walkah: openid

29 May 2008

DiSo for Drupal

I had an interesting e-mail exchange yesterday with Chris Messina and a handful of folks from the DiSo project about "DiSo for Drupal". For those of you who haven't heard of it, DiSo is:

DiSo (dee • zoh) is an umbrella project for a group of open source implementations of these distributed social networking concepts. Or as Chris puts it: “to build a social network with its skin inside out”.

See, Chris recently started a new job working on DiSo full-time at Vidoop. With the announcements of Facebook connect and Google's Friend Connect, there is a battle raging for control of your identity and your relationships. DiSo, in many respects, is the free open answer for the rest of the internet. It combines several free, open standards that already exist in the wild like OpenID, OAuth, and Microformats for exchanging identity and "friend" information.

So, Chris reached out to a handful of us Drupal folks about getting on board. The good news is: we, the Drupal community, are already well on our way:

The big holes at the moment (from a DiSo perspective) are XRDS-Simple support and better support for microformats - specifically XFN.

From the list of Drupal modules above, you may notice that this is an area of interest of mine :-P I look forward to working with the rest of the DiSo project and the Drupal community on this stuff!

24 Apr 2008

Google SoC: Drupal, OpenID and Attribute Exchange

Summer is coming - which means it's time for Google's Summer of Code. This is the fourth year of the project (and the fourth year that Drupal has been involved). We continue to be one of Google's favourite open source projects this year grabbing 21 spots - which means a $105,000 investment in Drupal development this summer!

I'm excited as this will be my third year as a mentor and my project this year will be OpenID Attribute Exchange support for Drupal. Attribute Exchange is one of the next important pieces in digital identity and one that I'm pretty excited about. My student, Anshu Prateek, has shown a lot of enthusiasm. I think it's gonna be a good summer!

12 Mar 2008

DrupalCon: OpenID slides and recap

With almost a week gone by since I left Boston, it's high time to do a quick recap of DrupalCon Boston 2008. Despite spending most of the week battling a nasty stomach flu, making two trips to the Apple Store in Cambridge, and being without my laptop (which suffered a failed keyboard and trackpad), I had a great time and want to offer my congrats to the organizing team for a solid event!

Although I took part in 6 sessions, I only presented one of them on my own: OpenID and Identity in Drupal. I was pleased with how the session went - packed room with lots of great feedback and discussion. For those interested, check out the slides on slideshare.

Otherwise, it was really great to see all the old faces and meet some new ones. For anyone who missed it, the Acquia party was a blast (Orbit rocks!). Looking forward to the next!

25 Feb 2008

OpenID at DrupalCon Boston 2008

Here we go again! One week from today, DrupalCon Boston 2008 will get underway. For the 3rd straight conference, I'll be doing a session on OpenID in Drupal:

OpenID and Identity in Drupal: the future of user.module

Those of you who have attended my OpenID talks at previous DrupalCons should definitely come out to this one, as I would like to dive a bit deeper into roadmapping future changes, additions and directions for the code as well as touching on rolling out OpenID support across the Drupal.org infrastructure itself. I'd also like to discuss additions and changes to user.module that will better accommodate alternate authentication mechanisms.

Can't wait to see you there! Oh, and yes, I'll bring my socks ;-)

19 Feb 2008

Harvard Joomla site hacked: things to learn?

There have been reports that Harvard recently had a Joomla! based website compromised, and the database contents have been made available via BitTorrent. Of interest - the compromise was apparently via the usage of an insecure password. From the Torrent Freak article:

A file included with the release labeled password.txt carries a message:

Thomas gatton….stupid people, you don’t use a secure password

While it's not entirely clear whether it was an insecure system password or an insecure Joomla! password used - it does highlight an important aspect of security.

Ensuring that you write secure code is only (a small) part of the security problem. With our recent Drupal 6.0 release, we have tried to incorporate several changes to help our users be more secure:

  • Password strength checker: when selecting a password in Drupal, users are now advised when their passwords are "weak". This encourages passwords that are tougher to crack or guess, particularly for admin and privileged users.
  • OpenID support: Even a strong (hard to guess / crack) password can be compromised by a clever attacker if you consistently log in without SSL (i.e. when you're at that internet cafe). Also, remembering several (hundreds!) of complicated, strong passwords can be daunting and frequently leads to poor password choices. By including OpenID authentication support, Drupal users and administrators no longer have to remember passwords to every site they administer. They can use their OpenID - which in turn can implement stronger authentication methods to limit potential vulnerabilities. Development Seed has a great article on how they use OpenID to avoid sharing passwords for admin accounts.
  • Update module: One of the biggest security challenges is keeping your site up to date. Drupal sites tend to be a combination of Drupal core and several (10 - 50) contributed modules - keeping them all up to date is a complicated task. It's also a crucial security precaution.

The point being: writing secure code is one thing, but there is a much trickier, critical task in educating users and administrators. It's something we're working towards within the Drupal Security Team and within the community in general. We're not done yet, and welcome your feedback and suggestions!

