Aaron Parecki

I’m a little confused, how do chickens identify me? Do we paint the eggs?

If you are the chicken, or the egg, you can eliminate a chicken and egg problem by building some tech. But in a distributed identity system you’re just a farmer who doesn’t yet have any chickens or eggs or a place to get them.

1. Big provider builds popular service (Facebook, Gmail) 2. Apps want access to data in big provider in exchange for your privacy 3. Big provider offers “Login with big provider!” buttons and API 4. Apps adopt buttons. Demand existed on both sides, and the bigcos invested first.

Do you have an idea on how did oauth2 find "a way around the chicken and egg problem"?

There’s an apt analogy there. Think how many people are capable of deploying “WireGuard” (or IPv6) vs how many can install “tailscale.” Orders of magnitude! It’s not because we have tons of money (we don’t). It’s because we really really hate chicken and egg problems.

on the first part, kinda like what tailscale is doing? : )

I don’t want it to be “possible” though. That’s such a low bar. I want real people to actually be able to use it, internet wide. Oauth2 won because it found a way around the chicken and egg problem. Doesn’t matter that it sucks. That didn’t affect its adoption.

Imagine you want to share the invite list to a party with a new acquaintance. Would you be more comfortable sharing 50 identifiers if they're people's personal email addresses, or their personal URLs?

It's not impossible to use email address as identifier, many sites do that. I think URLs have a property that makes them a better identifier: they don't forcibly bundle a means of contact (or spam) into the identifier itself. People can still volunteer it at the given URL.

That's where Brad's webfistbump comes in handy: onebigfluke.com/2013/06/bootst…

That hasn't been true for years. Browser vendors are pushing new features that they want or think will be helpful. Here are some examples: github.com/WebKit/explain… See also all the Twitter threads of people getting angry that Chrome implements something before it's standardized.

That creates a chicken-and-egg problem: browsers won't adopt it unless it's popular. It won't be popular unless browsers adopt it. Chicken-and-egg problems create usually-insurmountable barriers to adoption.

Why is entering an email address less work than entering a URL? What I'm saying is browsers could have an "account chooser" UI to save a URL and enter it in the login field.

If login were automated like credit card forms, it would fail about 50% of the time and need me to enter a page full of unnecessary personal information by hand. That’s not a good model. Why not let me enter an email address instead? That has a domain in it.

That problem can only be solved by browsers. Right now, most of the time the browser autocompletes my URL because I've entered it enough, so I'm not actually typing it out. With any amount of thought, browsers could automate that just like credit card payment forms.

Neat! Seems to still have the URL pasting problem though. How is that UX different from openid, which users didn’t like?