Hi Keith, Hi Phil,
I am trying to level up a bit here and not focus on OAuth or SAML.
When someone suggests that you use a certain technology, there is typically an entire context that comes with the question that led to this recommendation. Since we don’t know the context, it is hard to say whether the recommendation is reasonable.
I think we can all agree that there are many aspects involved in making a technology choice. Some of those considerations are business related, having to do with the availability of software and with how familiar those using the technology are with the concepts.
What I also see happening again and again is that people confuse protocols with the deployment of protocols. Phil does this below too. Just because Facebook, Google & Co. decide to use OAuth in some specific way does not mean that OAuth cannot be deployed by others in a completely different way.
I am not confused, I merely don't accept that the distinction is a useful one. I know what HTTP and HTML were supposed to be. I also know what they have become and that there is no way to go back.
The fact that a technology has become one of the factors in reinforcing a duopoly position is far more relevant to the question of whether a group should be told that they must use it than ANY aspect of the technology itself. Yes, OAUTH is capable of supporting a different ecosystem to the one that it has established. But when an application is built on OAUTH, they don't get to change the ecosystem.
It is the same in PKI. There is absolutely nothing stopping anyone from implementing the PGP Web of Trust in X.509. Mark Shuttleworth actually got pretty far in doing just that. But nobody is ever going to be able to use that system because there are simply too many assumptions about how the formats are used built into the deployed infrastructure.
Unfortunately, I don’t see how any of this relates to the diversity discussion. I would therefore suggest moving this discussion to the OAuth group. There are so many aspects in Phil’s email that require clarification...
If you noticed, I had actually broadened the issue of folk insisting on their technology being used to include the SPF/DKIM experience which was quite different.
What I think some of the grownups need to start thinking about is just what is going to be happening over the next five to ten years as various politicians decide to wield anti-trust against what they are now calling big tech. The ostrich strategy that has worked so far is not likely to work for very much longer.
Google and Facebook in particular would be well advised to start sending lawyers to all the standards meetings in which they participate. Or at the very least the ones that are being attended by lawyers who work for the FTC and EU anti-trust divisions.