Thursday, May 12, 2011

The Status Quo of OpenID development

Preceding the IIW12, the OpenID Summit took place at the World Headquarters of Symantec in Mountain View, California.
Considering my prior interest in OpenID and its future layering on OAuth 2.0 (next to UMA!!), I was very interested in the Status Quo of OpenID development.
This Summit, presented by the OpenID Foundation, as part of a 2011 series, focused on 'Balancing Security and the User Experience', very interesting for me as a tester.
Through 4 sessions (3 panel discussions and 1 presentation) the attendees were stimulated to think about and discuss the present state of OpenID, the changing authentication protocols, the best practices and also the monetization (making money) of identity without traumatizing the customer.
Especially the latter is important, because of the adoption of OpenID and other identity protocols by enterprises and governments. No business case means no assurance of a possible Return on Investment, resulting in NO adoption by enterprises or government.
A business case alone is, in my opinion, still insufficient, because if the OpenID protocol is crap, no customer wants to buy it.
Well, you might guess what my question was: Why not involve testing in the OpenID development lifecycle from the beginning, the specs, to improve the quality?
After all, I have done this for the UMA protocol last year, and the UMAnitarians are very happy with it. Reactions to this from the OpenID Summit were positive; let's see what happens in the coming weeks.
But let's get back to the OpenID Summit. I won't give elaborate descriptions of how the panel discussions went (see the link above for more info and the panel members), but I will highlight some.

The first panel, chaired by Nico Popp, our Symantec host, discussed the changing authentication protocols like strong authentication, One Time Passwords (OTP) and PKI (smartcards), but also identity proofing, biometrics and risk-based authentication (especially banking!) were addressed. Next to this, the different levels of authentication were explored.
I thought it described the evolution of authentication protocols and was easy to follow if you had some knowledge of authentication.

The next session was done by the OAuth pros: Mike Jones, John Bradley and Nat Sakimura.
They gave us an insight into the Status Quo of OpenID development.
Next to the work done on JSON and JWT chain representation, especially the OpenID ABC framework and OpenID Artifact Binding were discussed. Very nice, because that's what I came for.
Regarding the rapid development of mobile phone authentication, more use cases will be made to extend the OpenID development here.
Well done guys, I'm up to date again on the OpenID development.

The third session was all about best practices and chaired by Eric Sachs from Google.
Especially the authentication of web 2.0 apps was discussed, and especially the minimal scope of the parameters of an ID check. I think they were Name, Email and Photo.
Also discussed was the combination of OpenID and the HTTPS protocol to ensure a secure exchange of data. Facebook, for instance, now gives its customers the opportunity to use this protocol.
But still a lot has to be done here to ensure a good functioning of the OpenID protocol.

The last session, hosted by Don Thibeau, featured investors interviewing technology leaders about investing company money in identity, and technology leaders interviewing investors about venture investing in identity companies. Bottom line here was: is there an investment opportunity in identity management or online privacy? NO.
It still needs a well-defined business case and certainly won't give profits in the short term, although these aren't excluded in the long term.

Well, that was for me the OpenID Summit May 2011: I learned a lot, had good pizza for lunch and went home with the feeling that OpenID development is ongoing, although it needs a good business case and a critical look from a tester's point of view.
OpenID Foundation, Symantec and Google, thanks for a great day!

The next blog will highlight my days at the Internet Identity Workshop 12 last week.
