The Black Book of Identity Access Mgmt

    Wednesday, June 16, 2010

    I've got standards coming out my wazoo

    There’s an old joke from a parody of medical shows in which a young woman lies in a hospital bed, hooked up to tons of tubes and wires, and when the nurse asks what’s wrong with her, the doctor replies, “She has a complicated disease developed by specialists.”

    Nothing gets experts more giddy than creating terms that get wrapped up in acronyms. At conferences, in meetings, on blogs, they will build and enhance guidelines and standards that they can put their names to, publish papers about, and practically wet themselves with glee if they get used in product development.

    Not to say that all these standards are worthless, although an awful lot of them end up gathering virtual dust on the virtual shelf. Some of them are even great ideas, but they just don’t catch on, for whatever reason, and this includes within the IAM realm.

    In the higher education arena, we have more than our share of these. Services Provisioning Markup Language (SPML) gets tossed around a lot. It’s actually a great notion. It’s Esperanto for making provisioning calls between requesters and target systems that don’t otherwise speak the same tongue. Some of the smaller “provisioning” companies fall back on it all the time. “Hey, you don’t need that big provisioning package, just use us, we skip the expensive connectors in favor of SPML.”

    The problem there is, not too damn many packaged apps support SPML. So they end up falling back on flat files or, as with help desk apps, e-mail integration.

    CARML (Client Attribute Request Markup Language) defines attributes and privacy requisites for an app. AAPML (Attribute Authority Policy Markup Language) defines which data elements, usually relevant to IdM, are available to applications, and how these elements can be used. Which fields in my own profile am I allowed to edit?

    When you already have it figured out between parties what data to use and how to use it, you’re all set. But as we move slowly toward an environment in which we all talk standards instead of contractually defined protocols, you can use these kinds of standards to specify what data you will make available, and the rules for using it.
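    To make the SPML and attribute-policy points above concrete, here is an added example (my own code, not anything from the post or from any SPML vendor) that turns one flat-file provisioning record into an SPML v2 addRequest in the DSML profile, and reads it back. The target name, container DN, request ID and the attribute allow-list are all constructed for the example; the allow-list stands in for the kind of "which data elements may this application receive" rule that CARML/AAPML are meant to express, so a field that is not on the list (the constructed `ssn` below) never leaves the requester.

```python
"""Build and read back a minimal SPML v2 addRequest (DSML profile).

Added example, not code from the post. Namespaces are the published
SPML v2 core and DSML v2 core URIs; every other value is constructed.
"""
import xml.etree.ElementTree as ET

SPML_NS = "urn:oasis:names:tc:SPML:2:0"        # SPML v2 core namespace
DSML_NS = "urn:oasis:names:tc:DSML:2:0:core"   # DSML v2 core, used by the SPML DSML profile
ET.register_namespace("spml", SPML_NS)
ET.register_namespace("dsml", DSML_NS)

# Attributes this requesting authority is allowed to send to the target.
# Constructed allow-list for the example; it plays the role of an
# attribute-release policy: anything not listed is dropped, not forwarded.
ALLOWED_ATTRS = {"uid", "cn", "mail", "eduPersonAffiliation"}

# One constructed flat-file record, as a dict. "ssn" is deliberately
# present to show that the allow-list filters it out.
SAMPLE_ROW = {
    "uid": "jdoe",
    "cn": "Jane Doe",
    "mail": "jdoe@example.edu",
    "eduPersonAffiliation": ["student", "member"],
    "ssn": "000-00-0000",
}


def build_add_request(row, target_id="hr-ldap-target",
                      container="ou=People,dc=example,dc=edu",
                      request_id="req-1"):
    """Translate one provisioning record into an SPML addRequest string.

    Only attributes on ALLOWED_ATTRS are copied into the <data> element;
    multi-valued attributes become several <dsml:value> children.
    target_id, container and request_id are placeholders (assumption).
    """
    req = ET.Element(f"{{{SPML_NS}}}addRequest",
                     {"requestID": request_id, "executionMode": "synchronous"})
    ET.SubElement(req, f"{{{SPML_NS}}}containerID",
                  {"ID": container, "targetID": target_id})
    data = ET.SubElement(req, f"{{{SPML_NS}}}data")
    for name in sorted(ALLOWED_ATTRS & row.keys()):
        attr = ET.SubElement(data, f"{{{DSML_NS}}}attr", {"name": name})
        values = row[name] if isinstance(row[name], list) else [row[name]]
        for value in values:
            ET.SubElement(attr, f"{{{DSML_NS}}}value").text = value
    return ET.tostring(req, encoding="unicode")


def parse_add_request(xml_text):
    """Read an addRequest back as (target_id, container, {attr: [values]}).

    Raises ValueError if the root element is not an SPML addRequest, so a
    target that receives the wrong operation fails loudly instead of
    provisioning something unexpected.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SPML_NS}}}addRequest":
        raise ValueError("not an SPML addRequest")
    cid = root.find(f"{{{SPML_NS}}}containerID")
    if cid is None:
        raise ValueError("addRequest has no containerID")
    attrs = {}
    for attr in root.iterfind(f"{{{SPML_NS}}}data/{{{DSML_NS}}}attr"):
        attrs[attr.get("name")] = [v.text for v in attr.iterfind(f"{{{DSML_NS}}}value")]
    return cid.get("targetID"), cid.get("ID"), attrs


if __name__ == "__main__":
    doc = build_add_request(SAMPLE_ROW)
    print(doc)
    print(parse_add_request(doc))
```

    On the receiving side of a real deployment, SPML arrives from another party over HTTP, so parse it with a hardened parser such as `defusedxml` rather than the stdlib call shown here, and keep the allow-list on the target side as well: the point of standards like CARML and AAPML is that each side states what it will release and accept, not that one side trusts the other's filtering.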

    The higher education space just loves creating standards. Hardly anybody seems to use them, but they’re there. Ever heard of eduPerson? eduClass? Shibboleth? They’re in use, but not in the volume you’d expect, considering how much they get talked about.

    DSML (Directory Services Markup Language) is an XML way to carry LDAP data and operations, so you can talk to a directory over HTTP. It’s a cool idea that hasn’t caught on much.

    Which ones seem to be the most relevant? How about XACML (Extensible Access Control Markup Language)? It describes who can access which resources. It can introduce a user to a system, as well as store policies. I know a guy who actually contributed to that standard, and it’s a nice thing to have on the resume. A million years ago I contributed to a conversation about a standard that eventually turned into another standard that’s HEAVILY in use, but my contribution was so ridiculously minute that I don’t even really bring it up much. It’s like saying, “See that skyscraper over there? I buffed the floor in the lobby before they let the first tenant in.”

    Which brings me to … SAML. I won’t even tell you what it stands for, because you should know already, you boob. But without it, we’d be stuck with some less wonderful standards for federation. Everybody in the space knows about SAML. See, sometimes these things actually take off.

    Years ago I came up with some of my own:

    • ENAML: federation for dentists
    • SPAML: to tell your email server which stuff goes directly to Trash
    • FLIM-FLAML: order before midnight tonight
    • EGGS_N_HAML: for ordering your breakfast over the Cloud

    Standards are good things, but only in small numbers. They take forever to get adopted, and you sure don’t want to be the first one on your block to dedicate engineering resources to supporting one. Remember S-HTTP (not to be confused with HTTPS)? Yeah, I thought not. The way to avoid a further glut of acronyms in this goofy business is to set the bar higher. When I stage my benign fascist takeover, the first thing I will do, after the flogging of the lawyers, and the cloning of Heather Locklear, is to establish a law stating that, before you can launch a new acronym, you must be able to recite all the other acronyms, explain what they mean, name at least one vendor supporting each one, explain why yours is worth a s___, and then get hit in the head with a stick.
