Interviewee: Jeroen van Meeuwen

In this interview we talk with Jeroen. In specific, we talk about:

• Getting involved in Fedora–identifying opportunities
• The essential identity of Fedora among it peers
• The relationship between Fedora and Red Hat Enterprise Linux
• The relationship between user adoption and Fedora’s development goals
• New technologies as the driving force behind Fedora’s development

Sean Campbell: To get us started, could you please tell us a bit about yourself and your relationship to Fedora?

Jeroen: Sure. I regard the Fedora project as one of the most innovative Linux distributions. I started using Linux on a workstation about ten years ago–just hacking around to learn how stuff works–and it wasn’t until 2005 or so that I started making actual contributions back.

And now, just a few years later, I am Fedora project ambassador, which means that I have a great position from which to get the message out and talk to people. I am the Vice President of Fedora EMEA, which is a non-profit organization to aid the Fedora project in getting resources, mostly from third-party corporate organizations.

I also develop some applications; one of the most visible ones is Revisor, which is a distribution composer. I have various positions within the Fedora project to coordinate people’s efforts, in order to get things done effectively.

The Fedora project is one of the most amazing challenges I could ever wish for. The community is so open that if you are new to the community and you want to get something done, you just stand up and shout what you are doing, and everyone else will accept that, and they’ll help you get involved and started in making contributions.

Like any free and open source software project, contributors can get lost in getting stuff done, getting involved, and innovating things. That makes for a huge challenge that I find very, very interesting, and that’s how I got involved–that was my big motivation.

Sean: In the last several months, everyone’s retirement account is kind of melting down, although if you take the long view, it should all work out eventually. In times like these where layoffs are a fact of life, do you see that as an opportunity for people to dedicate more of their energy toward contributing to an open source project?

Jeroen: Obviously, getting laid off is very stressful, but it could create that opportunity to contribute back, as well. Speaking for myself, I make a very good living being a senior system engineer, preferably Linux, but I do a little Microsoft and Cisco as well.

Right now, I get a couple of hours a week to invest in whatever I want to do with free and open source software. That might be to promote Fedora at an event, prepare a presentation, or do this interview, for example. I make a very decent living doing what I do, and part of that is the Fedora project.

Whatever your circumstances, I think it is a huge opportunity for everyone who has an interest to continue developing themselves and making sure that they excel in a very unique sense, in the public domain. At any rate, that approach works very well for me, and it has built me a nice CV.

Sean: What motivated you to pick the part of Fedora that you started working on? How does somebody from the outside identify a niche in such a large project?

It seems like cruising the mailing list, looking at the documentation, and downloading the software would get you familiar with the project as a whole, but it might take another step to find a place to apply yourself to development, even after you have decided that you want to get involved.

Some projects have an easier roadmap than others; CentOS says the way to get involved is essentially to show competence. That’s a useful, short answer, but it’s still not a roadmap. What led you to wake up one morning and get involved, and how did you decide on the first step?

Jeroen: For me, it all started with not agreeing with what was happening. I think it was in the Fedora Core 3 timeframe, and I took issue with the way I had to download Fedora. You got a large ISO, and if you downloaded it two or three months after the release, you had to download another 700 megs of updates.

I was looking for some kind of slip-streamed ISO image I could download, so all the updates would have been incorporated in it. I found a sort of sub-project of Fedora that was doing work in that area, Fedora Unity, and they were having problems doing their composes–slip streaming the updates and stuff like that. That was something I decided to sink my teeth in, and that’s were it started.

Scott Swigart: Every distro has a unique ethos and notion of what they feel like their mission is. What do you think makes Fedora Fedora?

Jeroen: We have not even yet released Fedora 10, and like six weeks before the release, we were already planning Fedora 11. We were already able to build Fedora 11 with all kinds of new packages that would have otherwise broken Fedora 10 in many, many ways. But, we created the opportunity for people to get those packages built anyway and commit them to the Fedora 11 branches.

That is kind of what defines Fedora–we always look forward and lead. We focus very strongly on future development, and having Fedora 11 packages being built before Fedora 10 is released is a perfect example.

Scott: Talk about the relationship between Fedora and the upstream projects. Are there certain projects that are most important to Fedora, or how does that work?

Jeroen: One of the big, essential differences between Fedora and other distributions is that we’d rather gain one contributor than a dozen users. In fact, if I could lose 1000 users right now and gain a contributor, I’d do it. It’s not up to me, but if it were, I’d do it.

And that one contributor is gently forced to put whatever he or she contributes upstream. That’s the only way it works–you cannot ship patches to alter whatever GNOME does on your desktop or my desktop without pushing that patch upstream. And if it isn’t accepted upstream, it will not land in Fedora.

