A standard celebration

Opinion
Apr 21, 20033 mins

It might be clichéd to say that one of the best things about standards is that there are so many to choose from, but it’s also still very sadly true.

Over the past five years, both in this column and in the Identity Management newsletter I write for Network World Fusion, I’ve often decried the proliferation of committees, organizations and ad hoc groups purporting to be the standards bearers for identity. I came down hard on Sun when it called the first meeting of what became the Liberty Alliance project to create a federated identity standard, seemingly as a knee-jerk reaction to Microsoft’s announced plans for its Passport technology.

Even after the Liberty group developed its first specification (and did it in record time, for a “standards body”), I still thought it would be best to have the effort at least blessed by one of the existing standards groups. Because Liberty’s spec was based in large part on the Security Assertion Markup Language (SAML) developed by the Security Services Technical Committee at the Organization for the Advancement of Structured Information Standards, I felt that OASIS would be the right venue for federated identity work.

Therefore I’m very gratified to see that the Liberty Alliance has turned over the specification – called the Identity Federation Framework – to OASIS, where it will be used to help further the development of SAML. This, in turn, will be used to help create future specifications at Liberty.

Some have alleged that the Liberty move was a pre-emptive strike against IBM and Microsoft, which are seen to be championing a competing federated identity specification, but there is no reason to believe that the two standards – which actually take a different focus – will not interoperate. Both can use the SAML standard, both are based on the SOAP protocol and both are being shepherded through the standardization process by OASIS, now that Liberty has submitted its documents.

And while there are still two distinct OASIS technical committees working on the two standards, there also is another committee – whose members include IBM, Microsoft and Sun – that works to ensure cooperation and interoperability among the various OASIS groups that impinge on the security arena.

It looks like competing standards are beginning to coalesce into something that the industry can use, at least in the area of identity management, and that’s worth celebrating.

Tip of the week

The Liberty spec is two-pronged, incorporating both a technology framework and a business/legal framework. Ping Identity is one of the few companies involved in both aspects. Check its Web site for details, working demos and more.