[OpenID] [OpenID board] OIDF "OpenID Compliant" Program -- WAS: Perceptions of OpenID

Pat Cappelaere pat at cappelaere.com
Wed Jan 7 12:43:22 UTC 2009


Chris,

Automated testing & validation is a good idea.  This will help the  
smaller organizations with deploying good implementations.  We do have  
people that can really stress the software and could guide us towards  
the best of breed while keeping it as simple as possible.
At the Open GeoSpatial Consortium, we do have a Compliance &  
Interoperability Testing & Evaluation Initiative (CITE) that works in  
a similar manner http://cite.opengeospatial.org/

Pat.

On Jan 7, 2009, at 1:49 AM, Chris Messina wrote:

> Rough thoughts while I was on the plane back from Hawaii yesterday:
>
> certification only works with carrots and sticks. why would someone  
> want an "openid certified badge"? today it'd be meaningless. needs  
> to be something people strive for -- instead of just installing the  
> libraries. the "Validation" buttons from W3C have gone out of style,  
> like "Get Firefox" buttons. those kinds of campaigns won't work the  
> same way they used to in 2005. maybe as a transitional step to raise  
> awareness, but we should consider how many teeth we want this baby  
> to grow.
>
> we do need an openid directory though -- where can you use your  
> openid?
>
> it should come with a battery of automated tests ... auto-signin  
> with a robot OpenID... and perform discovery, oauth, ax, SREG... on  
> the directory page for that openid, we would list these features and  
> perhaps providing voting/reviews/support requests/feedback... etc...  
> work with get satisfaction on this?
>
> this tool would basically be a suite of tools useful for devs to  
> test their openid install. it would simulate lots of different  
> openids -- XRIs, HTTPS, EAUT, etc, with scores on speed, etc. could  
> also report "you could add an SREG/AX request to get user data like  
> "name, username, email" etc to demonstrate what else can be done  
> with openid.
>
> offer guidance on account recovery with openid.
>
> offer suggestions on merging existing accounts.
>
> this would be aimed at websites-at-large rather than corp/edu/gov  
> institutions (let them be jealous)
>
> tie in with demand.openid.net -- as sites pass tests, we should  
> notify those who have made demands of certain sites to support  
> openid ("Hey guess what? site X that you wanted to support OpenID  
> now does!"). now there's market benefit to adopting openid and  
> joining this program -- rather than putting a button on your site,  
> you're getting early adopters/enthusiasts to come back to your site  
> to use their openid.
>
> it's like telling visa customers a new store that now offers visa  
> (paypal has a good model for this).
>
> ...
>
> In general I think the idea has legs -- but I think it would require  
> management, oversight and direction. There have been some efforts in  
> the past to do this, but it's really costly to maintain. I feel like  
> some of the folks who have suggested that we need to "get real" are  
> referring to ideas like this -- certainly appropriate and good...  
> but I think we have more housekeeping to do -- i.e. making OpenID  
> STUPIDLY SIMPLE to setup and maintain -- before we go about  
> certifying folks. Otherwise we'll end up looking foolish -- because  
> certifying folks could break or be brittle on the basis of our code  
> not working!
>
> So, I'd approach this in a stepwise fashion -- let's collect the  
> idea, but let's wait on it until we know that 94% of site developers  
> can get the basics up and running first.
>
> Chris
>
> On Mon, Jan 5, 2009 at 7:32 PM, Nat Sakimura <sakimura at gmail.com>  
> wrote:
> For the details, I need to evaluate more, but it has been my opinion  
> that there should be this kind of program. This is also closely  
> related to the trademark issues, IMHO, and it is one of the things  
> the new board should tackle very soon. Also, it has some  
> consequences against IPR policies. In general, vendors would not like  
> the fact that their product failed the test, and that is very  
> understandable. So, confidentiality type of IPR should be needed to  
> be defined.
>
> =nat
>
>
> On Tue, Jan 6, 2009 at 8:20 AM, David Fuelling <sappenin at gmail.com>  
> wrote:
> One of the major concerns raised in Chris' blog centered around  
> Interoperability -- (Summarizing): "OpenID's don't work on all sites  
> in the same way (if at all), and the Foundation isn't strong enough  
> to make this happen, since OpenID is such a distributed idea, so  
