{"id":494,"date":"2006-07-22T17:57:31","date_gmt":"2006-07-23T01:57:31","guid":{"rendered":"\/?p=494"},"modified":"2006-07-22T18:55:11","modified_gmt":"2006-07-23T02:55:11","slug":"bad-journalism-or-bad-communication","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=494","title":{"rendered":"Bad journalism or bad communication?"},"content":{"rendered":"

Identity master Ben Laurie<\/a> of Google pushes back on me<\/a> for picking up Eric Norlin's<\/a> recent piece on Google Authentication.  Ben writes:<\/p>\n

I\u00e2\u20ac\u2122ve been trying to resist the temptation to comment on posts such as Dick Hardt\u00e2\u20ac\u2122s \u00e2\u20ac\u0153Google Account Authentication: two steps forward, one step back<\/a>\u00e2\u20ac\u009d and Kim Cameron\u00e2\u20ac\u2122s \u00e2\u20ac\u0153GOOGLE\u00e2\u20ac\u2122S AUTHENTICATION VERSUS MICROSOFT\u00e2\u20ac\u2122S LIVE ID<\/a>\u00e2\u20ac\u009d (which is mostly Eric Norlin\u00e2\u20ac\u2122s \u00e2\u20ac\u0153Google\u00e2\u20ac\u2122s authentication vs. Microsoft\u00e2\u20ac\u2122s Live ID<\/a>\u00e2\u20ac\u0153), since I work for Google and such comments might be misconstrued. However, bad journalism is bad journalism, even if you\u00e2\u20ac\u2122re a blogger and I\u00e2\u20ac\u2122m a Google employee, so I\u00e2\u20ac\u2122m going to comment anyway. Note that, like everything I blog here, this post does not reflect Google\u00e2\u20ac\u2122s views, nor does it use any knowledge I may or may not have as a Google employee.<\/p>\n

Firstly, as everyone who pays attention knows, Google doesn\u00e2\u20ac\u2122t announce what it\u00e2\u20ac\u2122s going<\/em> to do, only what it\u00e2\u20ac\u2122s already done. So, what does it mean to contrast thus (from Eric Norlin\u00e2\u20ac\u2122s piece)? \u00e2\u20ac\u0153Of extreme importance is the fact that Windows Live ID will<\/u><\/em> [my italics] support WS-Trust, WS-Federation, CardSpace and ADFS (active directory federation server).\u00e2\u20ac\u009d vs. \u00e2\u20ac\u0153Contrast all of this with Google\u00e2\u20ac\u2122s announcement: create Google account, store user information at Google, get authentication from Google \u00e2\u20ac\u201d are we sensing a trend?\u00e2\u20ac\u009d – well, yes, the trend I\u00e2\u20ac\u2122m sensing is that Windows Live ID does much what Google does today. Tomorrow they both may do something different. As of right now, what are the options? Is there any mature, reliable, secure identity federation mechanism that\u00e2\u20ac\u2122s widely used? I think not. Note, BTW, that Live ID is currently vapourware, you can\u00e2\u20ac\u2122t even get SDKs for it yet, let alone actually use it.<\/p><\/blockquote>\n

I need to begin by responding that I didn't know “Google doesn't anounce what it's going to do, only what it's already done.”  This must sound incredibly naive on my part, but it's true.<\/p>\n

I guess I don't have a good enough understanding of the cultural differences between various companies.  I'm used to being required to share a roadmap with enterprises and large organizations.  They need that to facilitate their planning.  But in retrospect I can see that Google may not need to function this way.  I'm probably not the only one who hasn't understood this, so I appreciate Ben's explanation of how we should interpret Google's announcements.<\/p>\n

Secondly, I agree that neither MSN nor Google nor AOL nor anyone else has a federation mechanism that's widely used outside their own properties at internet scale. <\/p>\n

Above all else, I agree with Ben's statement that, “Tomorrow they both may do something different.”  So peace, bro’.<\/p>\n

Speaking of peace, Ben on Liberty:<\/p>\n

Some have argued that Liberty is the answer to this, in that it\u00e2\u20ac\u2122s mature, reliable and secure. But it isn\u00e2\u20ac\u2122t widely used, partly because of complexity, partly because in its early days it royally screwed over people who might have driven adoption, like the Apache Software Foundation, and partly because of complex IPR issues. At least, I\u00e2\u20ac\u2122ve heard, the IPR might be getting fixed. I watch that space with interest.<\/p><\/blockquote>\n

Ben on Dick Hardt:<\/p>\n

Dick Hardt: \u00e2\u20ac\u0153Google has just released Google Account Authentication<\/a>. My initial reaction: great technology for rich clients and web sites acting acting on behalf of the user, but deepens the Google identity silo.\u00e2\u20ac\u009d What does this mean? How does allowing applications to access a user\u00e2\u20ac\u2122s Google services deepen anything? Did Dick actually read what these services do?<\/p>\n

\u00e2\u20ac\u0153The Google Account Authentication for installed apps<\/a> is a bold move to standardize an API for working with installed applications. Unfortunate that it is domain centric. The user has to provide their Google credentials. Clearly the easy, safe choice that creates more value for the user\u00e2\u20ac\u2122s google credential. Also makes it harder for any identity management technology to manage the Google credential.\u00e2\u20ac\u009d<\/p>\n

Well\u00e2\u20ac\u00a6<\/p>\n