We don’t have ways to track what patch is in Fedora and is not upstream, but since we have groups of maintainers doing a single package, every maintainer is checked by the others.

Our policy is to push everything upstream and fix stuff upstream, so Fedora does no work other than making upstream contributions, aside from building a few nice ISOs every six months and building and maintaining the infrastructure to test, develop and distribute to get the software and the releases to whoever is using Fedora.

Scott: That is different than Ubuntu and a lot of other distributions that are more focused on users and making the easiest user experience, which leads them to carrying their own patches and things like that.

Would you say that’s a fair assessment of what makes Fedora different? Not to call Ubuntu out specifically, but does that ring true that other distributions are sort of focused on the experience, whereas you are really focused on the code in the upstream projects?

Jeroen: It is. We aggregate the best of free and open source software and make it work in a general Linux distribution, whether that is Ubuntu or Red Hat or Fedora. We adopt it in an early development stage, if we think it is the next generation.

SELinux is a perfect example–we had it in Fedora Core 2. I have not spoken to a single person who had it enabled in Fedora Core 2, but we shipped it anyway. Since then, we’ve made it into an enterprise product. Everyone wants SELinux, and I think that is one of the most eye-catching technologies that we’ve adopted so far. Now it’s sort of mature, and it has the utilities and the GUI notifications and stuff like that.

To return to the original topic, our approach is very different from other distributions, which basically consume upstream, and when things go wrong, they may or may not send a patch back upstream.

Scott: Talk a little bit about the relationship between Fedora and Red Hat Enterprise Linux.

Jeroen: Red Hat Enterprise Linux could be regarded as a long-term supported, commercially available, hardened Fedora distribution. By hardened, I mean that it takes a lot of people a lot of months to certify a Red Hat Enterprise Linux product on various types of hardware and for various types of applications and to do the necessary amount of QA before it gets out to enterprise customers.

Fundamentally, RHEL is driven by making sure that the support lines at Red Hat don’t have to ring any more than necessary. As I said, Fedora, on the other hand, is very much focused on development, and we do what we think is right. We move fast, we apply fast paced changes, we release early, and we release often, with no regard to whatever is our downstream distribution.

To take RHEL as one example, we do not care at which point in a Fedora release, or in a number of Fedora releases, Red Hat decides to distill whatever packages they want to put in an enterprise Linux distribution, because that is their independent decision.

I think that Red Hat sees it the exact same way, but from the opposite perspective. They let us do what we do best and support us in doing so, so that future versions of RHEL will have those innovative technologies and a number of extra features when they ship.

They also invest a lot of time in issues that no volunteer outside of Red Hat would have picked up. A good example would be Cobbler, which is a PXE provisioning framework that Red Hat customers found lacking in Linux. Red Hat Emerging Technologies has picked that up, and Michael DeHaan has been doing a great job at it.

Right now, we have a brilliant open source software alternative for provisioning. It’s Free Software, and it’s in Fedora and the Fedora Project’s Extra Packages for Enterprise Linux. Maybe it will be in Red Hat Enterprise Linux 6, because it’s one of the most requested features–deployment utilities, but I don’t know.

Scott: You said that if something is not in the upstream project, it’s not in Fedora. Red Hat obviously has a different kind of customer base and set of requirements than Fedora.

Is it your impression that Red Hat carries some of its own patches to some of the projects, if it feels customers need them but it isn’t able to get them upstream in time for one of their enterprise releases?

Jeroen: There is almost no such thing as them not being able to get it upstream in time, because Fedora has already done that work for them. Fedora 10, for example, will just work, and all they need to do is harden it.

But then again, those patches go upstream and may run in Fedora Rawhide, which is where you can test patches and fixes while they are being reviewed by the upstream folks. Rawhide is incredibly fast paced and fast changing.

There are a number of people with their workstations running Rawhide, and they complain every time it doesn’t boot. I’ve had issues with the Alt-TAB key combination that made me eventually disable it. That’s when you notice how addicted you are to using Alt-TAB, but otherwise, I couldn’t get any work done. That stuff will happen.

When new users have questions about that “Rawhide” thing they hear about every so often, we often tell them it’s the latest and greatest and as such, it will break. The actual words we then use are, “Rawhide eats babies…for breakfast”.

Sean: I thought your remark was fascinating when you said that you would rather get one contributor than 1000 users. At the same time, for Linux to be “successful,” someone has to have a user base, whether it’s Fedora or somebody else.

Ubuntu supposedly has eight million users and Fedora has somewhere between nine and 13, depending on how people were counting it, based on some recent stuff I saw.

Does Linux have an inherent challenge in the sense of being a collection of trains running roughly at the same time on roughly parallel tracks, in terms of the sub projects? From a user perspective, they want to buy/acquire/download a thing. In commercial terms, you’d call that productizing it.

