Actually, I don’t have a well-thought, proven, and complete case to make.
What I have instead is some loose consensus from a small group of people and a lot of experience trying other ideas. Historically, this is a bad way to start a discussion about new URI schemes. Getting consensus for new URI schemes is often more difficult than solving American healthcare.
The proposed ‘acct’ URI scheme is designed to identify an account. ‘Account’ is a pretty straight-forward concept. It is some sort of identifier – a string – that is specific to an authority – usually a server or domain. For most people, their account is also their email address, and in recent years, the emphasis on email has surpassed the concept of an account. When I started using the web 20 years ago, I had an account on a server. It just happened that this account has a mailbox associated with it.
A Grand Vision
Almost every single social web protocol and idea starts with the notion of each user having some kind of identifier. This identifier allows us to share pictures, send messages, and control access to our data. When this is done in a closed environment everything is straight forward and simple. But when we try to extend this model to a distributed, federated system, we quickly get stuck on how these discrete systems can identify users across system lines.
Now, granted, we don’t really know how to make the social web truly distributed. We have grand ideas and a lot of good intentions but for the most part, none of that translates into products the average web user can actually understand and use (today). Most web users still don’t get Twitter, and that’s the centralized kind.
The Bootstrapping Approach
But what we do know is that we are stuck in a chicken-and-egg situation where we are forced to use either HTTP URIs or email addresses. Neither one really works / worked. HTTP URIs are good because they are easy to deploy. From an infrastructure perspective, HTTP URIs can be used today, and don’t require any new special servers, software, DNS, etc. But our experience with OpenID has proved (beyond reasonable doubt) that web users just don’t get it. For most people, using an http://something to identify themselves is weird, counter-intuitive, unmemorable, and awkward to use.
Recent usability testing from Yahoo!, Google, and others have shown that when a user is asked for an email address, their success rate using OpenID increases significantly. Which brings us to the other alternative, using email addresses as identifiers. Here we face a different set of problems, mostly dealing with spam and privacy. Because of the critical role email plays today, people are often reluctant to share their email address, and rarely publish it publically. Furthermore, large companies will simply not allow such practices.
Appearances Matter
In a perfect world, it should not matter how accounts are represented internally. Given the right context, we should be able to ask the user the right question and turn that into the answer we need. Instead of asking the user for their OpenID URI (which we know does not work), we could ask them for their screen name at Yahoo! or AOL. Or we can give them a shiny Facebook button to press which will send them over to Facebook and back to us with the identifier we need.
But reality has proved that these internal identifiers leak, and that coming up with a UI that works is extremely difficult. We have all seen blog comments posted using OpenID that look like this:
Posted by http://example.com/identifier/guid/3392830912/asde0
This doesn’t work for humans. What does is:
Posted by 3392830912@example.com
Or even:
Posted by acct:3392830912@example.com
Why? Because as pattern seeking creatures, we can immediately identify the syntax and it makes intuitive sense to us. Something that looks like an email address is acceptable for a person while something that looks like an address for a web page is not. And what we also learned is that asking for an email address as an identifier, is easier and an effective user experience. It is just that we don’t really want their email address but their account. And yes, in many cases, they will be the same.
Why does it Need to be a URI?
Because URIs are how we identify stuff on the web. It is the namespace convention for naming things. It is also too late to change many existing framework to accept some other identifier that is not a URI. The most obvious example is links. Links are the most fundamental building block of the web. If we cannot link from one resource to an account, we lose a lot of functionality. When my identifier is a URI, I can do this:
<link rel=”me” href=”acct:eran@hueniverse.com” />
Without having to create a new context-specific relation type, or any other extension to the link framework. And the semantics of this are pretty straight-forward too.
Can’t it be an HTTP URI?
Yes, an HTTP URI does solve many problems as indicated earlier. But it lacks in a few areas that have proved to be detrimental in getting adoption (using our OpenID experience). Because this is going to be the part most of the discussion is going to revolve around, I am going to repeat some points made earlier and sum it up in one place:
- Inefficient - No direct way of telling what the URI is without performing some discovery on it (or at least a GET). Unless we do something like a well-known URI prefix (like http://webfinger.info/account/authority/local-part), which is, well, awful. Having to perform discovery on an HTTP URI to figure out that it denotes an account is wasteful and doesn’t scale. It also requires a discovery framework that, while is in the works, has to stand on its own first before it can be relied upon (that chicken-and-egg again).
