Join the Season of the Stars Remix Event!
skip
Home » Forums » Features » OpenID - I think

OpenID - I think

victor
.
permalink   Wed, Mar 25, 2009 @ 10:11 AM
We don’t get crazy big numbers here at the site, but we are very, very healthy. The vast majority of visitors (around 98%) are not registered users. They are just folks listening to music and generally lurking about.

With the advent of OpenID (read about it at wikipedia, home page), users don’t have to “create an account” to log in to sites, they just have to “log in” and away you go. CC is even an OpenID provider (for a small donation).

I think the right thing to do is enable OpenID as a way to enable access to features currently reserved for folks with a “real” account here.

I’m a little nervous about giving uploading rights to OpenID accounts, but I think that’s for me to let go and just let it fly. I think.

The fact is, anybody today can register a bogus account at yahoo! or hotmail and sign up here at ccMixter to create havoc (many have done just that). I wish I could say OpenID adds a layer of accountability but, in reality, I don’t think it does.

It took me less than 3 minutes at http://claimid.com to create an openid account that gives me anonymity across the web.

What it does do (I hope) is allow for any of 150 million OpenID users ability to quickly recommend and review music here at ccM. It also allows them to jump in and (hopefully) be helpful in forum discussions.

My ultimate hope is that we can chip away at the 98% of folks who are just lurking, many of whom obviously love the music here, and give them a way to participate.

Thoughts and feedback would be helpful…

VS
teru
.
permalink   Wed, Mar 25, 2009 @ 11:54 AM
Being totally pessimistic, I dread the idea of moderating uploads and comments by OpenID users. But I guess it may be a good idea to reach a happy medium somewhere between totally anonymous and what we have now.

How about to start, OpenID log-in can be used for recommends and creating playlists?

A “real” account is required for comments, uploads, etc..

*just off the top of my head. Haven’t thought too deeply about this yet. : )
spinmeister
.
permalink   Wed, Mar 25, 2009 @ 1:38 PM
If this is worthwhile depends very much on the self-image and going forward objective of ccMixter.

At the very least, there’s the basic question if ccM should be trying to grow into a large inclusive community or if it would be better off to remain a smaller group.

I’d be totally happy with either model (each is interesting in its own way), but sudden growth might have implications:

With larger numbers of content creators (sounds and/or words) come associated issues like increased moderation demands as teru mentioned. And some of those have different implications, like for example moderating comments vs. moderating uploads. All of these are solvable, but probably end up having technical as well as people/time implications. (e.g. additional moderators, a distinction between different levels of admin access etc.)

If the addition of OpenID ends up leading to an avalanche of new users and resulting moderation needs, it might require a relatively speedy addition of moderators and thus possibly the addition of a more granular security system with roles?
victor
.
permalink   Wed, Mar 25, 2009 @ 2:01 PM
just so we’re all on the same page, here are some caveats:

- There are currently 3 roles in ccH, anon, user and admin, plus ‘editor’ which is a total hack. Other than that, ccHost (the underlying code of ccM) does not have a very flexible model for ‘roles’ of users. This is a non-trivial undertaking (a couple of weeks of dev, a couple weeks of bug shakeout). In the past, the rationale has been to keep things simple for ccH admins. Managing roles can be a big time suck.

- Unlike other areas of developing the site, I don’t know much about implementing OpenID here, I’ve poked around a little and think I get the basics, but that’s never enough in the real world.

So the way it works is that I would first have to tackle the issue of ‘roles’ in ccH in general, and then layer the OpenID thing over it in order to segregate OpenID users. Not unthinkable, and, as spin points out, is likely a necessary step if our user base kept a sustained spike when managing roles is trivial compared to managing the moderation of uploads and topics.

Here’s another thing to think about: I don’t have the exact count but a huge amount of registrations fail (maybe as high as 1 in 10 or 20, I don’t know for sure) because their mail accounts bounce the confirmation mail. Now, some percentage of those are people trying to hack in, but I suspect many are legit musicians who have mailboxes that don’t like the CC server. Having “same as native” OpenID accounts as an option alleviates all of those issues.

I prefer not to have this thread spin off into a discussion about extending our current model for user roles in ccH — unless of course, the consensus is that enabling OpenID accounts simply doesn’t make sense without it.

VS
 
.
permalink   victor Wed, Mar 25, 2009 @ 2:03 PM
as I hit send, of course, I realized I lied - there’s actually another level of admin (super-admin) who has the privilege of restricting URL/commands to one of the other user types
 
.
permalink   spinmeister Wed, Mar 25, 2009 @ 3:44 PM
yeah, I thought it might be non trivial to insert more of an ACL model into the ccHost code. Security programming and administration is always a major pain in the neck.

But I don’t know of a way around it for larger user communities. So my point isn’t just about OpenID, but about anything that would dramatically grow the number of content submitting users. — Same issue would arise, if you appeared on the Colbert Report ;-)

So I’m not necessarily saying that OpenID will bring on such an onslaught of new content submitters, but if it does …

On a philosophical level I’m cautiously in favor of user-id’s which can be re-used. And I most certainly prefer an open system over something under the control of one of the evil empires.