To you, is RHEL essentially that vector that productizes what you do and puts a nice logo sticker on it? Of course, oddly enough, RHEL has CentOS on the other side of the continuum that de-productizes RHEL, which is really funny, if you think about it.

Is your perspective that you’d rather make the contribution and let somebody else deal with the problem of trying to deal with the user base?

Jeroen: Are you referring to the extensive marketing that Ubuntu does, in terms of getting it on grandma’s laptop and stuff like that?

Sean: Right–Ubuntu almost fuzzes the distinction between sub-projects, from an end user’s perspective. Dell ads say, “Buy a Dell Mini with Ubuntu.” It doesn’t say “with this version of GNOME and this version of OpenOffice.”

It’s similar to the fact that Windows marketing doesn’t talk about what version of Volume Shadow Copy is installed. But still, the strength of Linux is all of those contributors being recognized and not neglecting to contribute upstream.

From your perspective, it seems that you don’t really feel you have that problem, because Red Hat handles that process for you.

Jeroen: In the area of exposure, marketing, and getting Linux on grandma’s laptop, Fedora is entirely different than most other distributions. For one thing, there’s a new release every six months, and Grandma doesn’t want to upgrade that often.

One way to look at it is that Fedora prefers to be an engineering release. We have very short release cycles and very short development cycles. There are weeks before freezes when you don’t sleep more than four hours a night in order to get your stuff done on time.

That approach is key to making the Fedora project what it is. We focus on development even if our most recent version isn’t yet released, like I described in the bit about Fedora 11 being developed six weeks before Fedora 10 is out the door.

Occasionally, discussions arise within Fedora where people say we need to create a long term support version of Fedora, but that would divert us from our development focus. If I support something that is more than a year old, one could say that I am wasting my time.

For me, long term support is in opposition to what Fedora is trying to accomplish, and it would lead us to lose the people that say development does it for them.

Sean: If you landed a Linux distribution on grandma’s laptop 18 or 24 months ago, WPA2 wouldn’t have worked, wireless would have been clunky, and certain new wireless chips from Intel wouldn’t have worked. There were workarounds and patches, but Grandma wouldn’t have been pleased.

You guys put all this stuff into a network manager that most of the distributions have picked up, and now even a webcam works right out of the box. That doesn’t really map to the fact that lots of people are saying that there’s really no great demand or market for a Linux desktop.

Then I look at what’s on the roadmap again, and I see that you are tackling multiple monitor support. I personally love the idea, as I struggle with my 24″ Samsung, but what insight can you give about the value of moving those rocks?

These issues don’t really seem related to RHEL on the server side, and you have also said that you’re not trying to target the desktop. If people were asked for a show of hands, they’d probably say well that’s what Ubuntu is trying to do. What’s the motivation behind addressing those issues?

Jeroen: Even though our main focus is not to expand our user base, that doesn’t mean we don’t do work that mostly benefits users, including stuff that may wind up on Grandma’s laptop. [laughs]

The motivation for work like that is mostly the technical challenge associated with it. I did another thing for remixes, which was a Core 7 feature, and for me the motivation was quite the same. I learned a lot while doing it, and I found it very rewarding to have other people talk about it and use it.

If you do anything within a certain distribution and it only ends up in your distribution, the reward is a lot smaller than when it spans over all Linux distributions, such as the work of Network Manager, which is awesome. You’re going to see PolicyKit, ConsoleKit, PackageKit, from a lot of people that are involved with Fedora and other distributions as well.

Those are all new technologies that would make desktop life easier. My original point was how we don’t really focus on expanding the Linux user base. We very much more like to do the work that enhances the computing experience, whether it’s for the desktop, the server, or both.

Scott: This conversation has really opened my eyes about how Fedora approaches things. To summarize that, it seems that the goal is to identify promising open source projects to be included in Fedora, which raises the visibility of those projects and encourages the people working on them to work even harder, because they want their work to be included in a release.

It also seems like the short release cycles help to fuel innovation, since people want it in the next release, and so they work very hard at it. Fedora seems really to be about driving hundreds of individual open source projects to be better and to integrate and work together.

Jeroen: To put it in one phrase, you could say that Fedora is a snapshot of the best of free and open source software, and what is next. The goal is not to provide the best in the sense of what’s most mature, but to provide a sneak preview of new technologies.

Scott: That means things that are on the right track can show up in Fedora quite a while before a lot of other distros.

Jeroen: True–one of those things was PulseAudio in Fedora 8. We adopted and shipped it, and we got a lot of users complaining about their sound not working, which resulted in a lot of bugs getting logged and fixed.

That helped PulseAudio get ready to go over the entire spectrum of most distributions, and that’s what we like to do.

Sean: We’re getting close to the end of our time. Is there something else you wanted to touch on, or any closing thoughts?

