Beta vs VHS: Here We Go Again
By David Dorf-Oracle on Mar 26, 2009
If you believe that standards are a good thing, then are multiple standards even better? Most people recall the battle over video recording technologies. Round one was Beta vs VHS with Blu-Ray battling HD-DVD in round two. On the surface these cage matches appeared to have a clear winner, but I would argue that all of us really lost. During the battle, many people refused to choose a side, so the industry was crippled for years. Once a winner was declared, prices fell, adoption increased, and resources were put to better use looking for the next innovative technology.
On the flip side, some would say that competing standards lead to better products. Nurture both standards then let the market decide which is best. That approach works fine when there's a clear difference, but when we're talking about shoe sizes, for example, there really isn't additional value from one standard to the next. (I took my young sons to buy shoes the other day -- what a disaster. Not only did the shoes use multiple size scales, but they weren't in a standard place on the box. Clearly I don't buy shoes often.)
Another standards battle is brewing, but this time of a technical nature. In response to the need for encryption across distributed locations (read "stores"), Arshad Noor created an open-source key management system called StrongKey. Then he submitted the underlying XML messages to OASIS and created the EKMI committee to form a standard. After two years of work with other companies on the committee such as Visa, the DoD, Red Hat, and Wells Fargo, the Symmetric Key Services Markup Language (SKSML) was finally published in January, 2009. This was a nice step forward for the industry, and was especially helpful to retail given the focus on PCI. But no notable heavyweights endorsed the standard, as described in this Information Week article.
So, soon after the SKSML specification was finalized, another group of vendors created a competing standard and formed the OASIS KMIP committee. What's strange about this arrangement is that both standards exist within OASIS. Most other competing standards are between competing standards organizations. This caused Arshad to withdraw as chair, although both committees continue to exist.
I don't know the detailed differences between the EKMI and KMIP charters, but I think it's safe to say that retailers aren't getting any additional clarity around enterprise key management standards, and that's not good.