EKR writes about the politics of standardizing shipping containers.
His punchline:
Remember, this is a rectangular metal box with fittings at the corners. What makes standards-setting complicated isn't primarily that the technical issues are difficult--though they certainly can be--but that they require coordination between multiple players who often have radically different incentives.
I would go a stage further. The simplicity of the problem is what allowed the solution to be so complex. Anyone can have an opinion about a rectangular box with fittings at each corner. The number of degrees of freedom is huge. It's not just the size that can vary, it's the weight, the number that can be stacked on top of each other, and so on and so on.
Fortunately the number of people who have an opinion on cryptographic security protocols is rather smaller. We tend to suffer from the opposite problem: in many cases the problems we are trying to solve are overconstrained. It is not always possible to do what we want to do and maintain compatibility with the past.
This is why I believe that the dual track strategies adopted in many recent standards initiatives are the correct approach. Email authentication has adopted a two track approach: SPF/Sender ID to provide a fast route to market, DKIM to provide solid cryptographic authentication. A similar pattern is emerging in the case of federated identity: OpenID provides an infrastructure that is backwards compatible, CardSpace asks 'what if we start from a blank sheet of paper and decide to go for total security and total usability as goals?'
Commentators frequently misread these divergent approaches as repeats of the standards wars of the 1990s. The difference is that in the past the parallel efforts tried to work out how to leave a scorched earth for the alternative proposal; today we look for ways to re-integrate the two tracks in the future.