- Disliked by Grandmas – An HTTP URI as an account identifier is completely unintuitive to people as we have learned from OpenID. We want something that looks like email (and works like email in most cases), but is not tied to the SMTP infrastructure (or the XMPP one). These URIs tend to leak out of the machine world and appear in front of users (again, a lot of OpenID experience). It also creates either conflict (if an account URI is also used as a profile page) or confusion (users having both an HTTP profile and an HTTP account URIs).
- Unpredictable - No easy way to ask people to manually enter their account information and construct an HTTP URI for it. Services can assign HTTP URIs to accounts, but knowing my account (username and domain where I login) does not allow me to construct that URI. This means I have no way of providing it to services without either a fixed template (which violates the namespace of the service) or a hardcoded conversion template for each service. Yes, we can use discovery to define such a template for each domain, which is what we are proposing for WebFinger with host-meta, but it’s an interaction that is not necessary unless you want to get more information about the account and not simply name it.
- Context Sensitive – It needs context when used in links. It is clear what <link rel=”me” href=”acct:joe@example.com” /> means. No so much for <link rel=”me” href=”http://example.com/account/joe” />. The first means “I am known as Joe at example.com”. The second means I own the web page at that URI. Not really the same.
How does it Avoid Making Spam Worse?
Since in many cases the account is also an email address, it is reasonable to question how it will avoid the pitfalls of spam and privacy. The new scheme does nothing to solve spam. But it accomplishes not making it worse by not requiring the identifier to be a valid SMTP address. People can ask their providers to mint them account names that are either completely opaque (3297328732) or that are intuitive but not their email address (mailto:eran@hueniverse.com vs. acct:ehl@hueniverse.com). Many systems already offer aliases, so the concept of an alias that is only good for distributed login or identity isn’t a hard concept.
Also, account discovery protocols like WebFinger should accept an account URI that was produced by transforming an email address. I can go to a site and give it my email address as my identifier. The site will then transform it into an account URI (mailto:eran@hueniverse.com -> account:eran@hueniverse.com) and perform WebFinger on that. However, when they get the account descriptor (an XRD document), it will provide a different account URI as my canonical identifier. It is that canonical identifier that will be used to identify me by the service and on the web.
So again, why not make that canonical identifier an HTTP URI? Because users will still see it and will get confused. But more importantly, the future should hold the promise of web users actually understanding the concept of a web account or identity and start using it directly.
Is this a New Idea?
Nope.
XRI attempted something very similar but with a lot more complexity (or, richness, depending on your point of view). One of the use cases XRI was trying to solve was the creation of an abstract identifier that can be used to identify individuals. However, XRI uses a completely new syntax (like ‘=eran’) which requires learning a new format and made it less attractive to most people than HTTP URIs.
Also, in the process of building the Google Social Graph API, Brad Fitzpatrick and the Google team came up with the Social Graph Node Mapper and the ‘sgn://’ URI scheme. SGN’s scope is greater than what the account URI is trying to accomplish, and those extra requirement force it to be less user-friendly. But it clearly shows that there is a need to identify individuals beyond what HTTP URIs offer, as they are widely used today across the social web. It also shows the complexity and customization needed to extract account information today.
Case Closed?
Far from it.
None of these arguments are enough to form a complete picture of what exactly this new account URI is. The reason is that we got here from trying other, easier options, and failed to get the desired result. So we are driven to this solution more out of lack of other options than a clear idea of how it answers all our questions.
I don’t expect everyone to like this idea. I wish I could say I love it, but I am simply content with it. But I am becoming more convinced that playing with an account URI and trying it out, even before we fully appreciate its meaning and operations, is the only way to move forward. We need an identity solution for the web, and we need to start somewhere.
What does it Mean to Click on an Account Link?
I’m not sure. We first need to decide if we want to bind the ‘acct’ scheme with a specific protocol like WebFinger, or to allow it to stand as an identifier that can be used with multiple protocols. ‘tel’ is an example of such identifier that can be used by many different protocols (you can dial it, use VOIP, etc.). I would like to see browsers perform WebFinger when faced with such an identifier and get back the public description of the account (just like in the finger protocol days), or something similar.
