April 23, 2009

Explaining the OAuth Session Fixation Attack

There is a pretty good story behind this. That is, how we found and managed the OAuth protocol security threat identified last week. In many ways, the story is much more important and interesting than the actual technical details of the exploit.

For everyone involved, this was a first-of-a-kind experience: managing a specification security hole (as opposed to a software bug) in an open specification, with an open community, and no clear governance model. Where do you even begin?

But right now, I know you want the technical details.


April 16, 2009

Introducing 'Sign-in with Twitter', OAuth-Style "Connect"

Yesterday Twitter released 'Sign-in with Twitter', the ability to use Twitter as a delegated sign-in provider for third-party websites. The cool thing about this new feature, which is part of their OAuth API beta, is that it is completely standard OAuth. No extensions, no secret sauce, and not another proprietary provider (yes, I'm looking at you, Facebook).


It is Open done right.

With this small enhancement of the Twitter OAuth API, Twitter created a product that directly competes with Facebook Connect. The implementation details are significantly different (and there are some technical shortcomings on both sides), but there is little you can do with one and not the other. There is no reason why 'Sign-in with Twitter' cannot be used anywhere Facebook Connect is offered, including blog posts and activity streaming.


April 05, 2009

Old Thoughts on Microblogging Business Plans

It has been a year since I decided to put my startup Nouncer on hold and join Yahoo!. It has been fascinating to witness Twitter's renewed media attention and recent growth, and it has inspired me to go back to my old posts about trying to run such a business.

The following are three posts on the subject:


April 04, 2009

Quick Weekly Recap

This was a light blogging week with mostly short posts. They included an invitation to attend the upcoming Internet Identity Workshop, clarifications to help those implementing OAuth on the server side, an announcement about OAuth being nominated for a Webware 100 award, a call for action in the Open Web Foundation, and some advice on versioning specifications.

I will be traveling to New York, New Jersey, and Virginia over the next 10 days. Hope to see a lot of my New York friends while I'm there.

April 03, 2009

On Versioning Specifications

With a growing number of new specifications being published by first-time authors, I think it is important to pay attention to when a specification should carry a version number. For most people, giving a specification a version is a sign of forward thinking and planning for future revisions. But not every specification should have a version number.


April 02, 2009

Building the Open Web Foundation

Next month will be a year since the work on creating the Open Web Foundation started. It has been 8 months since the initiative was unveiled at OSCON 2008, and six months since the legal entity was created and work began on the legal framework for specifications.

We accomplished a lot during this time. Not so much in hard deliverables, but in building industry-recognized momentum and starting to change the way individuals and companies think about community-driven specifications and light-weight standards. Over the past couple of months, members of this community have been invited as experts to talk to well-respected and established standards bodies and explain this work. This is not a small accomplishment.


April 01, 2009

OAuth Nominated for CNET's Webware 100 Awards

OAuth was selected as a finalist in the Infrastructure & Storage category in the 2009 Webware 100 Awards. I consider this nomination a recognition of the incredible accomplishments of the OAuth community and the record-breaking adoption of the OAuth Core 1.0 protocol. Voting is open until April 30th, so go vote...

March 31, 2009

Clarifying OAuth Requirements for Service Providers

It's never good when specifications are read like the Bible, where people find in them whatever they want.

Over the past few months I have been getting many questions about requirements in the OAuth Core 1.0 specification, as well as finding significant issues with existing implementations. I agree that the specification isn't clear on many of these issues, but until we have a replacement, I hope this list will help.


March 30, 2009

Internet Identity Workshop, the Identity Geekfest

There are few events more productive than the Internet Identity Workshop.

And few that I enjoy quite so much. I'm an engineer at heart, even though these days I play a pseudo-lawyer and write specifications. While I enjoy the meta conversations about the social web, I love talking code. The real thing, like working with a group of people on a new XML schema using a whiteboard, or walking through use cases and designing protocols. Ultra-geek stuff.


March 29, 2009

Sunday Morning Cleanup

I am working on some new designs for this blog, trying to transition it into a more persistent online resource for the subjects I care about: OAuth, Discovery, Open Web, and Microblogging. This will include a new look, custom pages for each topic, and the usual house cleaning.

The first step was to review every blog post I wrote over the past two years and recategorize them. The idea is to make the categories a useful tool for staying up-to-date with the topics you care about. On the right side of this blog you will find the 'Categories' tool, which shows (by font size) how prominent each topic has been over the past two years. It also provides a link to the posts in each category.

Here are some of my categories:


About

  • This is the technology blog of Eran Hammer-Lahav. A frequent contributor to OAuth, Discovery, XRD, and other emerging community-driven specifications and standards, I am currently working as Yahoo!'s Director of Standards Development. My personal blog is Half a Bee.

Copyright License

Creative Commons License.