While it may seem to make it easier to create an id on many sites for spamming or other nefarious purposes, it also makes it more costly to misbehave after establishing a credible persona under a specific id. i.e. if you blow your credibility on one site, it becomes more likely to have negative side effects for the entire underlying id.
 
.
permalink   victor Wed, Mar 25, 2009 @ 4:04 PM
Quote: it also makes it more costly to misbehave after establishing a credible persona under a specific id

here’s the bad news and I could be totally wrong about this, b afaik: there’s nothing stopping me from creating 1,000 openids, one for each site I want to spam. the overhead may actually less than creating a hotmail account.
 
.
permalink   spinmeister Wed, Mar 25, 2009 @ 4:47 PM
I haven’t thought this through, but I’m not sure if that would be a “productivity” improvement for the spammer.

But of course predictions in the topic of spam are hard to make.
MC Jack in the Box
.
permalink   Wed, Mar 25, 2009 @ 2:45 PM
i’ll just add a bit of 2 cents in non-technical terms….

i think teru brought up a good point regarding moderation, but i’d say the biggest time drain would be having to moderate uploads which might use unlicensed source, or more specifically commercial source which shouldn’t be used. it’s hard enough to track that kind of thing down, and we seem to rely on others to point stuff like that out where it’s applicable (as a flag for instance). with registered users, admins can contact a guilty party and discuss an issue with source or samples. With an OpenID submission, I’m guessing the only option would be to delete the track.

we can’t have too many recommends or comments on tracks, so i’d be all for opening that functionality to OpenID visitors.

the other thing i’d be slightly concerned about is if you don’t need to register to utilize the functionality, will that seriously reduce the number of registrations? this could also be both a good or bad thing, depending on the view (as spin pointed out).

so in conclusion, i’d be all for offering some degree of OpenID functionality (recommends, comments) and limiting others (uploads) to registered users.
 
.
permalink   victor Wed, Mar 25, 2009 @ 4:21 PM
let me get technical one more time:

nothing interactive happens at this site without a “registered account” - no matter how the account was created, there is no recommends, reviewing, playlist making, anything without a record in the users’ table.

If someone “logs in” with an OpenID that I’ve never seen before, I would have to create an account for that person (or at least associate it with an existing account) to enable anything. The idea that there is such a thing as an “OpenID account” is something we invented in this thread. More accurately it’s “a ccM account, created using an OpenID”

So really, what we’re talking about here:

- what are the implications for allowing accounts to be created via OpenID vs. our current “ping the mailbox confirmation” scheme ?

- if an account is created using the OpenID method should that be flagged and treated differently than through our current means?

As a data point, it might help the discussion to note that 95% of time spent on “moderation” (chasing away bad, lame, ignorant folks) can be accounted for by %0.01 of users.* I have my doubts that statistic will change in the near future if we allow account creation via OpenID.


*these are totally made up stats - it should be treated with the “fourstones rule of half” which says if you halve or double the numbers in the claim and it’s still f*cked up, then the numbers are valid.
 
.
permalink   spinmeister Wed, Mar 25, 2009 @ 5:01 PM
wouldn’t treating OpenID triggered accounts differently be a bit of a mess to program, troubleshoot and understand for users? Almost similar complexity to having a moderator group?
 
.
permalink   victor Thu, Mar 26, 2009 @ 1:14 PM
exactly like having a moderator group - I would first expand the user/roles code, then treat the OpenID generated accounts as a ‘role’.

The more we discuss it however, the more I think it’s a mistake to treat it differently. If a musician shows up with an OpenID I can’t imagine what hoops we’d have to jump through to “approve” the account for uploading. I definitely don’t want to punish that musician for having and using an OpenID.
 
.
permalink   spinmeister Thu, Mar 26, 2009 @ 1:32 PM
Quote: fourstonesThe more we discuss it however, the more I think it’s a mistake to treat it differently.
yeah - I couldn’t think of a good reason to go down that road either or any other good system to have been implemented that way. The idea of id’s being managed by external systems, however is quite common.

i.e. keep a clear separation of the concepts of authentication vs. permission.
 
.
permalink   teru Thu, Mar 26, 2009 @ 2:34 PM
Thinking a bit more about it, would OpenID really attract that many more users? I think we need to keep in mind a lot of people just want to enjoy the music and we should remain thankful for that without pressuring anyone to participate.

IMHO lurking is a not convenience issue. It is more of a commitment issue. If someone checks things out here and really likes it, I think they would eventually sign-up and get more into it. OpenID or not.

Personally I know I have the option on a lot of other sites, blogs, etc.. but I find myself registering if I think something is worthwhile. I find I use OpenID mostly when I just want to leave a comment or two and probably never go back to that site again.

Also, if someone is not willing to take the time to sign-up, would they take the time to familiarize themselves with the Terms and Conditions of this site and the CC licenses?
 
.
permalink   victor Thu, Mar 26, 2009 @ 10:59 PM
it’s great how you use it but I think the target scenario for the initiative, overall, is to use it when you register at new sites.

fwiw, you are in fact “creating an account” at those sites when you log in with openid.

and the last thing I want to do is pressure anybody, I want to relieve their guilt lol