Mitt Romney, whether he knows it or not, now has stature, and to some extent speaks for the United States. His prestige is approximately that of the Vice-President, Secretary of State or First Lady. The role he plays overseas is very different from the one he plays in the US. Here he's allowed to be scrappy and highly critical of the President. That's our system working, as long as he's being truthful, and of course that's been a problem.

Overseas, we're all on the same team. It's about keeping the country strong, and that's something Romney believes in, if you take him at his word. If a foreign leader were to get the idea that he or she could choose who they negotiate with, then the US is only one half as strong as it would be if there were only one go-to guy. If 25 people have equal power, then each represents a country with the sway of a third-tier power. Gone is the power and prestige of the United States.

The only way it works in favor of the United States is if we are united. Work out our differences here, and all our power will be represented overseas. But we only have one President at a time. And if you're playing on our team, you have to respect the wisdom of that rule.

Romney, overseas, should do what he does so well -- smile -- and say nothing. Wave, shake hands, privately make $10K bets on trivial stuff, slap people on the back, and promise to pass the message to the President when he gets home.

PS: With future candidate trips it might pay to send the sitting Secretary of State along with them, in case any of the world leaders want to talk business.

PPS: Do you think Romney will stop in Afghanistan?

 7/26/2012; 11:06:42 AM.

Even if you're not "technical" and don't understand what OAuth is or how it works, you should still read OAuth 2.0 and the Road to Hell, because it is a historic moment, and unusually well documented.

I always talk about the cycles of tech, and this is a perfect illustration of a moment when things turn, what we call in math an inflection point. Hammer was the driving force behind OAuth 1 and 2. There's always someone who plays that role in any successful new layer of technology. My guess is that he'll never play exactly that role again, having learned about the moment when BigCo's step in and take over, and seeing what they do with a basically good technology that offers a level playing field. They always try to subtract the level-ness. They don't have to do it, but they always do.

I remember once clearly in the early days of the web, having been invited to chair a panel at the Seybold conference. I forget what the topic was, I'm sure it had to do with some open technology. So I invited someone from Apple, Steve Zellers. And two people from other big companies. Zellers, who I've known for many years was respectful, but the two big company guys wouldn't take my questions, and just conversed between themselves on stage as if no one else were there. I let them go on, because what they were doing was a far better illustration of politics in tech than anything we could have talked about.

I remember thinking these are two little people who work in big companies. Inside those companies they must be treated like shit. But out here, they expect deference. I've seen this a lot too. People who have little or no sway inside their big companies throw their weight around outside. No one inside cares, because the rest of us matter even less to them.

Moral of the story, which the industry as a whole will never recognize, but individuals can -- is that when an interoperable spec falls into your lap, say yes. That's what I did with Netscape's work with RSS. I had my own format that I created to perfectly fill my need. But no one else was supporting it. Along comes Netscape's imperfect format, with support from a dozen publishers. I had already learned, in 1999, that has more value than a format that's a better fit. So deprecate your own work, and accept the interop. It worked remarkably well. I'll always take that approach, if given a choice.

So I urge you to read that document, even if you don't understand the nouns -- I don't understand many of them myself -- the verbs and adjectives, the human exasperation and fatigue are what's important. Here's a guy who has learned a big lesson, and we all can learn it along with him, without having to go down that path ourselves.

 7/26/2012; 10:26:27 AM.

If you haven't read OAuth 2.0 and the Road to Hell, stop everything now and go read it. The author, Eran Hammer, compares the OAuth 2.0 process to the WS-* process which was my own personal hell for a few years.

Obviously OAuth 1 and XML-RPC are comparable. I have implemented both. I think XML-RPC is simpler, but both specs can be implemented by a single person in a few days. With XML-RPC you got a lot of interop for that work. I've only tried my OAuth implementation with a small number of providers, but it generally works pretty well.

Then came SOAP. Where interop was very unlikely without profiles. It would be like throwing a penny out the window in Manhattan and hitting a fire hydrant in Queens. Yeah sure if the wind is blowing right you might hit the Queens hydrant. But it's not really very likely. And that was the point of SOAP. Enterprise developers could say they were conforming to the spec without all that messy interop. Sun and IBM were the two main culprits there, although I'm pretty sure Microsoft had people in the process who liked incompatibility. And once that ball was rolling, all kinds of assholes piled on. What started out as a beautiful idea and simple protocol turned into such a prolific nightmare that to this day people cite it as the canonical disaster of a standards body run wild.

Believe it or not there are people who see interop as a bad thing. It interferes with their business model, which is getting dumb customers to pay them big bucks to deliver the interop that the simple specs deliver for free.

I thought OAuth 2 was a bad idea when I heard about it. I thought it was even worse that they were calling it OAuth 2, because that would hurt OAuth 1. I had a stake in it because I had already implemented OAuth 1. Pretty sure I said something about it, but I got a pat on the head saying "You don't understand, this is going to be just like OAuth 1 but much better." Uh huh. Where have I heard that before?

So now that community has to try to put it back together. Obvious leadership could come from Facebook, which as far as I can see, drove the move to 2.0. Seems it would be fair for them to also implement OAuth 1 now, and let's do some interop testing to make sure it works with Twitter's implementation. Then everyone else will have a solid base to shoot for. And an end to the confusion about what the future holds. Let's forget about OAuth 2.0. Let the IETF have it. Pop the stack and let's move on.

I'm saying this as an outsider, with no knowledge of the politics, which I'm sure is quite intense. I don't care. We do need a standard here, and it seems to me there is one. OAuth 1.0. If I had a vote I'd go with what Twitter implemented.

BTW, I wish Yahoo had stood their ground and said that the Flickr implementation, which all this stuff is patterened after, was "good enough" and everyone should just STFU and interop with that. I had an implementation of that protocol many years before all this michegas happened. It still works.

 7/26/2012; 8:22:32 AM.