Saturday, February 20, 2010

Webfinger: your real web address

[Update: This is one of those posts that was written quickly to try and capture an idea spinning in the brain before it got dizzy. As a result, it makes little sense unless you know about stuff like Shibboleth and OAuth, but if that's your bag, read on. I already have a (supposedly) more readable half-written post about why something like this was sorely needed, but now it's here, let's get right to it.]

The release of Google Buzz has drawn attention to Webfinger, which appears to provide something that I've been looking for for quite some time. Despite its terrible name, my "webfinger ID" could replace my email address as the universally recognised way by which I identify myself on the web, and by which others out there refer to me.

Webfinger is dead simple. Really. (I think.) All it's about is a way of publishing profile information about you on the web in a way that is easily discoverable. To be exact, any application presented with the webfinger ID "" can query standard pages on (not quite, but almost) and find out stuff about Fred - for example:
  • their Jabber ID
  • their OpenID - no more typing in URLs
  • their Shibboleth IDP - no more WAYF problems
  • their photo, bio and any other public profile information they wished to publish. 
That means one day, I should be able to type my webfinger ID into a cloud service - or into another university's research system - and it could immediately redirect me to my organisation's own single-sign-on login screen where I can enter a different username and password for authentication there, and get back a ticket - using OAuth - to use the service. Even better, if I wanted to share my research with someone from a U.S. university, I could type in their webfinger ID (usually their email address), and immediately get to see their photo to be sure that I got the right person. Better still, a stream of updates from your contacts in your favourite microblogging application could show avatars and linked profile information all derived from webfinger.
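
The lookup described above, as an added example that is not part of the original post: it assumes the query URL and JSON (JRD) response format later standardised in RFC 7033, which postdates this post, and shows the checks a relying service would want before redirecting a user to the login page a domain advertises. The account, hosts, link relations and sample response are constructed or assumed for illustration.

```python
import json
import re
from urllib.parse import urlencode, urlsplit

# Assumption: link relations used by later WebFinger deployments, not named in the post.
REL_AVATAR = "http://webfinger.net/rel/avatar"
REL_OIDC_ISSUER = "http://openid.net/specs/connect/1.0/issuer"

# name@domain; the domain must be a dotted hostname ending in letters (no IPs, ports, paths).
_ID_RE = re.compile(r"(?:acct:)?([A-Za-z0-9._%+-]+)@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,})")


def discovery_url(webfinger_id):
    """Return (resource, URL) for an RFC 7033 query to the ID's own domain."""
    m = _ID_RE.fullmatch(webfinger_id.strip())
    if not m:
        raise ValueError("not a name@domain identifier")
    resource = f"acct:{m.group(1)}@{m.group(2).lower()}"
    # Scheme and path are fixed; only the validated host comes from user input.
    query = urlencode({"resource": resource})
    return resource, f"https://{m.group(2).lower()}/.well-known/webfinger?{query}"


def read_profile(resource, jrd_text):
    """Return {rel: href} from a JRD response, after checking it answers our query."""
    jrd = json.loads(jrd_text)
    if str(jrd.get("subject", "")).lower() != resource.lower():
        raise ValueError("subject does not match the requested account")
    links = {}
    for link in jrd.get("links", []):
        rel, href = link.get("rel"), link.get("href")
        # Keep https targets only, so a login redirect or avatar fetch cannot
        # be pointed at http:, javascript: or other schemes.
        if rel and href and urlsplit(href).scheme == "https":
            links.setdefault(rel, href)
    return links


# Constructed sample response for the constructed account fred@example.com.
SAMPLE_JRD = json.dumps({
    "subject": "acct:fred@example.com",
    "links": [
        {"rel": REL_AVATAR, "href": "https://example.com/photos/fred.png"},
        {"rel": REL_OIDC_ISSUER, "href": "https://login.example.com"},
        {"rel": "http://webfinger.net/rel/profile-page", "href": "http://example.com/fred"},
    ],
})
```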

Webfinger is likely to succeed for three reasons:
  1. It's a solution that's sorely needed. People currently identify themselves by email address, but might use something different for their chat/Jabber ID even on the same domain. That's bad. Secondly, publishing profile data is pretty key to collaboration, and if there's a standard way to do it, so much the better. 
  2. It uses an email-style ID. Webfinger IDs are just of the form "name@domain". That reads naturally, and is a lot easier to read than an OpenID, that's for sure. 
  3. It's federated. Domains control publishing of profile data themselves. This is not like Facebook or Twitter or Google profile or any of the others. 
There are potential pitfalls. Webfinger makes profile data mining trivial, which could inhibit uptake, particularly amongst institutions that dislike opening their personal data without a fight. Secondly, a webfinger ID may not be a true email address, so emailing one could cause confusion and problems. Most importantly, the metadata that is published via webfinger is yet to be specified fully, and until it is, applications won't know quite how to find someone's avatar, for example. Actually the killer could be that name. It's just unappealing. "Oh, here, have my webfinger address..." or worse "I'll webfinger you..." Uh uh. Not cool. This needs a serious makeover as it's not a geeky backend thing; it should be your real web address.

Ok, so I may be pushing the idea further than it can support currently, but I hope you get the idea that this could be the Rosetta Stone we've been looking for - allowing federated collaboration systems to talk to each other and exchange people information simply and openly. I wonder how long it will be before I give out my first webfinger address?


Alistair said...

Data mining could be partly mitigated by having a public/less-public profile, i.e. /antleonard with email and website, /antleonard/cookies with Twitter, phone, Wave etc. The 'private' key would eventually need to be changed over time once it became more public than you wanted, but as the information is most useful at the point of receiving it (when I one-time-only connect to you on the networks), that isn't a deal breaker.

The name does need to change.

Anthony Leonard said...

That's really good to know. I'd be excited to see an implementation of Webfinger somewhere when it becomes available. I'm guessing Google's systems might be the first to show signs of this being put to use?