Jeroen: Red Hat has been a major contributor to OLPC software development, and that desktop environment is now available in Fedora as well. So, if you want to turn your laptop into an OLPC, you can sort of render your keyboard useless …

[laughter]

Jeroen: There are only icons. A child can work with it, even if the most technical, intelligent people will need to click everything and break everything before they know how to work with it.

I’m amazed by the interface, and it is one cool feature in Fedora 10 you want to try–the OLPC desktop. It’s called Sugar desktop in Fedora.

Scott: I’ve actually got one of those things that my five year old loves.

Jeroen: Have you tried to use it yourself?

Scott: Yeah, and it’s like you said–I don’t really get quite as much out of it as she does, but she’ll just explore and explore and explore the thing. It gives that sort of “it’s safe to just push something and see what it does” kind of experience.

Sean: Well, thanks for taking the time to have this call today.

Jeroen: Thank you.

Bookmark this:

Interviewees: Brian and Larry, and Michael.

In this interview we talk with Brian, Larry, and Michael. In specific, we talk about:

• OpenID’s offerings for decentralized online identity management
• Securing online identity: technology and beyond
• Aggregating identity information for multiple resources
• Spurring adoption by developers, service providers, and web sites
• Responding to objections about centralized identity management
• Closed source versus open source credibility
• The future of online identity management

Sean Campbell: To get us started, could each of you introduce yourself and tell us about your current role as it relates to OpenID and JanRain?

Larry Drebes: I am in engineering, and these days, I spend most of my day thinking about our software and how it relates to the market needs.

I was one of the co-founders of Four11, which produced a product called RocketMail, the underlying platform for what became Yahoo! Mail. Yahoo! bought RocketMail back in 1997, shortly after Microsoft bought Hotmail.

After that, I co-founded a company called Desktop.com, which was earlier than Google Docs, but similar in concept. Most of my background is with large-scale software, in software as a service deployments.

Mike Graves: I’m the CTO. I’ve been here a little over a year; I was previously at VeriSign, where I was CTO of one of their two divisions. I arrived at VeriSign in 2000 as the founder of a dot-com-era startup company called Signio. It became the merchant-payment processing system for VeriSign until they sold to eBay last year.

I took a little time off and came back to VeriSign to help lead the charge into new markets where I first became familiar with OpenID, and eventually ended up here at JanRain where we’re exclusively focusing on OpenID.

Brian Kissel: I’m Brian Kissel, the CEO. I joined the company in January of this year at the point when the team felt like OpenID was really starting to reach an inflection point of market adoption. The OpenID V2.0 specification had been recently finalized, large corporate sponsors like IBM, Google, Microsoft, Yahoo, and Verisign were announcing their support, website adoption growth was accelerating, etc.

We wanted to take advantage of the extensive development work that the team here had accomplished over the last couple of years in creating next generation platforms and technologies for user-centric identity and authentication management via OpenID.

Scott Swigart: Thanks. Give us a little bit of a description of OpenID, and what you as a company do around the technology.

Brian: OpenID is the equivalent of single sign-on that you would get inside an enterprise. If you log in at the beginning of the day via Exchange or something like that, there’s an abstraction layer that also logs you into backend systems like CRM, ERP, HR, Accounting, and so forth. You only have to log in once.

You may be familiar with Microsoft’s Passport and InfoCard technologies, which is the idea that you have one user name and password that you can use on any enabled web site.

That’s really the same concept behind OpenID–it’s for users on the open Internet to have just one or a few identities that they can use to access all web sites that are OpenID-enabled.

Scott: And in terms of your company, what are some of the things that you do around OpenID?

Brian: Our goal is to be the platform provider of choice for OpenID implementations, for the end user, the OpenID provider, and the web sites that are accepting OpenIDs for registration and login.

In OpenID parlance, there are two kinds of contributors to the OpenID ecosystem that benefit the end user. One type is called the relying parties (RPs), which are web sites that accept OpenID for authentication. The other type is the OpenID providers (OPs), which are organizations that issue OpenIDs to consumers, employees, or members to use on the web sites.

We have a property called MyOpenID.com, which is a hosted ASP service where you can come and get an OpenID. We also offer services to web site operators to enable their web sites for OpenID and to create better, more intuitive login user experiences.

And then we have solutions that we offer to OpenID providers who want to issue OpenIDs to their employees, their partners, or their customers with their own brand.

Scott: Obviously, people who are building sites that may accept OpenID are using a variety of technologies. What kinds of technologies do you support, in terms of the components that you provide and things like that?

Brian: There are open source OpenID libraries for about eight different platforms out there, including four or five major platforms.

