Beyond Reading The RFC: How to Actually Shape Identity Standards
Heya,
I recently had the chance to review the Cross-Device Flows: Security Best Current Practice IETF draft document.
You know what I had to do to get this chance?
take the time to carefully read the document, taking notes
send an email to the email list with my questions and notes
That's it. However, I won’t lie; I was a bit nervous about sending an email to hundreds of OAuth experts with my questions.
If you want to be involved in standards around identity, there are plenty of ways to get involved, including reading emails and thoughtfully responding. Heather Flanagan did a good presentation at Identiverse a few years ago about standards development, as well.
The BCP document is now nearly published. As of the time of writing, it was in the "WG Consensus: Waiting for Write-Up" state, which is the second-to-last step before publication, per the documented workflow.
What benefits did I get from doing this, other than my name in a document that will hopefully live on the IETF website forever?
Plenty.
I got:
a deeper understanding of the problem space
a chance to ask questions of a community of experts
a list of features that I can bring back to my employer to improve our product
The BCPs in general are great documents to review because they are less focused on implementation details and more focused on best practices. I think they are more actionable without a large amount of product effort. For example, if you compare the BCP doc I reviewed to the device grant RFC, which it references, the former is far more accessible and less technical. Of course, the latter underlies the former and is worth understanding as well.
There's plenty of scope for pushing CIAM forward beyond the standards bodies, particularly outside of authentication. I do think picking a CIAM solution that implements standards has all kinds of benefits, though. And participating in crafting those standards is easier than you might imagine.
Cheers,
Dan
