Back in March 2006, when Information Cards were unknown and untested, it became obvious that the best way for me to understand the issues would be to put Information Cards onto Identityblog.
I wrote the code in PHP, and a few people started trying out Information Cards. Since I was being killed by spam at the time, I decided to try an experiment: make it mandatory to use an Information Card to leave a comment. It was worth a try. More people might check out InfoCards. And presto, my spam problems would go away.
So on March 18th 2006 I posted “More hardy pioneers try out InfoCard”, showing the first few people to give it all a whirl.
At first I thought my draconian “InfoCard-Only” approach would get a lot of people's hackles up and only last a few weeks. But over time more and more people seemed to be subscribing – probably because Identityblog was one of the few sites that actually used InfoCards in production. And I never had spam again.
How many people joined using InfoCards? Today I looked at my user list (see the screenshot below with PII fuzzed out). The answer: 2958 people successfully subscribed and passed email verification. There were then over 23,000 successful audited logins. Not very many for a commercial site, but not bad for a technical blog.
Of course, as we all know, the powers at the large commercial sites have preferred the “NASCAR” approach of presenting a bunch of different buttons that redirect the user to, uh, something-or-other-that-can-be-phished, ahem, in spite of the privacy and security problems. This part of the conversation will go on for some time, since these problems will become progressively more widespread as NASCAR gains popularity and the criminally inclined tune in to its potential as a gold mine… But that discussion is for another day.
Meanwhile, I want to get my hands dirty and understand all the implications of the NASCAR-style approach. So recently I subscribed to a nifty Janrain service that offers a whole array of login methods. I then integrated their stuff into Identityblog. I promise, Scout's Honor, not to do man-in-the-middle attacks or scrape your credentials, even though I probably could if I were so inclined.
From now on, when you need to authenticate at Identityblog, you will see a NASCAR-style login symbol. See, for example, the LOG IN option at the top of this page.
If you are not logged in and you want to leave a comment you will see:
Click on the string of icons and you get something like this:
Because many people continue to use my site to try out Information Cards, I've supplemented the Janrain widget experience with the Pamelaware Information Card Option (it was pretty easy to make them coexist, and it leaves me with at least one unphishable alternative). This will also benefit people who don't like the idea of linking their identifiers all over the web. I expect it will help researchers and students too.
One warning: Janrain's otherwise polished implementation doesn't work properly with Internet Explorer – it leaves a spurious “Cross Domain Receiver Page” lurking on your desktop. [Update – this was apparently my problem: see here] Once I figure out how to contact them (not evident), I'll ask Janrain if and when they're going to fix this. Anyway, the system works – just a bit messy because you have to manually close the stranded empty page. The problem doesn't appear in Firefox.
It has already been a riot looking into the new technology and working through the implications. I'll talk about this as we go forward.