14 Feb 2008

Dear Drupal 6, Be My Valentine?

Happy Valentine's Day everyone! In case you hadn't heard, Drupal 6.0 has finally been released! It's been just over a year since our last major release and, while it feels sort of like an eternity, there is a *ton* of great stuff in this new release.

I'm really proud to have helped contribute OpenID support (relying party) to this release - the first step in a larger plan to put (keep?) Drupal at the front of the digital identity curve. Those interested in hearing more, check out my OpenID session at DrupalCon.

There's a ton of other great new stuff in 6: Update module (if you haven't used update status in Drupal 5 - you should), revamped i18n support, and Drag 'n' Drop everywhere (Nate, you're a rockstar)!

Drupal, be mine. :-*

17 Jan 2008

Yahoo! unveils OpenID support!

It's official! ReadWriteWeb picked up on it early last week, when OpenID link tags appeared on Flickr profile pages. Rampant speculation ensued, but the wraps are off. "Yahoo! Support Triples Number of OpenID Accounts to 368 million". Full details at http://openid.yahoo.com/ .

6 Dec 2007

OpenID 2.0 and Attribute Exchange 1.0

At last! Good news last night from the Internet Identity Workshop in California: OpenID 2.0 is finally final! I agree with Simon that the most interesting new thing in 2.0 is likely directed identity. And, yes, Drupal 6 already supports it.

However, one of the more interesting things (I think) is the final release of Attribute Exchange 1.0. I think attribute exchange (think profile data sharing and updating - and digitally signed assertions) represents the killer next step in online identity. Kudos to everyone involved! Time to get crackin' on some code :)

24 Sep 2007

DrupalCon Barcelona wrap-up

430+ attendees. 5 sessions. 4 days. One hell of a time.

I have to say, I might be addicted. The post-Drupal conference mixture of utter exhaustion (plus jetlag) and renewed energy and excitement is a feeling that I've really grown to look forward to twice a year. This is one great community full of great people. I love you all!

My personal highlights:

  • Having my son, Andrew, along - definitely mitigated some of the usual homesickness and was hopefully an experience he'll cherish as long as I do.
  • My socks! I love 'em - and they made chx jealous :)
  • Seeing Dries, Gabor, Bert, Adrian, and all the other non-North American Drupal folks that I feel like I never get to see enough of
  • Hanging out with the amazing team from Lullabot: you're rockstars, each and every one.
  • A great venue and superb planning - hats off to Robert Garrigos and crew!
  • All the amazing energy behind image/file handling, OOP and other awesome stuff to come in Drupal 7

As promised, I gave 3 presentations... all of which went well (I thought):

In addition to those three, I also took part in a couple of panels: the live podcast was a lot of fun - go check it out!

I was also on the Drupal Association panel. This was interesting - it was clear that as a young organization - we still have a lot to learn and a lot to do. I was sympathetic to the concerns raised, but there has been a lot of discussion amongst association members since the panel and hopefully we'll see some positive changes forthcoming.

*phew* ok, that's enough for now... although I've left out a bunch. Jetlag calls... g'night planet drupal!

15 Sep 2007

Off to Barcelona

I haven't quite made it to "my bags are packed and I'm ready to go", but I'm only a load of laundry away. Tonight I'm flying off to Spain (for the first time ever!) to take part in the biggest Drupal Conference yet! Boy we've sure come a long way since a handful of us met in a basement in Antwerp just 2.5 years ago...

As usual, I'll be pretty busy. The following sessions should be interesting ;) :

  • OpenID: it's in core... now what? This is going to be sort of a continuation to the talk I gave at the Yahoo OSCMS. I hope to cover a few main things : first, there's still a lot of confusion about what OpenID really is (or more so what it isn't). Hopefully, I can answer some of that. I'll also be outlining where I'd like to take the code moving forward, as well as new technologies in the OpenID community that we - the Drupal community - should keep our eyes on.
  • Image handling in core... for real this time. It wouldn't be a Drupal conference if I didn't, right? I have not spent as much time as I'd like lately with image/media stuff in Drupal - but a lot of really great people have. I'm hoping to gather as many of said people as possible, survey the landscape of "image*" modules and devise (or at least share my thoughts on) a plan for making Drupal better with images out of the box.
  • Drupal and SimpleXML. This will be a brand new talk, but one I'm excited about. The move to PHP 5 brings lots of advantages for developers, but the one I'm most excited about is the option to ditch all of our old expat-based parsing code in Drupal. As someone who enjoys writing a lot of 'web-services' type code, consuming and producing XML documents in a simple and efficient fashion is exciting.

I'll also be sitting on the Drupal Association panel and hope to rock out on the Live podcast (those are always fun). It should be a busy week! :)

I'm super excited to see all the awesome people in the community - especially some of the new fathers. But, I'm *really* excited to be bringing my son Andrew with me. I love getting to travel as part of the Drupal community and am so excited to get to share a new adventure with my favourite guy on the planet.

Back to packing...

James Walker