Culture

Dueling security standards: The good, the bad and the ugly

A few weeks ago, Bill Gates took center stage at the RSA conference to deliver an aggressive Microsoft state-of-the-security-union message to the crowd. One of the many things he highlighted was Microsoft's InfoCard, a method for sharing and protecting personal information on the web.

InfoCard only works if it is supported by both the user (i.e. the client) and the business site (i.e. the server). If everyone agrees to this relationship, users win with better protection of their personal information, because they control who gets to see what and all communications are encrypted. Businesses benefit by getting out of the personal-data-protection business. Everything is automated and secured on a transaction-by-transaction basis.

It's been two weeks since this announcement, so the time is certainly right for a competitive offering. This week, IBM got together with Novell and Parity Communications to announce an open source alternative dubbed "Project Higgins." (Author's note: I have no idea about the origin of this name but suddenly have a strong desire to rent old Rex Harrison DVDs.)

Many pundits wonder whether either model is viable, questioning the value for users or web developers. Not me. If I can automate the process of entering my data into multiple web forms and keep it out of the hands of others, I'm all for it. Ditto for the zillions of e-businesses that want to sell stuff over the web but avoid having to become data security experts in the process.

There were over 130 data breaches last year, impacting 55 million Americans. Based upon this alone, why in the world wouldn't you want to do this? (Author's note: I realize that I've just opened a perfect opportunity for someone to respond by calling me an ignorant idiot or some such vitriol.)

So if this does take off, as I suspect it will, what about the coming religious war between the InfoCard and Higgins camps? That's easy. As much as the UNIX/Linux/Apple crowd hates to hear it, some businesses actually run quite well on Windows. For them, InfoCard is a no-brainer. Others who would bear arms to defend the honor of Java, CORBA, Apache, or open source will jump on the Higgins bandwagon.

Personally, I have no beef with either camp. Choices are a good thing. Debate is a healthy way to hear multiple points of view.

Two standards are manageable, three is a crowd, and four or more becomes a time-consuming mess that benefits vendors at the expense of user security. I hope that other standards bodies and vendors can line up behind one of these two choices. Call me cynical, but I doubt this will happen.