monkinetic weblog | redmonk.net

The action is over here. Next step is to start in on the thornier issue: how to start building the whitelist.

While writing Whitelisting With OpenID and XFN, I started thinking about what kind of work would have to go into implementing these ideas in Wordpress. One of the roadblocks I ran into was that in Wordpress (and Drupal, probably, and most other similar systems) links only support a single URI (not surprisingly). In order to support OpenID whitelisting, we need a unique identifying URI for an XFN contact - which may or may not be the same as the blog/site URI that you’d want to list in a blogroll.

I thought about trying to hack the support in myself, but after browsing through the 4 or 5 different files that would require patching, as well as adding database support, I decided I haven’t the experience with Wordpress nor the time to do it right. But I’d like to discuss this with someone who has the Wordpress expertise to give this a shot. Would be nice if it were a plugin, so we don’t have to hack the core code.

Any takers?

This weekend I ran across a post on Tim Berners Lee’s blog (the Giant Global Graph - Groan), but what got my attention was a previous post by Dan Connoly about the social-network-based whitelist they’ve developed for commenting on the Decentralized Information Group blog.

In less than a nutshell, the DIG is using the relationship data in their members’ FOAF files to build a whitelist of users (identified by their OpenID) who can comment on the site.

Decentralized Information Group, OpenID+FOAF Whitelist

In FOAF and OpenID: two great tastes that taste great together, Dan writes about the system the DIG devised to whitelist comment authors:

In more detail, you can comment on our blog if:
You can show ownership of a web page via the OpenID protocol.
That web page is related by the foaf:openid property to a foaf:Person, and
That foaf:Person is listed as a member of the DIG group in http://dig.csail.mit.edu/data, or
related to a dig member by one or two foaf:knows links.

Sean Palmer has a deeper, very interesting description of the process that went into the system, and Shahan Khatchadourian describes how it works for a new user

Mapped out, the system looks something like this:

To be added to the site’s comment whitelist, either the green or blue path must be satisfied: User A has to be either identifiable (via OpenId) as a DIG member (foaf:Person matches in the DIG member data) or another DIG member must “claim” User A (User A is identified via OpenID and their foaf:Person is related via foaf:knows to the known DIG member).

OpenID+XFN (+Wordpress?) Whitelist

So tonight I got to talking to Chris Messina about DIG’s system (he pointed me to Simon Willison’s efforts back in January at whitelisting via OpenID) and wondered if we couldn’t build a similar system with a little less propeller-head factor using XFN instead of the semantically pure but pragmatically awkward FOAF.

In order to make something like this work, it seems that the flow would work like this:

1. You can show ownership of a web page via the OpenID protocol.
2. That web page contains your hCard, or a symmetric XFN rel=”me” link to a separate page with your hCard
3. The URI of your hCard is listed in the service’s membership data, OR
4. The URI of your hCard is listed in the XFN of a member of the service with an XFN relationship of “acquaintance” or better (”better” is subject to definition, based on the XFN profile).
5. You get added to the service’s whitelist

This is very rough, but mapped out it looks something like this:

As before, to be added to a site’s whitelist, either the green or blue path must be satisfied. I think that a system like this for Wordpress (for example) could be built out of mostly existing parts, starting with the Wordpress OpenID Plugin (newly 2.0). (Chris has more notes on a wordpress plugin.)

My thinking here is rough, and probably contains quite a few holes, so I’m trusting that those more knowledgable that I will point out flaws in my thinking or new directions.

UPDATE: A conversation with Paul Walsh and Simon Willison sprang up in the comments on Pauls’ post, “Identity” the most widely misused term by Internet experts. Paul makes a decent case (and Simon agrees) that saying OpenID “proves identiy” is misleading - nothing is proven and no Trust is asserted. OpenID provides a form of identity (”I can prove I own this URI”) that particpants have agreed to. Thanks to Paul and I’ve updated my diagrams accordingly.

At Chris Messina’s request, I just installed and enabled the WP-OpenID+ plugin for this site. So if you want to comment, give it a shot.