This is where all this experimentation is critical.
BTW, What does it Look Like?
For those interested in the proposed syntax of this new scheme, it will look something like this:
acct:username@host
It is compatible with enterprise account systems like Windows Active Directory and UNIX.
Hey Eran,
I’m glad to see innovation in this space, and I agree that we need to experiment and try it out. However, I believe in general that your arguments against using HTTP addresses are still pretty weak.
1) inefficient/unpredictable. – I agree that it’s inefficient for a site to have to do a lookup on every address just to determine that it is an identifier. However, you said “we can use discovery to define such a template for each domain, which is what we are proposing for WebFinger”. I like that a lot more. And with smart caching of results, the extra HTTP hit is not required for the vast majority of lookups (which will cluster among the top providers).
2) grandmas – really? I don’t think the average internet user has any concept of what “http” means other than “that junk in front of my website”. If we introduce “acct” it will just be ignored by most people. I’m hard-pressed to say that “acct://luke.shepard@facebook.com” is any easier than “facebook.com/luke.shepard”. I don’t think the readability can get much easier here.
3) context sensitive – I agree with your point, but I don’t see how it’s relevant. If you want the link to say the meaning, couldn’t you just add an attribute – like or some such? isn’t inferring semantic information from web addresses sort of bad – it seems like it violates some other principles of the way the web works.
Anyway, I’m really interested in your answers, this is an interesting discussion.
The main focus here is on identifiers that look like email addresses and in many/most cases will be email addresses. We need to give web users (i.e. grandmas) something they can use. But we also need that something to identify ownership and such of web resources.
In many ways this is the same never-ending debate on how to make OpenID usable as a global identifier, not just as an internal interop protocol to save developers time. We don’t have answers but we do have some ideas about what might work better. This is an attempt to be able to start the user discovery process with something other than a button or an HTTP URI.
As for your specific comments:
1. Inefficient / Unpredictable – it is not really practical to expect clients to grab a template and try to match a URI they find against it to find out if it is a URI. It is one thing to take parameters and apply them to a template. It is a completely different story to do it the other way.
2. Yeah, really! Users should never have to type in acct:… they should type in something that makes sense to them, like their email address. But in case they end up seeing that acct:, it should look like an email address and not an HTTP URI because that is a much better pattern for people. If we end up using this by asking people to manually type acct:something, we failed.
3. Inferring information from URIs is a bad thing, but that is limited to the authority specific part. URIs have clear structure such as the scheme and authority which you have to parse in order to access them. Having to extend basic facilities like links is not any better.
Note that I have expressed my dissatisfaction with the rational we have for minting this new URI scheme. We know we need a URI, and we know we don’t like HTTP URIs. We also know we need a better story to make all this useful.
Hmm, I don’t understand the advantage of using mailto: (or implied mailto:) and http depending on the kind of the account. The big mistake people make when they want to add a new URI scheme is that they want to represent a new way of using a relation, not a new relation. Apple’s feed:// disaster is the prime example. Should we be using image:// to link to images on HTTP servers? Obviously not.
It should be trivial to define a way to express in DNS how to map email addresses to HTTP servers supporting OpenID. We already describe in DNS (via MX records) how to map email addresses to SMTP servers and we already use SRV records to describe how email addresses (or email-address-like identifiers) map to XMPP accounts.
Frankly, I’m not sure why this hasn’t been completed and standardized.
> This doesn’t work for humans. Why? Because as pattern seeking creatures, we can immediately identify the syntax and it makes intuitive sense to us.
I’m really sceptical to this and I’m sure my non-geeky friends will not understand acct://3392830912@example.com syntax too. You identify this syntax because you’re a geek, my mom doesn’t make the distinction between a URL and an email adress… “merging” both is just more confusing to her.
I have updates the post to remove the // from the new URI scheme syntax based on the following feedback:
1. There is no relative path, the URI is always absolute.
2. There is no hierarchy, therefore no need for a top level authority.
3. mailto: and others have established a pattern that is more appropriate here.
4. Removing the // does not change the meaning of the identifier in any way.
5. The authority component is harder to internationalize than the path.
6. Using // seems to only benefit the spec writer in having to write less text.
The main question is, should we solve the two parts of this problem using a single identifier or two.
