The Evolving Security Standards in the Social Software Industry - dummies

The Evolving Security Standards in the Social Software Industry

By David F. Carr

The social software industry is still in the process of figuring out the best way to do social application integration. There are standard data formats, standard authentication security methods, and standard mechanisms for embedding one application inside another. The challenge with these standards is there are so many to choose from.

And because social collaboration overlaps with the public social web, which is rapidly changing and morphing to accomplish other trends (such as the rise of mobile apps), setting standards that will last is extremely challenging. The very nature of standards-setting organizations has also changed under the influence of open source software, which emphasizes the creation of working software over stacks of specifications. Meanwhile, de facto standards including those from public social platforms like Facebook are often as influential as any defined by a formal committee.

Standards organizations like the Internet Engineering Task Force (the custodian of the most fundamental Internet protocols) are often in the position of formalizing the definition of technologies that are already being treated like standards by agreement among major Internet companies. In the process, they try to improve the quality of these technologies — for example, of the OAuth social authentication protocol (see below).

As a buyer and manager of social collaboration platforms, you will have to bet on which vendors seem to be making the right choices and forming the right partnerships. You also have to judge how important social application integration is to your organization now and in the near future. For example, is close integration with another web application essential, or is it enough for users to be able to click a link that takes them to it?

Bottom line: Do you insist on compliance with certain standards, or can you afford to relax and let these things sort themselves out?

How to cope with immature technologies

No social collaboration platform exhibits the maturity that you can expect from a database management system. For that matter, the level of standardization between database management systems shouldn’t be exaggerated.

The social authorization standard OAuth is probably the most widely accepted of all social application integration standards, but implementations in software products and cloud services vary in the extensions that they implement.

The current OAuth 2.0 specification is more “official” than some of the others mentioned here, having been defined through a standards track process of the Internet Engineering Task Force (IETF), the body behind basic Internet standards like TCP/IP and HTTP.

Yet the section on Interoperability in the OAuth 2.0 specification begins with a disclaimer:

OAuth 2.0 provides a rich authorization framework with well-defined security properties. However, as a rich and highly extensible framework with many optional components, on its own, this specification is likely to produce a wide range of non-interoperable implementations.

In addition, this specification leaves a few required components partially or fully undefined (e.g., client registration, authorization server capabilities, endpoint discovery). Without these components, clients must be manually and specifically configured against a specific authorization server and resource server in order to interoperate.

In other words, adhering to the specification is a good starting point, but when the developers of two applications want to integrate with each other, they still have to agree on a specific approach to applying OAuth. Nailing down those details is left to future work by the specification’s authors.
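To make the interoperability point concrete, here is the client side of the OAuth 2.0 authorization code grant (RFC 6749) as an added example; it is not code from the article or from any vendor discussed in it. Every value in SERVER_CONFIG (endpoint locations, client id, redirect URI) is a constructed placeholder standing for exactly the kind of detail the specification leaves to manual configuration against one particular authorization server. Nothing is sent over the network; the functions build and validate the protocol messages.

```python
"""Added example: OAuth 2.0 authorization code grant, client side (RFC 6749).
Shows which parts are protocol and which parts are per-server configuration."""

import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# What RFC 6749 calls "manually and specifically configured": endpoint locations
# and the client registration come from the particular authorization server,
# not from the specification. All values below are constructed placeholders.
SERVER_CONFIG = {
    "authorization_endpoint": "https://auth.example.com/oauth2/authorize",
    "token_endpoint": "https://auth.example.com/oauth2/token",
    "client_id": "example-client-id",
    "redirect_uri": "https://app.example.com/callback",
}


def new_state():
    """Opaque, unguessable value stored in the user's session. Checking it on
    the way back ties the authorization response to the request we made."""
    return secrets.token_urlsafe(32)


def build_authorization_url(cfg, scope, state):
    """Front-channel redirect to the authorization endpoint (section 4.1.1)."""
    params = {
        "response_type": "code",
        "client_id": cfg["client_id"],
        "redirect_uri": cfg["redirect_uri"],
        "scope": scope,
        "state": state,
    }
    return cfg["authorization_endpoint"] + "?" + urlencode(params)


def handle_redirect(cfg, redirect_url, expected_state):
    """Validate the authorization response (section 4.1.2) and return the
    authorization code; raise ValueError for anything that must be rejected."""
    parsed = urlparse(redirect_url)
    delivered_to = parsed.scheme + "://" + parsed.netloc + parsed.path
    if delivered_to != cfg["redirect_uri"]:
        raise ValueError("response delivered to an unregistered redirect URI")
    query = parse_qs(parsed.query)
    received_state = query.get("state", [""])[0]
    # Constant-time compare; a mismatch means the response is not bound to a
    # request this client made (classic CSRF against the callback).
    if not secrets.compare_digest(received_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response not bound to our request")
    if "error" in query:
        raise ValueError("authorization server returned error: " + query["error"][0])
    if "code" not in query:
        raise ValueError("no authorization code in response")
    return query["code"][0]


def rejects(cfg, redirect_url, expected_state):
    """True if handle_redirect refuses this callback (used for checks below)."""
    try:
        handle_redirect(cfg, redirect_url, expected_state)
    except ValueError:
        return True
    return False


def build_token_request(cfg, code):
    """Endpoint and form body of the back-channel POST that exchanges the code
    for tokens (section 4.1.3). Client authentication is another server-specific
    choice (e.g. HTTP Basic vs. body parameters) and is left out here."""
    return cfg["token_endpoint"], {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": cfg["redirect_uri"],
        "client_id": cfg["client_id"],
    }


if __name__ == "__main__":
    state = new_state()
    print(build_authorization_url(SERVER_CONFIG, "read", state))
    callback = SERVER_CONFIG["redirect_uri"] + "?code=abc123&state=" + state
    print(build_token_request(SERVER_CONFIG, handle_redirect(SERVER_CONFIG, callback, state)))
```

The protocol messages themselves are fixed by the RFC; everything that decides whether two implementations actually talk to each other lives in the config dictionary and in choices such as client authentication, which is why two spec-compliant products still need a negotiated integration.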

How to recognize de facto standards

A de facto standard is one that exists in practice, because it is commonly treated as a standard regardless of what any committee may say.

The Facebook platform for developers is not a standard the way OAuth is (although it actually incorporates OAuth). Instead, the platform — also known as Facebook’s Open Graph — is simply the way Facebook does things and defines some of the things developers will have to do, too, if they want to give their apps access to the social network’s more than 1 billion active users.

Because Facebook has done so much to influence expectations about what a social network should be, some enterprise social networking players have chosen to model their application integration frameworks more on Facebook than on standards more influenced by enterprise architects, such as OpenSocial.

The Open Graph Protocol is a component of the Facebook platform that looks a little more like an open source or web standards project, with its specifications available on a freestanding website. However, if you want to participate in discussions about the future of the specification, you have to do so in a Facebook Group rather than an IETF mailing list.

The Open Graph Protocol defines metadata that web pages and applications can carry to specify how they should be displayed on Facebook. Other social software can parse the same data to achieve a Facebook-like look.
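As an added example of the kind of parsing just described (not code from the article or from Facebook), the block below extracts Open Graph metadata from an HTML document the way a social platform would before rendering a link preview. The property names are the four required ones from the public OGP specification (og:title, og:type, og:image, og:url); the sample HTML is constructed, and the URL filtering is a defensive choice of this example, not something the protocol mandates.

```python
"""Added example: extract Open Graph Protocol metadata from untrusted HTML.
Only <meta property="og:*"> tags inside <head> are considered, and URL-valued
properties are kept only if they are http(s) URLs."""

from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: valid OGP tags, a repeated og:image whose second
# value is not a web URL, and a non-OGP <meta> tag that must be ignored.
SAMPLE_HTML = """
<html><head>
<meta property="og:title" content="Quarterly Results &amp; Outlook" />
<meta property="og:type" content="article" />
<meta property="og:url" content="https://example.com/reports/q3" />
<meta property="og:image" content="javascript:alert(1)" />
<meta property="og:image" content="https://cdn.example.com/q3.png" />
<meta name="description" content="Not an og: tag" />
</head><body><p>og:title mentioned in body text is ignored</p></body></html>
"""

# The four properties every page is required to carry per the OGP spec.
REQUIRED = ("og:title", "og:type", "og:image", "og:url")
URL_PROPERTIES = ("og:url", "og:image")


class OpenGraphParser(HTMLParser):
    """Collects <meta property="og:*" content="..."> pairs found inside <head>."""

    def __init__(self):
        super().__init__()
        self.props = {}        # property -> list of values (properties may repeat)
        self._in_head = False

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self._in_head = True
            return
        if tag != "meta" or not self._in_head:
            return
        a = dict(attrs)        # HTMLParser has already unescaped &amp; etc.
        prop, content = a.get("property"), a.get("content")
        if prop and prop.startswith("og:") and content is not None:
            self.props.setdefault(prop, []).append(content)

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False


def is_web_url(value):
    """Accept only absolute http(s) URLs for properties a renderer would fetch
    or link to; javascript:, data: and relative junk are dropped, not rendered."""
    u = urlparse(value)
    return u.scheme in ("http", "https") and bool(u.netloc)


def extract_open_graph(html):
    """Return (properties, missing): the first acceptable value of each og:*
    property, and the list of required properties that were absent or rejected."""
    parser = OpenGraphParser()
    parser.feed(html)
    parser.close()
    properties = {}
    for prop, values in parser.props.items():
        if prop in URL_PROPERTIES:
            values = [v for v in values if is_web_url(v)]
        if values:
            properties[prop] = values[0]
    missing = [r for r in REQUIRED if r not in properties]
    return properties, missing


if __name__ == "__main__":
    props, missing = extract_open_graph(SAMPLE_HTML)
    for name, value in props.items():
        print(name, "=", value)
    print("missing required properties:", missing)
```

Treating the extracted values as untrusted input is the practical point: a link preview is rendered on the consuming platform, so a renderer that blindly inserts og:image or og:url into its own page inherits whatever the publishing site put there.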

The web has long been influenced by de facto standards, defined by practice and common usage, as opposed to de jure standards set by committee.

Adobe created the PDF file format in 1993 without participation from any standards body, but because the associated Adobe Reader was freely available, PDFs became a standard for printable web documents and e-books. Eventually it became so pervasive that in 2005, PDF/A got the blessing of the International Standards Organization as a de jure standard.

HTML started out as a de facto standard, as did many browser-specific extensions of HTML that eventually became standardized. However, for many years, creating web applications that would display and function properly in multiple browsers was extremely painful. Only recently did web standards advocates make their voices heard loudly enough to get the browser makers to play nice.

The same could prove to be true of social networking standards.