At RWW, Marshall Kirkpatrick describes yet another open identity effort, not surprisingly from a coalition reacting to a popular but uncooperative service. And again it is Facebook inspiring this latest competitive, open specification.
I had to visit the specification section of the XAuth site to understand how it differs from OpenID and OAuth. The main difference appears to be that this protocol is designed to allow sharing between multiple social services and multiple third party sites without creating an N-by-M mess of code and behind-the-scenes requests. It takes a page from the PubSubHubbub (PuSH) spec, using a third party hub (in XAuth's case a page served from xauth.org and loaded in the user's browser) through which "extenders", the service providers, and "retrievers", the client sites, communicate instead of talking to each other directly. It has management capabilities similar to OpenID's but lacks even the simplistic identity sharing capabilities, at least in the spec itself. I find that a bit of a step backwards in terms of more easily distributing and managing my social identity.
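To make the hub, extender and retriever roles concrete, here is a small in-memory model of that arrangement. This is an added example written for this post, not the XAuth library or its API; the operation names (extend, retrieve, expire), the per-extender allow list of retriever domains, and the expiry field are assumptions drawn from my reading of the spec, and the origins and tokens are made up.

```javascript
// Illustrative model of a browser-side XAuth-style hub. The Map stands in for the
// hub origin's storage; extenders and retrievers are identified by origin strings.
// This is example code, not XAuth's library; the method names and the "extend"
// allow list are assumptions about how the spec's roles fit together.

class AuthHub {
  constructor(now = () => Date.now()) {
    this.now = now;                 // injectable clock so expiry can be tested
    this.store = new Map();         // extenderOrigin -> { token, expire, extend: [...] }
  }

  // An extender (a social service) registers a token after the user signs in.
  // `extend` lists retriever domains allowed to see it; "*" means any retriever.
  extend(extenderOrigin, { token, ttlMs, extend = [] }) {
    if (typeof token !== 'string' || token.length === 0) {
      throw new TypeError('token is required');
    }
    if (!Number.isFinite(ttlMs) || ttlMs <= 0) {
      throw new RangeError('ttlMs must be a positive number');
    }
    this.store.set(extenderOrigin, { token, expire: this.now() + ttlMs, extend: [...extend] });
    return true;
  }

  // A retriever (a third party site) asks which of the named extenders the user
  // is signed in to. Only tokens whose extender opted to share with this retriever
  // are returned; expired entries are purged on the way.
  retrieve(retrieverOrigin, { retrieve }) {
    const result = {};
    for (const ext of retrieve) {
      const rec = this.store.get(ext);
      if (!rec) continue;
      if (rec.expire <= this.now()) { this.store.delete(ext); continue; }
      if (!rec.extend.includes('*') && !rec.extend.includes(retrieverOrigin)) continue;
      result[ext] = { token: rec.token, expire: rec.expire };
    }
    return result;
  }

  // The extender removes its token on sign-out.
  expire(extenderOrigin) {
    return this.store.delete(extenderOrigin);
  }
}

// Constructed scenario: two services, two client sites, one of which is not on
// the second service's allow list, followed by the clock passing the expiry.
function demo() {
  let t = 1000;
  const hub = new AuthHub(() => t);
  hub.extend('social-a.example', { token: 'tokA', ttlMs: 60000, extend: ['*'] });
  hub.extend('social-b.example', { token: 'tokB', ttlMs: 60000, extend: ['news.example'] });
  const both = ['social-a.example', 'social-b.example'];
  const seenByNews = Object.keys(hub.retrieve('news.example', { retrieve: both })).sort();
  const seenByShop = Object.keys(hub.retrieve('shop.example', { retrieve: both })).sort();
  t += 60000;
  const afterExpiry = Object.keys(hub.retrieve('news.example', { retrieve: both }));
  return { seenByNews, seenByShop, afterExpiry };
}

console.log(JSON.stringify(demo()));
```

The thing to notice is where the sharing decision lives: entirely in the list each extender hands to the hub. A retriever never negotiates with the service itself, and the user has no say at the hub; whatever the social network chose to put in that list is what every client site can learn, including the bare fact that you are logged in there. That is the same single point of trust the author is uneasy about in the paragraphs that follow.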
I am inferring that XAuth does, or will eventually, provide access to your social graph on an extender service. Kirkpatrick states that it will allow third party sites to request information about you from participating social networks. It is unclear from the spec page how this will work in practice, unless it is meant to act like a combination of OAuth and OpenID, where a single authentication both logs the user in and establishes trust between the service provider and the client site. I wish the project page made that clearer, though going by the examples Kirkpatrick shares, it has to be close to the way things will work.
If my theory is right, the social networks will be responsible for wiring XAuth into their existing account settings. I don't find that prospect either attractive or confidence inspiring. Sure, if the specification tried to be too prescriptive about what implementers have to do, it would risk sluggish adoption. However, giving the providers a freer hand makes it more confusing to users about what will and will not be shared, or even whether one of their social networks is participating in this system for third party info sharing at all.
As I always do with these efforts, I have to ask why existing technologies were not deemed good enough for the task. Both OpenID and OAuth have had more time to bake and to address not just the privacy issues the XAuth backers concede in talking to Kirkpatrick but the security issues a larval spec like this is inevitably going to exhibit. I get that OpenID and OAuth won't scale well across a cluster of interacting sites and services, but an incremental addition of a central hub to those protocols would seem less risky than building yet another spec from scratch.