Status of OpenID in The Netherlands – report of the OpenIdentiteit event

Today I attended the ‘OpenID in de Praktijk’ event to see what the current status of OpenID is in The Netherlands. The summary of OpenID from Chris Obdam (OpenID Netherlands Foundation), a security analysis from Christiaan Roselaar (ITSec) and the story about Hyves as an OpenID Provider from Yme Bosma (Hyves) were the most interesting stories. OpenID is gaining momentum in The Netherlands, but there is a long road ahead of us.

Chris Obdam from Stichting OpenID Nederland (Dutch OpenID Foundation) did the kick-off and gave us an OpenID 101. He compares the OpenID redirection mechanism with the Dutch equivalent of PayPal, where you also get redirected to your local bank and back to the webshop afterwards. He explains the difference between OpenID SREG (Simple Registration, with which you can request 9 basic attributes from the user) and OpenID AX (Attribute Exchange, which provides a broader set of attributes). I’ll write a (Dutch) article next week to explain OpenID SREG and AX further. Chris expects our local governmental identification system DigiD to become a part of a locally extended Open Stack as a verification system, because DigiD is the only system in The Netherlands which can issue verified address and personal attributes.

Christiaan Roselaar from ITSec tries to be the devil’s advocate and gives us a glance into the insecurities of the OpenID protocol. At the end of his presentation he gives us a demonstration of DigiD and shows us that it is not only OpenID which has its flaws. He basically hacks into one of the local government sites and retrieves the username and password of his test account with which he just logged in. Very scary.

Hyves talks about the Mysteryland case

Next is Yme Bosma (business development at Hyves) with a talk about Hyves as an OpenID Identity Provider. He explains that Hyves Connect consists of: OpenID, OAuth, Open Social and the Hyves APIs. The Hyves APIs will become Open Social REST compatible within a few months. Hyves is also testing with OpenID-in-a-pop-up and they have an optimized landing page for OpenID logins for mobile devices such as the iPhone or the T-Mobile G1.

Yme continues by explaining the difference in attribute extraction at Hyves between OpenID AX and OAuth. OpenID AX provides public data and has a static API. OAuth provides both public and private data and has the option to run specific actions on Hyves through the APIs. They chose this model because OAuth is built for access control and OpenID for identification.

Hyves is opening up to the world to extend their social network to third parties and make that network more relevant to users. Hyves is using OpenID and OAuth to make it ‘easy and safe’ for users and ‘simple and standardized’ for developers. The biggest news from Yme, however, was that Hyves will become an OpenID Relying Party. It will be possible to connect third-party OpenID accounts to existing Hyves accounts and use OpenID to log in to Hyves after that. Hyves is the second large social network to announce becoming an OpenID Relying Party. Facebook did this a couple of weeks ago.

It was an interesting afternoon, but there’s a lot of evangelizing to be done in The Netherlands. I spoke with Chris Messina, board member of the OpenID Foundation, last weekend and he told me the OpenID Foundation could be of help to us in The Netherlands too. With large companies like Facebook, Google, Microsoft, Yahoo! and IBM supporting the OpenID Foundation, they will be capable of assisting us to promote and ease the acceptance of OpenID in The Netherlands.