The first part is coming up with an identifier people will be comfortable using as an identifier for themselves. So far people are happy to use a username, screenname, handle, or email address. Not so happy to use an HTTP URI.
The second part is finding an identifier machines can use to associate a user account with web resources just like any other resource, link to it, describe it, etc.
While the second part is purely technical where the challenge is scalability and efficiency, and HTTP is a valid choice, the first part is very much up in the air.
This proposal reflects the current thinking of addressing both parts with a single identifier. Is that the best approach? I am not sure, but putting it in front of people is the only way to find out.
But I expect your mom to feel comfortable with just 3392830912@example.com. And I would also expect most people who are not geeks to simply block out the acct: part and focus on the someone@somewhere part.
Agree with David – I think the prevalance of phishing attacks demonstrates the general user confusion over web addresses. Many people just see “htt…….gobbledygookthatmakesitwork”. I think there’s a strong chance that something different – ANY different – from what they are used to will, if anything, make people confused. Obviously they can get used to it but still, it’s certainly not clear that this is a usability win.
It’s definitely worth structuring some user tests over.
Oh, just saw this. Yeah, removing // would be cool. Still need to define what happens when you click on it but it feels more lightweight already.
I don’t understand why a new scheme is needed. mailto: could just as easily be used as an account identifier – e.g. mailto:bob@accounts.example.com. It needn’t be the cause of additional spam problems, because servers needn’t actually accept e-mail to these addresses.
Because mailto: has a very well defined meaning and behavior in user agents and other software.
[...] back in the days. It’s chaining together some upcoming protocols, like XRD and the proposed acct: URI [...]
[...] its part, WebFinger has minted the new URI scheme acct: to denote a generic account. From this generic concept, the WebFinger protocol can be used to [...]
Interesting idea. I like the approach of applying finger and like the approach of using known-to-humans patterns like email addresses, which BTW are also, if I’m not mistaken by the Session Initiation Protocol (SIP) to identify (federated) users.
Check out this buzz thread:
http://www.google.com/buzz/dclinton/HeMv1AQTXS8/Envisioning-decentralized-replies-and
See also – “Why @ Is Held in Such High Design Esteem”, NYT http://www.nytimes.com/2010/03/22/arts/design/22iht-design22.html?partner=rss&emc=rss
“NEW YORK — The French and Italians have nicknamed it the “snail.” The Norwegians have plumped for “pig’s tail,” the Germans “monkey’s tail,” and the Chinese “little mouse.” The Russians think of it as a dog, and the Finns as a slumbering cat. [...]“
When will OpenID & OAuth comprehend that we have SOLVED yes SOLVED this problem?
Users LIKE our URLs and server DO get it!
We are still waiting whilst you ignore the ONLY solution but more and more people are already listing to us and all agree.
And what solution is that?
While probably not as deep into this from the developer perspective as most of you, I don’t see the value in providing a scheme that allows spammers, et al, free hints at my email address.
Currently I am unknown to many 3rd parties out there because I use an arbitrary account name rather than an email addresss as my identifier. If users are forced into using something like the acct:name@domain.com format doesn’t this give those 3rd parties a shortcut to being abe to harass me?
Of course, if the industry would step up and provide a proper spam prevention approach (validation of sender etc) then I as an end user would be more open to using some form of one of my email address (I’m assuming I would be able to use one of my various addresses depending on the need).
And pease don’t lump me into the “Facebook has shown us that using an email address is ok” crowd… since when did “mob rule” rule? The mob isn’t known for thinking clearly and certainly doesn’t have the ability to define technology standards for the rest of us.
I am currently using XMPP JIDs in an application that is not necessarily constrained to merely XMPP. I want to expose these user ids as a URI, and I feel “acct:” could be more appropriate than “xmpp:” in my case, even though the ids are only accessible via XMPP and we have no immediate plans to support WebFinger.
Is this acceptable usage of acct? It sounds like one part of the discussion is whether to tie it to a specific protocol or to leave it generic. I’d prefer generic, as I don’t think there is any other good URI scheme option for this otherwise.
BTW is this blog post the canonical documentation for the acct URI scheme? Any plans for a more formal spec?
Thanks.
You can. I have moved away from the acct URI proposal while others still like it. I have no plans for any more work to register it at the moment.