Larry: We currently support three of those; we used to support six. Very early in the design process, we created open source reference implementations in a variety of languages. For OpenID V1, we wrote Ruby, Perl, Python, PHP, Java, and C# libraries, all with a common API, and tried to seed the market to get OpenID into the hands of developers.

Since that stage, we’ve brought a lot of companies into the fold, and it’s no longer necessary for us to support some of the more niche platforms. Right now, we provide open source libraries for OpenID V2 in Ruby, Python, and PHP.

OpenID fits together between the end user, the provider (which is often us), and the web sites through common web protocols.

Scott: As you mentioned, the idea behind OpenID is similar to what Microsoft was trying to accomplish with Passport. What are the advantages of OpenID versus a Passport implementation?

Mike: The crucial factor is that there are a lot of technical things inside of Passport that are very nice architecturally, but politically and socially, it’s just not an option.

The ecosystem will resist any company owning that space in that way, no matter how good the technology is. No one wants to be locked into a silo at that level of the stack.

One extremely valuable thing that OpenID offers is its decentralized nature. The trust and provider infrastructures are decentralized, so anyone can spin up their own OpenID server.

That doesn’t mean they have to be trusted or that anybody is going to trust them. But the trust circles and trust relationships arise organically out of that, meaning that if you use OpenID, you have portability and the ability to avoid lock-in. You can move to another provider using the same technology, and let them compete against each other in terms of serving the user.

That’s not the only difference, but it’s crucial that no one owns this, and the turf is not proprietary at the lowest level.

Scott: So since there are a variety of OpenID providers, people develop trust in specific ones, and the providers work to build their reputations.

Mike: Right. A lot of factors go into the decision of which provider you want to go with, and those factors can change over time. With OpenID, however you decide, you’re not tied into that provider.

With OpenID, if you read a headline that gets you concerned that your data is being disseminated somehow that you don’t approve of, or violates the EULA as you read it, etc., you have more options.

That doesn’t mean that it’s not a headache, but the architecture of the system is such that you can migrate to a new provider that abides by the policies or values that you demand in that relationship.

Sean: Would you say that what you are trying to do by federating identity is somewhat similar to the experience somebody gets when they can look at Debian versus Ubuntu?

That is, Ubuntu is Debian with some chrome and obvious other technical differences, but they come from the same lineage, and if I don’t like what Ubuntu is doing, I can go back to Debian, or CentOS, or elsewhere. Do you feel like OpenID shares some philosophical relationships to that approach?

Mike: Yeah. We understand that it gets away from the end-user retail-consumer mentality, but at its core, that ethos is very much the same as what drives the open source philosophy of OSs.

Linux is a very good analogy to use, because for instance, even if there are things you don’t like in a Debian architecture, many users can’t help themselves, but it’s always available. If you really need to change things, you have a path if you want to marshal the resources and effort to change and accommodate your interests, even on your own.

OpenID is similar, in the sense that it’s a roll-your-own architecture. If you’re sufficiently motivated and equipped, you can roll your own to provide biometrics support, or requirements for attribute exchanges that are very stringent or that otherwise meet your needs. And you aren’t beholden to anybody’s particular implementation.

Sean: What do you think the natural evolution of OpenID is down toward the desktop? Do you see people eventually weaving it into desktop scenarios to secure data in home and business settings, or do you think it’s predominately going to stay with service providers and data storage that you access in the cloud?

Mike: My personal view is that part of OpenID’s value is that it’s fairly narrowly cloud centric, and that’s the way it should be, even long term. There are lots of great existing desktop identity management and security solutions. OpenID’s primary design intent was for open Internet identity and access control.

We see OpenID as part of a mosaic or a stack that provides user-centric identity and the security and privacy around that, but I don’t think OpenID has the charter to try and reach from the cloud into the desktop.

We want to tailor things into a modular concept, where OpenID meets its goals very well and in a very lightweight, flexible way, and it defers to other tools that can be plugged in and out, depending on the context, to work with it.

I think it’s far beyond what OpenID needs to address in terms of desktop integration, because as you said, the Linux desktop is going to have a different set of tools than the Microsoft one. As you know, InfoCard is actually a pretty nice solution in this area, but it’s Microsoft-centric. And despite the difficulties of getting beyond Microsoft on the desktop, that’s going to be a sweet spot for the long term.

Sean: Let me ask you a question in a different area. How do you address the man in the middle question? Obviously, it’s a tough potential problem for any identity system, even if it depends on factors that are very hard to spoof, like biometric data.

Larry: As you know, there are general security issues with the web, and to some extent, the world has survived with those security issues. For instance, if I’ve been phished and I think I’m on Amazon but I’m not really on Amazon, bad things could happen.

Certainly, OpenID is living within the web framework, and we can’t do anything to remove existing global security issues, but we can add additional features onto the normal intercourse of the web that provide additional protection.

