Rohit's Realm


July 03, 2007

OpenID, Gallery, and the Big Three

Besides the withering battles with existential angst and the woeful failures with women, the biggest problems in my life in recent years have revolved around my photo gallery. Specifically, I have struggled with achieving a proper balance between the diametrically opposed goals of providing access to friends and family, and simultaneously, limiting access to the general public. (My political career may well be ruined, but that does not mean I should actively try to ruin that of others.) A quick historical survey of the archive should demonstrate just how much of a problem this has been.

The Problem

In November 2005, I upgraded my photo gallery software to Gallery2, and shortly thereafter, I rolled out an identity management system to restrict access. However, after only nine months, I essentially ditched that system (it was never properly finished, to be honest), and was left with what exists now: an unwieldy hodgepodge of non-standard user accounts; no means of maintaining said accounts without going into the database manually; and an access model that is neither fully-defined nor fundamentally sound. While much of this is probably my fault (never put incomplete crap into production!), I am quite certain that I am not the only person who struggles with these issues.

The basic problem here is three-fold:

  1. Restricting access to my photo gallery inevitably involves introducing a login barrier, which as discussed on Coding Horror, is usually a Bad Thing™, and so, I want to make the experience as hassle-free as possible;
  2. Both authentication (i.e., establishing a person's identity) and authorization (i.e., establishing what that person can do on the system) are notoriously difficult to get right, and reimplementing the wheel in this situation is not only inefficient, but oftentimes can cause major security lapses; and
  3. Manually maintaining user accounts for my site, and all the support that goes with it (e.g., password resets, etc.) is a major source of tedium for me.

For many of the aforementioned reasons, OpenID was introduced a couple years back, and has since gained widespread adoption amongst techies. The major problem with OpenID, as I see it, however, is that it still requires one to have a URI of some sort, which in practice means that you either: (1) need to be savvy enough to own your own domain and deploy an OpenID server; or (2) need to use a service (e.g., LiveJournal) that provides OpenID functionality for its users. Either way, this still excludes a significant majority of people whom I wish to provide with access to my gallery. Thus, simply deploying OpenID authentication for my gallery (I'm not even sure such functionality exists within Gallery) is not going to be sufficient.

The Solution

The most frustrating thing about this situation is that all the technology is already in place for a fairly robust solution. OpenID works pretty well as a distributed identity mechanism, and while most people do not have URIs, almost everyone has an account with one of the Big Three Internet companies, i.e., Google, Microsoft, and Yahoo. If the Big Three would just introduce OpenID support for all their (hundreds of millions of) users, suddenly, the notoriously difficult problem of authentication simply goes away. As a website owner, I could deploy OpenID authentication on my gallery, and then, never worry about having to maintain a repository of user information at all.

Of course, authorization would still have to be conducted on my end, but: (1) that was never going to go away in the first place; and (2) hopefully, it would be as easy as adding an e-mail address of a family member or friend to an access control list (or specifically in Gallery, a group). Essentially, I would go from being forced to maintain my own de facto Internet portal (albeit a minuscule one) to simply fielding requests for access and approving those of people I know.
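To make the split concrete, here is an added example (not code from this post, and not Gallery's own OpenID support, which the post leaves open) of what the gallery side would look like once authentication is delegated: the relying party accepts a provider's positive assertion only after checking its HMAC signature over the signed fields, the return_to address, and nonce freshness, and then consults a local group-based access list for authorization. It assumes an OpenID 2.0 style association whose MAC key is already shared with the provider (the discovery and association handshake is omitted), simulates the provider's signing step locally, and uses constructed example.com/example.net/example.org identifiers, albums, and groups.

```python
import base64
import hashlib
import hmac
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# --- Authorization data: stays on the gallery owner's side (constructed sample) ---
# Normalized OpenID identifiers mapped to Gallery-style groups.
ACCESS_GROUPS = {
    "http://openid.example.com/mom": {"family"},
    "http://alice.example.net/": {"friends"},
}
# Albums mapped to the groups that may view them; an empty set means public.
ALBUM_ACL = {
    "thanksgiving-2006": {"family"},
    "roadtrip": {"family", "friends"},
    "highlights": set(),
}

# Assumed: MAC key agreed with the provider during association, and our return URL.
MAC_KEY = b"constructed-association-secret"
RETURN_TO = "http://gallery.example.org/openid/return"


def normalize_identifier(claimed: str) -> str:
    """Canonicalize a claimed identifier so ACL lookups do not depend on
    case or a missing scheme/trailing slash (in the spirit of OpenID 2.0)."""
    parts = urlsplit(claimed if "://" in claimed else "http://" + claimed)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


def _kv_form(fields: dict, signed: str) -> bytes:
    # Key-Value form of the fields named in openid.signed, in that order,
    # with the "openid." prefix stripped from each key.
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed.split(",")).encode()


def sign_assertion(fields: dict, mac_key: bytes) -> dict:
    """Provider side (simulated here): attach openid.sig over the signed fields."""
    mac = hmac.new(mac_key, _kv_form(fields, fields["openid.signed"]), hashlib.sha256).digest()
    return {**fields, "openid.sig": base64.b64encode(mac).decode()}


def verify_assertion(response: dict, mac_key: bytes, expected_return_to: str,
                     seen_nonces: set) -> Optional[str]:
    """Relying-party side: accept a positive assertion only if the signature
    checks out, it was addressed to us, and its nonce has not been seen.
    Returns the normalized claimed identifier on success, None otherwise."""
    if response.get("openid.mode") != "id_res":
        return None
    signed = response.get("openid.signed", "")
    required = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id"}
    if not required <= set(signed.split(",")):
        return None  # identity-bearing fields must be covered by the signature
    try:
        expected = hmac.new(mac_key, _kv_form(response, signed), hashlib.sha256).digest()
        given = base64.b64decode(response["openid.sig"])
    except (KeyError, ValueError):
        return None
    if not hmac.compare_digest(expected, given):
        return None
    if response["openid.return_to"] != expected_return_to:
        return None
    nonce = response["openid.response_nonce"]
    if nonce in seen_nonces:
        return None  # replayed assertion
    seen_nonces.add(nonce)
    return normalize_identifier(response["openid.claimed_id"])


def can_view(identifier: Optional[str], album: str) -> bool:
    """Authorization: a verified identity may view an album only if it belongs
    to one of the album's groups. Unknown albums are denied."""
    allowed = ALBUM_ACL.get(album)
    if allowed is None:
        return False
    if not allowed:
        return True  # public album, no login needed
    if identifier is None:
        return False
    return bool(ACCESS_GROUPS.get(normalize_identifier(identifier), set()) & allowed)


def sample_assertion(claimed_id: str, nonce: str) -> dict:
    """Build a constructed positive assertion as the provider would send it."""
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "http://openid.example.com/server",
        "openid.return_to": RETURN_TO,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": "assoc-1",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.signed": "op_endpoint,return_to,response_nonce,assoc_handle,claimed_id,identity",
    }
    return sign_assertion(fields, MAC_KEY)


if __name__ == "__main__":
    seen = set()
    who = verify_assertion(sample_assertion("http://openid.example.com/mom", "n1"),
                           MAC_KEY, RETURN_TO, seen)
    print(who, can_view(who, "thanksgiving-2006"), can_view(who, "roadtrip"))
```

The point of the split is visible in the two halves: nothing in `verify_assertion` knows who is family, and nothing in `can_view` knows how the identity was proven. Adding a relative becomes a one-line change to `ACCESS_GROUPS`, while the replay and tamper checks live entirely in the verification step.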

Better still, this is a win-win situation for everyone involved:

  • The user does not have to create yet another account or remember yet another password for my gallery;
  • I do not have to deal with the frustration of maintaining my own user base; and
  • The Big Three get to drive their hooks further into their users (and also, violate their collective privacy even more), as the singular provider of identity across the web (i.e., a business incentive to implement this feature).

Finally, users who do not (for whatever reason) wish to use their Big Three accounts for identity (these will generally be people who recognize there are alternatives), are more than welcome to deploy their own OpenID server and use that as their authentication mechanism. I would still retain control over authorization and could always reject sketchy or random people.

Hell, even near-ubiquitous social networking sites (I mean Facebook, not MySpace—whoops, is that my hegemonic side coming out?) could do this for pretty much the same reason, and with the same results. We are so close to a much better Internet experience! The better question is: why hasn't this already happened?


Because of communists!

Freakin' communists! Better dead than red!

What did you end up doing to manage your pictures on your machine locally? I just upgraded my digital camera and seem to remember you doing some talking about a local CMS for pictures. You used to use iPhoto, but grew out of it, and it looks like I'm in the same boat.

Chris, I cobbled together a system using open source products and some quick Perl scripts. It isn't ideal, but it works for me. This article describes my workflow.
