Posted 9:03 AM

Standards, we have standards

My friend Jackson Shaw (formerly of Zoomit, Microsoft and now with Quest) opined recently about an article in Network World. He quoted Christopher Paidhrin (Chief Security Officer, Southwest Washington Medical Center) as looking to "recommend the adoption of an international standards body model for identity management, where differing technologies and solutions could build on a common set of protocols, encryption algorithms and interfaces to vastly simplify the individual's experience".

Shaw notes "I think we already have many of the standards in place that we need today like SAML, WS-*, LDAP, DSML, AES, PKCS, etc. Many of these standards are IETF, NIST or industry standards versus international standards like those set by the ISO." and reminds us that X.500 and DAP were international standards which are, today, honored mostly in the breach.

Echoing many technologists who have gone before, Jackson pleads: "We don't need more standards - we need vendors to use the standards that exist today and build better products."

In fact what we need are fewer standards. There's currently a raging discussion on the OpenID email discussion list about the need to pay to register an i-Name. While I personally still aren't sold on the concept of i-Names, the need to pay to register isn't any where near the top of my list of objections. What is at the top is the question why do we need to even institute this "standard" when there are other things which do the same job equally well?

It's about time that vendors (and i-Name's Cordance and NeuStar could start) took a long hard look at the standards process and started using existing systems rather than creating new ones. Better, users should resist adopting new standards unless they provide a significant improvement over the older way of doing something. It's time to take a stand.