With our product, we’ve added security measures as options for the user. For instance, the user can use a client side cert.

We have an out-of-band, second-factor authentication solution,”Called VerifID,” which actually uses your cell phone in conjunction with a password to verify your identity. Every time you input your password, you get a phone call at that number, and you must hit a number on the keypad in order to continue.

We also allow InfoCard to be used, which is a sample-based public key encryption protocol. So all those options can provide additional layers of protection. Of course, we have to strike a balance between inconveniencing the user and securing their web transactions.

This is really the same story everyone can tell you–Amazon is making the tradeoff of just using a password versus a more secure option, which might cause more friction against people filling up their carts and checking out.

We are participating with other members of the community, since it’s not at all a unique problem to us, and we’re giving users tools so that they can secure their identity themselves, if they choose to.

Mike: A lot of this is anthropology, as you know. We have to be realistic about how much of this technology actually can solve. There are social relationships and social trust issues that play a major role. I worked at VeriSign for a long time, and they’re heavy into the mediating technology for trust relationships.

But even for a big, badass security company like that, they understand that, at some point, it happens above the technology layer. That being said, it doesn’t mean we’re not cognizant of it, but because we’re cognizant of it, we know that that’s not something that can be solved with just bits.

Scott: Another topic that tends to come up a lot when we discuss identity management is that there are a couple of choices about aggregating that information, and they both have issues associated with them. One option is to have a different password for every single place you go, and nobody really likes that. On the other hand, there’s obvious danger to having one password for everything–if it gets compromised, that’s really bad.

But as I understand it, I can have more than one OpenID, so I might have different identities for different purposes.

Brian: You may have one or you may have many. It’s up to you, and you’ll have different reasons why you’re using different identities, whether it’s a work identity, or a home identity, or an affinity group identity with your college, or some other interest area that you have. It could be an AARP identity. It could be an American Express identity.

The tradeoff with one or a few identities is that you can be a lot more vigilant and mindful of how you manage your identity. You may have 50 different username password combos out there on the open Internet, and most people do something which is called password reuse.

Your password is only as secure as the weakest place it’s used on the Internet, and if it gets phished at Billy Bob’s Phish and Tackle Shop, then it’s compromised, and it’s good anywhere else you’ve reused that password.

On the other hand, in the OpenID model you only share your password once, and that’s with your OpenID provider. And you can make sure that you trust that your OpenID provider is doing infrastructural things to protect it, and that you’re creating and managing strong passwords.

You can be reminded to reset your password with a given frequency, and you can be encouraged to implement multifactor authentication protocols–whether that’s an SSL certificate, an InfoCard, anti phishing site verification tools, out of band authentication with cell phones, or an RSA token. With this approach, you get to choose how much security you’re willing to layer on top of your authentication process, to balance between convenience and security.

That’s what it will always boil down to. Unless every device and every opportunity uses biometrics, and it’s your retinal scan or your thumbprint scan on every device where you would ever authenticate, then there’s going to be some inconvenience to you to do something more than username and password.

Actually, though, it turns out that if you have a good relationship with your OpenID provider, you get very easy login on any OpenID-enabled site – single click with no text entry required in many cases. You maintain a very trust-driven relationship with your OpenID provider, and that OpenID provider can manage all that infrastructure across one account as opposed to many.

If every web site had to implement the same multiple layers of protection for your identity that an OpenID provider did, I would posit that the whole ecosystem would not adopt the same level. But if you have a handful of OpenID providers who are really focused on managing your identity and providing multiple layers of protection, then you’re more likely to have a more secure experience.

Sean: What about the challenges of educating developers? Some technologies are just flat out sexier than others. That’s nothing against anybody in particular, but Scott and I have had the experience of educating people about some pretty dry stuff, and we appreciate how difficult it can be to engage people on it.

What do you do to evangelize to the broader open and closed source development communities about the importance of identity?

What are you trying to bring to market to make it easier for them? I have to imagine that, on one hand, everybody understands it’s important, but on the other hand, it might not be the thing that they want to pay as much attention to right out of the gate.

Brian: The OpenID Foundation along with the member companies are doing outreach and education on the features and benefits of OpenID. We run a web site called OpenIDEnabled.com that hosts resources for the development community. Additionally, we provide tools like ID Selector (www.idselector.com) to enable website operators to adopt and deploy “best demonstrated practice” implementations of OpenID login. We’re also working on white papers for OpenID providers, web site operators, and end users on how to get the most out of OpenID.

In addition to outreach and education to the development community, we’re providing more “turn key” solutions for OpenID providers, website operators, and end users. Just like Sugar CRM, VA Linux, RedHat, MySQL and other open source initiatives, you can get the open source libraries or you can get professionally managed services using the technology. We provide the widest range of innovative, fully featured solutions on the market.

