
Simon Willison’s Weblog

You know me

Dave Winer: The “You Know Me” Button. Dave hates posting comments on blogs and then having to check back constantly to see if anyone has replied (I do too). Sam Ruby’s solution is to provide the comments as a separate RSS feed for each of his entries, but Dave wants something more automatic that won’t clog up his aggregator. Dave’s new proposal is intriguing to say the least. When you sign up for an account with a discussion forum you have the option of configuring a link to an “identity server” able to respond to a specific protocol. Once this has been done, the discussion software “pings” your identity server with your username and a message whenever someone responds to one of your posts.

The idea as it stands is great, but at the moment it fails to address discussion forums that do not require the user to create an account (many blog comment systems for example). These could probably be served by a single text field asking for your optional You-Know-Me address. The problem that arises then is that of authentication—what’s to stop someone maliciously signing you up for comment threads without your consent? The spectre of spam can’t be too far over the horizon.

Maybe a solution would be to turn subscription into a two-step process—first you tell the comment thread your details and have it ping your identity server, then later on you visit the web application running on the identity server and “approve” that subscription. That should defend against unwanted subscriptions, but it also adds another layer of complexity to what should be an automatic process. You would also have to do this for every unauthenticated thread you subscribed to (I imagine that authenticated account-based subscriptions such as the ones Dave describes in his initial article would handle auto-subscribing you to all threads you participate in).
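The two-step subscription described above, as an added example that is not part of the original post or of Dave's proposal: a subscription ping from an unauthenticated form only creates a pending entry, and reply pings are delivered only after the owner approves it. No You-Know-Me spec exists, so the class, method names, return values and the `max_pending` cap are all assumptions.

```python
# Added example: hypothetical identity-server logic. Every name and message
# shape here is an assumption; the post defines no wire protocol.
from dataclasses import dataclass, field


@dataclass
class IdentityServer:
    """Holds one user's thread subscriptions in two states: pending, approved."""
    username: str
    max_pending: int = 20                        # assumed cap on unapproved requests
    pending: set = field(default_factory=set)    # thread URLs awaiting approval
    approved: set = field(default_factory=set)   # thread URLs the owner accepted
    inbox: list = field(default_factory=list)    # delivered (thread, message) pairs

    def subscribe_ping(self, username, thread_url):
        """Step 1: an unauthenticated comment form asks to subscribe this user."""
        if username != self.username:
            return "unknown-user"
        if thread_url in self.approved:
            return "already-approved"
        if thread_url not in self.pending and len(self.pending) >= self.max_pending:
            return "rejected-queue-full"         # strangers cannot grow the queue forever
        self.pending.add(thread_url)
        return "pending"

    def approve(self, thread_url):
        """Step 2: the logged-in owner approves from the server's web interface."""
        if thread_url not in self.pending:
            return False                         # nothing was requested for this thread
        self.pending.remove(thread_url)
        self.approved.add(thread_url)
        return True

    def unsubscribe(self, thread_url):
        """Remove a subscription whether it is pending or approved."""
        self.pending.discard(thread_url)
        self.approved.discard(thread_url)

    def reply_ping(self, username, thread_url, message):
        """A forum reports a reply; deliver only for approved threads."""
        if username != self.username or thread_url not in self.approved:
            return False                         # dropped before the tracked-threads view
        self.inbox.append((thread_url, message))
        return True
```

The approval step is the only place the owner's authenticated session is involved, which is why a ping carrying nothing but a username cannot put messages in the inbox.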

I have no doubt that someone will come up with solutions to any issues with Dave’s system, and I look forward to seeing the spec develop. Once a basic protocol has been laid down the possibilities are huge—I-Know-You to RSS/email/Jabber gateways are an obvious extension that could be great fun to hack around with. It’s been a while since I’ve messed around with web services and my XML-RPC library could do with an update.

This is You know me by Simon Willison, posted on 20th January 2003.


7 comments

  1. What's to stop someone else from posting to a Movable Type weblog, as it stands now, with someone else's name?

    Dave Winer - 20th January 2003 23:37 - #

  2. BTW, you're onto something with the Jabber connection. It's an easy extension to Jabber to handle this. Also an easy extension to Manila.

    Dave Winer - 20th January 2003 23:39 - #

  3. The authentication problem is more to do with people signing you up for threads you don't want to track, although thinking about it, the web interface would presumably provide a one-click unsubscribe mechanism so false subscriptions wouldn't be nearly as big of a problem as I first thought. I'm still slightly concerned about the opportunity for spammers to send crap straight to your "tracked threads" interface though.

    Simon Willison - 20th January 2003 23:43 - #

  4. I built something exactly like this using Jabber for a research project. Our system was meant to establish identity for credit card transactions (one click shopping via jabber transactions) but could just as easily be used for comment monitoring. The jabber infrastructure is an exact fit for the way this should work.

    Matt Jankowski - 21st January 2003 01:41 - #

  5. I wrote up my thoughts on my blog: link: http://www.kingprimate.com/weblog/archives/2003_01_21.html#12:17AM P.S. With this system in place the process of blogging something and then linking to it in a discussion would die -- there'd be one central place where all of a person's comments were stored (and are linkable) as well.

    Jeremiah Rogers - 21st January 2003 05:21 - #

  6. On authentication - my initial reaction was paired keys. The user encrypts the permalink URL for the entry with one key and enters it into a field, then the blog makes a connection to some server which decodes the URL with the paired key, follows it, finds a <link> in the permalink page and gets comments via RDF.

    The major flaw with this is that generating the proof of identity each time would be a pain. However I would *imagine* that it could be automated with Mozilla XUL and ActiveX (although this rather leaves users of other browsers out in the cold).

    David Dorward - 21st January 2003 07:35 - #

  7. Here's a super primitive way to get some level of authentication (not much admittedly) -- contact the poster's email address and require them to click on a hyperlink before it goes live. This way at least someone can't post as "dave@userland.com" without at least having access to that email account. Not perfect at all but I wonder if we're not missing baby steps along the way to a real solution.

    Scott Johnson - 24th January 2003 14:30 - #


Previously hosted at http://simon.incutio.com/archive/2003/01/20/youKnowMe
