
Why are there 9-gajillion identity standards?

Written by Eric Norlin, Contributor

A response in the comment section to my last post entitled, "The many players at IIW", asks (paraphrasing): Why are there so many identity protocols, standards and specs? Then answers: Because the vendors all want their own standard. And concludes with: We need an "ethernet" standard for identity.

I wanted to answer this because I think it's important to understand how the identity marketplace is evolving.

1. While in the past (notably Liberty and the WS-* stack), there has been some vendor fighting over identity standards, I do not believe that is the case today.

2. In reality, today's landscape of identity standards is working toward interoperability (as is evidenced by the work that happened at the IIW).

3. To be fair, Microsoft (via the main vehicle of Kim Cameron) has been leading the charge for interoperable identity systems.

4. The plethora of identity standards, protocols and systems owes as much to the diversity of functionality being sought as anything else. For example, the URL-based identity guys are wanting something that accomplishes very specific things with a low barrier to adoption, while the federated web services guys (WS-Trust) are wanting infrastructure that can handle very sensitive, high-risk transactions. These differences are not easily glossed over, and finding a ground of interoperability is a tough thing.

5. Do we need an "ethernet" standard for identity? Yes, we do -- eventually. However, I believe we're several years from seeing that level of consolidation around a standard -- mostly because of the radically different functionality that is being sought. Believe it or not, identity infrastructure is a little more complex than ethernet protocols.

6. While "users" want an identity system to just appear, the reality is that there's a lot of hard work to be done to *add* identity to our network infrastructure.

7. That "hard work" is crossing a wide spectrum that ranges from user-centric identity all the way to identity-based Network Access Control (think Cisco, Juniper, et al.). Now imagine having URL-based identity work with application-level identity management and network-based identity. Yikes.

8. The good news is that we *will* get there. The reason is simple: we have to. Identity has become an absolutely necessary core component of network infrastructure, and the drive to integrate it into that infrastructure will relentlessly march forward until the marketplace gets what it needs.