Scott: Where are you seeing OpenID being most widely adopted? Who do you see as being the early adopters, and maybe the second wave of adoption? Who’s using it?

Larry: At the user-created points of the web, like blogs and wikis, it’s gaining tremendous ground and is actually a sort of thought leadership. It’s the right way to do things, and it’s thought of as very cool in lots of circles.

Beyond what you might call the technical early adopter part of the web, if you will, you have large players like Yahoo!, Microsoft, AOL, Google, MySpace, and VeriSign all coming out in support of OpenID. So really, the adoption is expanding. So the top end of the market has already either announced support or delivered production support.

It’s that middle of the Web that our eyes are really on, at this point, and it’s a large middle. That’s where future adoption is going to come from.

Scott: What do adopters point to as being advantages of the technology, to validate their decision to go that way?

Brian: As Larry mentioned, the early adopters have been either the large portals or the user generated content sites, like blogs, discussion groups, wiki’s, social networks, and sites like that, where the primary objective is to get registered users on their site as frictionlessly and as quickly as possible.

If users can show up at a site with an identity that they can sign in with, it’s much more likely that they’re going to become active participants. The big benefit to website operators is that the more people they have active on their sites, the better they can do with personalization, advertising, promotion, and cross selling. Also, for sites that sell advertising, they can get higher CPMs for profiled users than generic site visitors.

So the first measure of success is probably the conversion rate from “site visitors” to “registered users,” followed by the activity level on the site.

Back to your earlier question, I think that the next categories we will likely see come online will be content sites other than user generated content sites. They’ll be media properties, like newspapers, radio stations, TV stations, magazine sites, sports sites, gaming sites, and some affinity groups–organizations where they don’t control the members, so they can’t manage single sign on from an enterprise perspective, but they have members where they do want to provide access.

Alumni associations, community organizations, little league teams, AARP, Boy Scouts, and organizations like that are not necessarily transacting business, and they’re not asking for credit card numbers, but they do want to have registered users.

Another category would be all the customer supported sales and customer self help resources on product web sites, where they have blogs, discussion groups, or wikis to allow people to ask and answer questions and help each other.

If you go to one of those sites and you have to register to participate, and you’ve already got 50 user names and passwords, the likelihood you’re going to participate is lower than if it would accept an OpenID that you already have.

That’s the primary initial benefit for the web site operator–ease of registration and login, and ease of registration is important as well from the standpoint of being quick and error free.

OpenID has with it the ability to transfer personal data at the user’s discretion. Right now in simple registration, there are 10 demographic data fields, but it’s extensible (and we think longer term it will go that way) with a component of OpenID, which is called Attribute Exchange where you can share as many data attributes as you’re willing to publish about yourself. And you can share that information with a web site at registration.

So instead of having to fill out all those data fields, you just pass them to the web site operator in a machine readable format and pre-populate your application. As OpenID evolves, we’re going to get to the point where we’re going to get single-click login.

And that’s something our solutions actually support, so when you show up at a web site, you don’t even have to type in anything. It just remembers who you are, you click to authenticate, and it goes back to your OpenID provider to authenticate you seamlessly, and it comes back and logs you into the web site. So from a user’s perspective, the ability to register quickly and login easily is important.

Longer term, managing that data is going to be important. If you changed your phone number or email address and you had to go back to 50 different web sites and update your web site profile with that information, it would be a very tedious process.

If you have one digital identity, or maybe a handful that remember what sites are using that identity, and you can choose to pass that updated information to the site, that’s a benefit to you, and it’s a benefit to the site operator.

Scott: What are some of the misconceptions or common objections that you run into when you’re talking to people about using OpenID?

Brian: It tends to fall into one of three buckets.

The first is that they don’t know whether their customers want it or need it. The second is that they wonder how long and how much effort it’s going to take them to implement. And the third is that they want to know who among their peers and competitors are using it, because they may not want to be first, and they have to consider how this ranks among their other priorities.

We’re actually trying to systematically address each of those concerns with products and services that we’re offering to make it easier (a) for web sites to implement OpenID, (b) for them to be aware of the number of users who would like to use an OpenID on their web site, and (c) to get a few testimonial accounts in any given category to adopt OpenID.

You can envision the scenario that as soon a few major college alumni associations adopt it, others will follow. As soon as you get the Boy Scouts, you’ll get the Girl Scouts and the Campfire Girls and 4H and everybody else. As soon as you get United Airlines, you’ll get Delta and Northwest. And as soon as you get Hertz, you’ll get Avis and National and Enterprise.

So I think part of the challenge for us is getting those early adopters who see the benefit and want to be perceived as thought leaders. As soon as that happens, the others will follow.

Right now, of the 18,000 OpenID enabled web sites, a majority of them are in that “user generated content” category. Some blogging sites, web sites, and discussion group web sites that are just going live now are choosing to go entirely OpenID.

