying to do, I think — and this is sort of what this discovery protocol is
all about — is taking that list of URLs and
making them make sense to computers, essentially. So that when it sees a
Twitter icon, y’know, more or less, it’s like ‘oh, that’s a status update
service’, or ‘that’s a microblogging service, therefore I can post messages
to it, if I’m authorized to do so’. Very similarly, if you see a little
Flickr icon, or if you see a YouTube icon, those are different services that
someone might use that actually have APIs that
you can talk to. So if you can advertise those
URLs through this discovery/specifications at
the end of an OpenID identifier, that’s where the magic starts to happen. So,
what I was actually interested in hearing you two guys talk about a little
bit — and recently, y’know, you’re wearing the WordCamp shirt, and you were
at WordCamp, will, and you talked about OAuth for WordPress. and this is, I
think, very interesting, because we’re at a point where WordPress currently
does not support OAuth. Most of its transactions are done with the standard
username and password, which means that if you wanna, let’s say, blog from
your iGoogle home page, you’re gonna have to enter in your WordPress username
and password into iGoogle. Well that’s great, except when you start doing
this across the web and so on, and that’s the password anti-pattern. now on
the other side, we have Ma.gnolia, which already supports OAuth in the
platform. And I’m interested sort of in hearing you guys talk a little bit
about the pros and cons and the challenges of retrofitting OAuth and
authorization-based permissioning into a platform like WordPress, whereas
Ma.gnolia already has that — Ma.gnolia open is gonna come out supporting that
from the get-go — what does that mean for people building on these different
platforms? How does that actually improve the situation?
LH:
I think it improves the situation that enables a lot more seamless
experience for the end user that… I think combining OpenID with discovery
with something like OAuth is, y’know… this is a whole lot of hot air, so I’m
ashamed of the words that are about to leave my mouth, but the browser of the
future…
CM:
Uh-oh.
LH:
There, I did it.
?:
He did it! He did it!
LH:
… will be like…
SK:
Tshirt’s already been ordered.
LH:
The browser of the future…
CM:
dot com!
SK:
That’s right. Do we have that yet?
LH:
… when I go to save a bookmark, instead of it saving in by browser — it
will have known my OpenID already, because when I launch my browser and it’s
first setup, it says ‘what is your OpenID?’ — it will have verified that, it
will have discovered my online bookmarking service, and it will know where
that lives, and as part of that process it will have authorized access to my
bookmarking service account though OAuth, and I will have said ‘yes, this
browser allowed to post things to my bookmarking service’. And so ‘save
bookmark’, it will be seamlessly integrated to me. And that really is the
end-user benefit for all this, despite all the horrible, geeky, completely
incomprehensible nerdiness and the ongoing usability issues with OpenID,
which Ma.gnolia open has cracked open again.
CM:
Yes.
LH:
If you wanna participate in a great little thread about OpenID usability,
go to the magnolia-2-discuss group on Google.
SK:
Yeah, y’know, if there’s one thing I’ve learned over the last three years
of the OpenID stuff, is it doesn’t matter how open it is, if it’s not usable,
it’s broken. And so that means, y’know, I think usability has to come first,
and I think we have to break some things around the openness of it to get it
right first. And we’re seeing, y’know, Facebook — we were talking about this
today. Y’know, what Facebook is doing sort of, y’know, in the eyes of a lot
of folks who are very open-centric — which doesn’t really make sense, but
anyway — they see that as awful, because they…
CM:
Whoa, wait; be more specific about what Facebook’s doing.
SK:
Well, they’re embedding an <iframe>, effectively, on other sites — and
this is effectively what Google is doing as well.
CM:
That’s right, that’s right.
SK:
And, y’know, that’s all well and good for the sites themselves — they
don’t actually get the access to the user information — but, they can get
more people and pageviews, which could be really important to them. but from
an open perspective, it’s not that open, to be able to do that. And… what’s
the other thing I was gonna say? God, this coffee really does — oh my god!
sorry.
LH:
These guys bought you Blue Bbottle before?
WN?
Sponsored by Blue Bottle…
LH:
I am writing without Blue Bottle here.
CM:
It’s a plug for the [something]. Oh my god.
SK:
It’s good stuff.
LH:
But, so I mean… so I think we were getting… we were also talking about the
whole convergence to this stuff, and what’s, like, what’s… the work you’re
doing with WordPress, and like, where’s… do you see that headed in a similar
direction? Is WordPress thinking about this?
WN:
In a similar direction as..?
LH:
As sort of, like, end-to-end integration…
CM:
Well the interesting thing is that Weave — which is a Mozilla
Labs project — is kind of in that direction, where it actually does kind of
what you described, Larry, in allowing you to kind of sign in with some
accounts, through OAuth actually authorize the browser to both publish your
bookmarks and download ones that you’ve already saved — very much like a
MobileMe for the rest of us, in a sense, for those of us who are not gonna
pay Apple or whatever to do so. And all of… the entire sort of service stack
of MobileMe could be more or less built on open technologies. It’s
interesting, though, to think about what it would mean for someone like
WordPress, or even someone like Drupals of the world and so on to really
embrace some of these technologies, and to look at the opportunity that the
browser, y’know, deep browser integration and web service access and offline
storage, to some degree, would offer. And so I guess the question for Will is
sort of around, y’know, what would OAuth mean to the WordPress platform? How
would that accelerate the development of things, how might that make
WordPress a different type of integral platform for publishing all sorts of
different services on the web, perhaps?