> users aren't likely to embrace OpenID..."
>
> However, it seems like the OIDF could solve this problem by  
> introducing an "OpenID Compliant" program, with a linkable Image  
> that implementors can advertise, and that end-users can click on,  
> taking them to openid.net, with information about the particular  
> implementer's "compliance" measurement -- e.g., "This RP/OP passed  
> various automated openid.net tests with this particular score".
>
> Such a mechanism would be a useful debugging tool for openid  
> implementors (OP's, RP's, and Libraries), and could be a nice tool for  
> end-users to both a.) figure out which OP supports openid the best,  
> and b.) See that a particular RP's openid implementation is broken,  
> not the openid protocol itself.
>
> The incentive would be for OP's and RP's to want to advertise the  
> "seal", and thus to offer "working" versions of OpenID.
>
> Automatic Verification Process for RP
>
> 1. RP developer creates an account on openid.net, and clicks the  
>    "verify my RP" link.
> 2. Various info is collected from the developer, perhaps payment, and  
>    an RP URL that adheres to a certain set of "testing  
>    parameters" (i.e., a single login form with a standardized button  
>    name, etc, for testing purposes -- this would not be the actual  
>    login form, but would use the same libraries, and would allow for  
>    automated testing).  Alternatively, the end-user could supply these  
>    button names to openid.net (enabling steps 3 and 4 below)
> 3. Openid.net-based software would simulate various OpenID logins, with  
>    the OP being served from the same domain as the claimed identifiers  
>    (i.e., openid.net).  This way, no real-world user interaction would  
>    be required to test the OpenID flow since user-agent and OP would be  
>    the same (for testing purposes).
> 4. Various extensions could be tested for support -- such as Sreg, AX,  
>    etc.  Again, there would need to be a standard way for an HTTPClient  
>    (simulating a web-browser) to easily gather this data from the RP  
>    web-page for verification -- again, part of the verification process.
>
> Automated Verification/Testing for OP's would be similar, except the  
> software running at openid.net would merely simulate an RP talking  
> to the implementor's OP (and could also test for sreg, AX, etc).
>
> Such a verification process could require a series of standardized  
> UX pages that would only be used for these tests (not used by actual  
> customers/websites).  Alternatively, more sophisticated software  
> could allow the implementor to specify the name of key pieces  
> required for the test (e.g., by button's name is "submitButton", etc).
>
> OpenID could even exercise these automated "test" pages  
> periodically, to make sure that an RP/OP maintains protocol  
> compatibility.
>
> Of course, this idea would require some custom software funded by  
> the Foundation, but such a program would have a lot of benefits,  
> especially from a marketing perspective (with a side-benefit of  
> helping libraries and implementations become "compliant" and  
> "interoperable").
>
> David
>
>
> On Sun, Jan 4, 2009 at 11:15 PM, Chris Messina <chris.messina at gmail.com>  
> wrote:
> I've just blogged about perceptions I've seen recently of OpenID in  
> the wild.
>
> http://tr.im/fj_perception
>
> I think these are serious issues that we must think about and  
> consider, since many popular bloggers are only carrying negative  
> stories about OpenID (with good reason) lately. I think it's  
> imperative that the marketing committee ramp up its efforts to  
> provide public domain case studies, stories and regular news that  
> can help highlight and promote the successes that people are having  
> with OpenID so that we can counter these negative impressions and  
> provide a more positive, balanced perspective on where we're at with  
> OpenID.
>
> Chris
>
> -- 
> Chris Messina
> Citizen-Participant &
>  Open Web Advocate-at-Large
>
> factoryjoe.com # diso-project.org
> citizenagency.com # vidoop.com
> This email is:   [X] bloggable    [ ] ask first   [ ] private
>
> _______________________________________________
> board mailing list
> board at openid.net
> http://openid.net/mailman/listinfo/board
>
>
> -- 
> Nat Sakimura (=nat)
> http://www.sakimura.org/en/
>
>
> -- 
> Chris Messina
> Citizen-Participant &
>  Open Web Advocate-at-Large
>
> factoryjoe.com # diso-project.org
> citizenagency.com # vidoop.com
> This email is:   [ ] bloggable    [X] ask first   [ ] private
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