Some are retroactively going OpenID and converting all their users to OpenID. So in that category, the benefits are compelling, in terms of ease of adoption and deployment. Reduction in customer care costs is another thing we should talk about.

If you only have one or two user name passwords to memorize and maintain, the likelihood that you’re going to forget it on a site that you go to less frequently goes down dramatically.

And it turns out, according to Forrester and Gardner and Meta, forgotten passwords account for 30 to 50 percent of customer care support calls. So if you can drive that cost down dramatically, you drive the customer frustration down about going to a site that they’re only going to less frequently.

Scott: I guess the other advantage for the site operator is that it’s not their problem anymore, right? They just basically shuffle you off to your OpenID provider who handles all of that lost password, password reset kind of stuff.

Brian: There are actually a couple of benefits there. One, you do outsource that customer care cost to your OpenID provider. The other is you don’t need to maintain the passwords, so you don’t have liability in the event that a password is compromised.

Scott: I think there’s an interesting dynamic there, in terms of how the Internet has changed. I think originally, site operators saw it as a purely positive proposition to collect information on their users.

In the last couple of years, they have really started thinking about the fact that there’s liability associated with that data.

I know as a user, I really wonder when I go to a site whether they are really qualified to store my credit card information. Are they really competent to safeguard this information? And if they give me a check box that says: “We can forget your credit card and you have to enter it every time,” I always check that box.

Brian: That’s one of the reasons why PayPal has become compelling on smaller sites where you might not have that trust factor. There’s a way for you to abstract away your proprietary account information.

Sean: What do you think about the ability of something like OpenID to be born from a single closed source company or even a small gaggle of them, whether it was Google, who has tremendous credibility, or Apple, who’s also closed source but has a lot of positive brand equity?

Do you think something like this has to be created by an open source type of community?

Mike: I think that this could’ve been pushed out by one of the big companies. Google, or Yahoo!, or Microsoft has the girth and user footprint to push something like this out.

But the technology has to have some genetic features that those companies typically wouldn’t provide–namely, the ability to easily migrate right off that particular silo into another.

It’s practically achievable for someone like a Google or Microsoft or Yahoo! or AOL, but disruptive to their community base. One of the things that we’ve seen happen is that Yahoo!, for example, has been very proactive with OpenID, relative to some of the other big companies.

But there was a time not long ago that they hadn’t warmed to this idea any more than Facebook or some of the other more closed companies, because they wanted to preserve their proprietary silo. One of the things that OpenID or similar technologies will do is to flatten the namespace and make it easy to move things around and facilitate portable user-managed identity. Momentum for that paradigm is expanding beyond OpenID in areas such as OpenSocial, OAuth, Data Portability, Portable Contacts, etc.

Scott: We’re drawing near our time limit, so I’d like to ask whether there’s anything that we didn’t ask about that would be interesting in this space to discuss.

Brian: One area that we think longer term is going to be interesting as OpenID becomes more prevalent is the notion of consolidating and aggregating and more intelligently managing all the content and communication that happens on the Internet today.

Right now, you have silos like email, chat, discussion groups, blogs, and wikis, with different people, groups, and topics that you’re trying to manage in a more disaggregated way.

Imagine a time in the future when all of your communications and all of your content sites are OpenID enabled, so you can pull them all together in a more consolidated way. You could keep track of various discussion topics, blog entries, emails, and chats in the context of topics that are of interest to you from people and groups that are of interest to you. It would let you prioritize and organize information in ways that make sense to you, based on your stated priorities or what the technology can infer from your actions.

That’s something we think that in the longer term, OpenID will enable that no other solution or approach has done to date. So we’re excited about what it can do for registration and sign on today. We’re more excited about what it can do with digital identity, reputation, and content management long term.

Mike: One of the things that JanRain has to balance is the immediate, practical needs of equipping the industry to provide practical solutions, with the long range opportunity, which is huge. Once OpenID proliferates in a broad way, they will become the effective end points for all sorts of things. Communications is an obvious one, but commerce and trust and the things that spring from them are going to increasingly become factors, in terms of the basic building blocks that are OpenID end points.

For us, that’s an enormously motivating horizon to keep looking at, even if it’s not proper to talk about in this quarter or next, or even next year. But as time goes on, this is going to unleash a huge number of disruptive opportunities for new communication tools, new workflows for collaboration around content, new e-commerce trust mitigation, and e commerce payment flows, all using OpenIDs as the atoms building into molecules and organisms in a way that hasn’t happened before.

Scott: This has been a good conversation, and thanks for taking the time to chat with us. Identity and personal data are central to the work that lots of people are doing, and so it’s really nice to get your perspective on how OpenID fits in.

Bookmark this: