Gluu Blog


Part I: No TAX on Internet Security Self-Certification

Mike S. May 7, 2015


Note: This is Part I of a three part series. Part II and III are published here and here, respectively.

The OpenID Foundation (OIDF) recently announced a certification program.

“Google, Microsoft, ForgeRock, Ping Identity, Nomura Research Institute, and PayPal are the first industry leaders to participate in the OpenID Connect Certification program and certify that their implementations conform to one or more of the profiles of OpenID Connect standard.”

How was this elite group selected? Was it based on merit, contribution, level of patronage or simply opportunity?

A clear picture emerges from the meeting minutes. The board picked themselves and their best friends to participate in the initial pilot! Yay Board!

Unless I missed it, there was no notification or outreach to the community asking if anyone wanted to be in this prestigious pilot group that would capture the lion’s share of the press and media publicity. In the minutes, Mike Jones from Microsoft dutifully records on October 2, 2014 that “Don has created a draft workflow for self-certification and a proposed term sheet with Roland Hedberg and his university to create and deploy the conformance testing software. Don will also be visiting Microsoft, Google, and Symantec in the next few weeks and among other topics, will discuss certification with each of them. He has also already discussed it with John Bradley of Ping Identity.”

There are many such notes about further discussions regarding Certification pilot members. By October 29, 2014, the minutes note “several companies have expressed interest being among the first adopters, Forgerock, Google, Microsoft, Ping Identity and Salesforce.”

Of course Gluu has a gripe that we were not included in this group.

Gluu has been participating in OpenID Connect interop tests since 2012. These tests became the basis for the certification program. According to the tests in January 2013, the Gluu Server was the best OpenID Connect Provider (OP) implementation. Since that time, the Gluu Server has continued to test as one of the leading implementations.

Last year, Roland Hedberg, author of the current OpenID Connect certification tests (mentioned above in the meeting minutes), had this to say about the Gluu Server in one of Gluu’s press releases: “I see two main features that speak in favor of the Gluu implementation, it has passed all tests for compliance with the standard with flying colors, and it is one of the most complete implementations of OpenID Connect, making it a singularly useful tool.” Not surprisingly, Gluu’s current results are also quite good.

So despite being one of the most active partners for the real pre-release period of the certification tests, Gluu was excluded from the announcement. I also think MitreID Connect deserved to be given a chance to participate in that pilot. Justin Richer contributed greatly to writing the specification, and he wrote an implementation. In baseball, that would be like pitching and getting an RBI!

In my discussions with the OIDF board members, the justification for the select group of participants was to limit demand on the developer, Roland Hedberg. It took Gluu years to develop its OpenID Connect Provider. It’s hard to believe that a deluge of OpenID Connect Provider implementations will arise and drown the OIDF in self-certification requests. If high demand was a concern, then why is there no mention of resource bandwidth concerns in the many discussions recorded in the OIDF minutes about certification?

But it gets better. After reading the minutes, I had another realization–the reason for the certification program is to force membership in the OIDF. In fact, at first Don Thibeau, the Executive Director at the OpenID Foundation, wanted to use OIDF conformance testing to force registration in both the OIDF and the OIX (the “Open Identity Exchange”), a related organization he also runs. It was like a two-for-one! However, the OIDF board pushed back. Google even expressed concern about the OIDF membership requirement, and asked whether the OIDF would eventually relax the membership requirement.

There also seemed to be some concern about charging for the certification. Ping Identity suggested that a very small fee to financially validate the entity would add value to the program. In subsequent meetings, Ping said they thought there should be no fee for a self-certification program. Kudos to Ping… However, these concerns did not stop the plan to use conformance testing to force OIDF membership. So while the board might maintain that there is no fee, there is clearly an intention to require membership.

Even non-profits need to have a sustaining business model. Certainly, some for-profit companies, like Nok Nok Labs, charge for standards certification. And the allure of OpenID Connect is its massive applicability. So I don’t blame the leadership of the OIDF for perhaps wondering “wouldn’t it be great if everyone who wants to show their product is OpenID Connect compliant would pay a small fee for the privilege?” The minutes clearly indicate a thought process where membership will be required for certification, or a fee equal to the membership fee will be assessed to non-members.

It’s a brilliant plan: MSFT and Google reap most of the savings, since their massive scale means they arithmetically have the most to gain from security costs going down. And the OIDF gets funding to make sure most of the intangible benefits (like press opportunities) are routed back to the mother ships.

The OIDF asserts that I see a conspiracy where none exists. That’s just the way it is, and we should accept it… But it is obvious to me that the OIDF’s mission should be to serve the community, not the executive director, or the corporations who occupy the board seats.

Now I know why I wasn’t elected to the OIDF board. Imagine what a pain in the neck I would have been, asking all these questions. Frankly, I wonder why we need a dedicated organization, like the OpenID Connect Foundation, for a few specifications. The IETF, OASIS, Kantara or the W3C already have more generic missions.

What is the OIDF board’s advice to Gluu? Simply renew our corporate membership.

So the OIDF’s plan to generate publicity is a success. And now they want to test their business model–that the certification program will drive memberships, starting with Gluu. Our feedback is simple: Gluu will not pay your tariff.

In many ways the future of the Internet is the future of security. Based on this last experience, I am starting to question whether the OIDF has shown that it is up to that responsibility. If their intention is to increase the quality of OpenID Connect implementations in order to increase security on the Internet, then I applaud them. But right now, I choose not to pay to participate until my concerns can be addressed.


Mike Schwartz

Mike has been an entrepreneur and identity specialist for more than two decades. He is the technical and business visionary behind Gluu. Mike is an application security expert and has been a featured speaker at RSA Conference, Gartner Catalyst, Cloud Identity Summit (now "Identiverse") and many other security conferences around the world.