Digging deeper into OATH doesn't look so good

* The Initiative for Open Authentication disappoints

I've heard from a few people who followed my advice at the end of the last newsletter about the Initiative for Open Authentication (OATH), the vendor group charged with creating an authentication protocol. I suggested that you download the group's white paper and see how your efforts in the authentication area mesh with those of this new organization. Most replied that the new group didn't mesh at all.

Some pointed out that, while I mentioned major identity players Sun, Novell and Microsoft weren't in the group, I overlooked the fact that RSA Security wasn't, either. That's surprising since the first "key feature and benefit" of the new initiative was supposed to be "lower costs for authentication devices (chips, tokens, smart cards)." Now if there's one area RSA can be said to dominate, it's chips, tokens and smart cards. It looked like further examination was called for.

As others pointed out, OATH's claims of "open source" have little meaning when compared to other authentication protocols such as SAML. When you include the entire Liberty Alliance specifications as well as the Web Services Initiative protocols and methods (as devised by Microsoft and IBM) there's nary a proprietary bit of code involved. Actually, there's no code involved at all. Protocols are, by their very nature, open. If you can't read the protocol specification then you can't very well implement it, can you?

Someone suggested I look at the license document (which you must sign to join the initiative). It begins: "This contribution and license agreement is entered into, by and among, VeriSign, Inc.," (which started the initiative) and each party that signs the agreement. OATH's mailing address is the same as the VeriSign building here in Mountain View, Calif. That should raise an eyebrow or two. If it doesn't read http://www.nwfusion.com/news/2003/0922verisign.html and refresh your memory of how the company was accused of hijacking misspelled URLs. There are people who distrust VeriSign even more than they distrust Microsoft. Really.

It was also pointed out to me that the draft that OATH submitted to the IETF was authored by VeriSign employees. The draft only describes an algorithm, by the way, to generate a one-time use password. Yep, a one-time use password. How's that for cutting edge?

It may be that OATH will amount to something someday, but so far, it appears to be a stalking horse for VeriSign and that's not a bandwagon we should thoughtlessly jump on.

Learn more about this topic

HP adds identity wares to platform

Network World, 12/06/04

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2004 IDG Communications, Inc.