WN:
Well I guess, I mean… the most immediate use case, I think, that we’re
gonna see with getting OAuth into WordPress is just allowing whatever service
it is to publish to WordPress without needing the user’s credentials. So,
this could be something like the WordPress iPhone app, this could be
MarsEdit, it could be… Flickr already has a way where you can push your
photos directly from Flickr into your WordPress blog…
CM:
Well Ma.gnolia 2 actually offers publishing your bookmarks to your
blog.
WN:
Oh, does it?
CM:
But right now, I believe, you have to take… it’s the password
anti-pattern.
LH:
Yeah. It’s the password… nobody… yeah. The major blogging platforms except
for Blogger — which we don’t support because they don’t use the MetaWeblog
API — use OAuth authentication. And I
mean, that’s great for Google [something].
CM:
And Movable Type is going to be supporting OAuth in the next release, I
believe.
SK:
It’s already out.
LH:
It’s already out.
SK:
The libraries are there, they’re in the core release… four, two, whatever
it is.
CM:
But still, we’re still at a point where we need that deeper integration,
but…
SK:
Well, yeah, and just kinda playing off that a little more is that a lot of
people that I’ve seen are using WordPress as kinda more of a persistent
storage of their social objects. Y’know, with Ma.gnolia, y’know, you have…
there’s things going on with Ma.gnolia, but, y’know, Ma.gnolia might go away
tomorrow, or I might wanna move to some other platform, so I wanna have a
copy within my own control. So, y’know, I do a nightly pull or push or
whatever to my blog. People do that with their Twitters — er, their tweets,
y’know, they’ll do a day’s worth of tweets as a blog post.
?:
My tweets are very important.
SK:
Well yeah, absolutely, that’s how people feel. And whatever that…
LH:
Live coverage of the Olympics…
?:
[something] my addiction.
SK:
So yeah, I mean… just simply using WordPress as kind of a persistent
storage of these objects that are within the individual user’s control. And
in order to make all that stuff happen in a secure way, yeah, absolutely,
you’re gonna need a secure mechanism for pushing that in, and that’s gonna be
OAuth at some point, once we get that built.
CM:
And I think… well I dunno, we probably should wrap up pretty soon…
LH:
I think we’re heading towards that.
CM:
Yeah, well… so I guess actually we could close on some final thoughts,
since this has sorta been a whirlwind discussion… and there’s much more,
obviously, we could talk about. What it sounds like you’re talking about — I
really like the way you framed it in terms of kind of your store for social
objects, your generic store, is that increasingly we’re gonna have specific
tools that do a good job at storing different types of social objects and
providing metadata around those objects. So we’ll have Ma.gnolia, the
Ma.gnolia bookmarks is like the WordPress of bookmarks in a sense, so you
might use your self-hosted WordPress — I’m sorry, Ma.gnolia install — to host
bookmarking-type things, which have certain screenshots of the webpages,
maybe some tags, so on and so forth…
LH:
And have access to all that’s going on out there.
CM:
Right. And maybe you’ll also be able to push those bookmarks out, and also
pull things in via that type of channel, because again, that channel is
designed specifically for those types of objects. Then you have your Flickr,
which might be a better photosharing application, or maybe you wanna use
Facebook to view photos. I mean, who knows. Whatever the case is, moving
these objects around into different web applications seems to be where this
is gonna go, and being able to push the data around fairly [in a] fairly
straightforward way using OAuth to control sort of who has access to
read/write, that’s important, and then coming up with the standard protocols
so that each endpoint kind of understands what kind of data is being pushed
around is also a matter of import, I think, as well. So it’s really
interesting to think about how we can actually move to real cloud computing
using these types of protocols. So that was a longer closing from me, so what
do you think?
SK:
Yeah, I think… I think as we move closer and closer to having… putting
users in control of their data — and I actually really like that term
‘social objects’ — because to me social networking actually isn’t something
you do on the internet, it’s just a feature? And especially when you apply
it to things like bookmarking services or photosharing sites, I wanna be able
to bring my social network along with me. It should just be a foregone
conclusion. And so to me, the work that we’ve all been doing has been headed
in the direction. And, y’know… good stuff.
WN:
Yeah, me too. Plus one. Plus one!
SK:
Plus one for me.
LH:
I think for me, it’s like, what we’re gonna be seeing next, since — is
that mandatory, do you have to close with ‘what’s next’?
CM:
No.
SK:
Absolutely!
LH:
But I’m gonna do it. What we’re gonna be seeing next is — and Ma.gnolia
isn’t the first — but we’re gonnna be seeing these kind[s] of services
becoming more decentralized, which means… which means creating another
problem. But the ‘more decentralized’ means more reliability, more control,
more adaptability to individuals’ needs. But that removes a lot of social
functionality, removes a lot of community, removes a lot of interaction. So
we’re gonna be seeing that problem solved. We already know how to
decentralize; we do it with blogs. It’s there. But we’re gonna be seeing the
federation problem being solved over the next few months. And we’re gonna see
how we can bring those together in more of a ‘small pieces’ type solution
[something] social network.
SK:
We’re gonna solve the problem in six months?
LH:
Yeah. Yeah.
SK:
All right, let’s go.
CM:
We’ll be there.
LH:
High five.
?:
Yeah!
CM:
So just one more plug for… it’s Ma.gnolia.org is where you’re
gonna find this stuff, and it’s ma-dot-gnolia-dot-org, that’s where you can
find out more about the announcement, the m2 — as it’s being
called — charter, and…
LH:
And the Google group.
CM:
Yeah.
LH:
Come and join and contribute to the discussion.
CM:
There you go.
