Spherical Cow Consulting

Rethinking Digital Identity: What ARE Open Standards?

open doors, open standards

Since I wrote last week about MCP and the need for a more structured standards development process, this week I feel like diving into what it really means to build an open standard.

Unfortunately, “open standard” is one of those terms that gets thrown around a lot and often means entirely too many different things. For some, it just means the spec is readable online. For others, it’s about process transparency or whether the license is royalty-free. Depending on who you ask, “open” might refer to access, governance, IP rights, implementation freedom, or all of the above.

This fuzziness isn’t just academic. In the world of digital identity, especially as we build wallets, verifiable credentials, and cross-border trust frameworks, how we define and implement open standards will directly shape who gets to participate, how systems interoperate, and whether anyone can avoid vendor lock-in.

So, let’s unpack it. What is an open standard? And why does it matter so much right now?

What does “open standard” actually mean?

Ask five people what makes a standard “open,” and you might get five different answers.

Some will say it’s all about access: It’s open if you can download and read the spec without paying. Others will focus on governance: It’s open if the development process is public and inclusive. Still others might zero in on intellectual property: If you can implement it without navigating a minefield of patents, it qualifies.

The ITU-T’s Definition

The ITU-T, a United Nations-recognized standards body, offers a fairly comprehensive definition. According to them, open standards are:

“Made available to the general public and developed (or approved) and maintained via a collaborative and consensus-driven process. They facilitate interoperability and data exchange among different products or services and are intended for widespread adoption.”

They expand this definition to include concepts like transparent development, due process, balanced input, fair access to intellectual property, and long-term maintenance. It’s a solid framework, widely used in international policy discussions.

But there’s another approach that resonates more strongly with how the Internet itself was built and continues to evolve.

The OpenStand Principles

In 2012, five key organizations—the IEEE, IETF, IAB, W3C, and the Internet Society—affirmed a shared set of values known as the OpenStand Principles. These principles describe the processes that gave us the web, email, DNS, and secure communications protocols. In other words, they’re battle-tested.

The OpenStand Principles emphasize five core commitments:

  1. Cooperation – Standards organizations should respect each other’s autonomy and work together.
  2. Adherence to core development principles – Including due process, broad consensus, transparency, balance, and openness.
  3. Collective empowerment – Standards should support innovation, interoperability, scalability, and benefit humanity.
  4. Availability – Specifications must be accessible and implementable under fair terms, from royalty-free to FRAND.
  5. Voluntary adoption – No mandates, no lock-in. Market success is determined by the quality of the work, not regulatory decree.

These principles prioritize practical interoperability, technical merit, and inclusive participation, not just public availability.

And yes, I’ll admit I’m biased. My work and the ecosystems I care about have benefited enormously from the OpenStand model. It’s one of the reasons the Internet scaled globally. Go, team Internet!

So, while the ITU-T definition is solid, OpenStand captures something deeper: a living, working model of how open collaboration can shape resilient, scalable infrastructure.

That model, of open, resilient collaboration, is directly relevant to digital identity.

Why this matters for digital identity

Digital identity isn’t just another software problem. It is critical infrastructure that sits at the intersection of public services, private platforms, and individual autonomy. It needs to work across borders, industries, and decades (there are so many dimensions) and do so securely, ethically, and interoperably.

Open standards are the only viable foundation for that kind of future. And I doubt many people would argue that point. Of course, that is only true until you ask what “open” means.

As our systems evolve, it’s clear that not all “open” is created equal. The technical community frequently uses the term, but how it plays out in practice depends heavily on the organization behind the spec, its governance structure, and who gets a say.

Let’s look at a few examples from the current identity landscape:

ISO/IEC standards are authoritative but not always accessible

The ISO standards process is generally respected and deeply formal. Specifications like ISO/IEC 18013-5, which governs mobile driver’s licenses (mDLs), influence national legislation and industry roadmaps. In some countries, these specs are published for free if required by law. Others adopt them by reference without making the actual text available. In most cases, you’ll need to pay to read the document.

Participation isn’t open in the way many expect from Internet standards. To shape an ISO spec, you need to be part of your country’s official delegation or aligned with a recognized partner organization. It’s possible, but it’s gated. And that makes it harder for smaller implementers, civil society groups, or under-resourced countries to engage meaningfully.

FIDO2: open specs from a closed process

The FIDO Alliance, whose work underpins passkeys and other strong authentication technologies, operates with a “pay-to-play” model. To participate in discussions and vote on specifications, you must be a paying member of the FIDO Alliance.

However, once published, the specifications are free, publicly available, and widely adopted. In that sense, FIDO hits an important open standards benchmark: interoperability is possible without licensing barriers or paywalls. But governance remains closed to non-members, raising questions about transparency and balance.

OpenID4VC: open contributions, gated decisions

The OpenID Foundation is producing specifications for verifiable credentials and decentralized identity (e.g., OpenID4VC). Their process is somewhat hybrid: anyone can join the mailing lists, submit proposals, and contribute to discussions. However, only members can vote on final decisions, and membership requires payment.

This model blends inclusivity with formal governance. It’s more open than ISO but still includes structural limitations that can shape who ultimately steers the spec.

W3C Digital Credentials API: public input, but participation friction

Then there’s the W3C, where the Digital Credentials API is currently under development. It started in a Community Group, a setting where anyone could join calls, propose changes, and contribute. But Community Groups can’t produce official W3C Recommendations. The work had to move to a formal Working Group to do that.

In a W3C Working Group, you either need to be:

The general public can still file GitHub issues and read the documents. That’s more openness than many standards bodies offer, but it’s not full participation. There’s friction between visibility and influence, especially for newcomers or smaller players.

So… what counts as “open”?

With so many variations on “open,” it’s easy to fall into a purity trap where only the most idealistic, frictionless processes count. But that’s not realistic or fair.

Creating standards—real, robust, production-ready standards—takes work. Not just from the people writing specs or implementing test suites but also from the organizations that host the mailing lists, convene the calls, maintain the repositories, manage intellectual property frameworks, and, yes, pay the legal bills.

All of that takes resources. And as much as we’d like to imagine that open standards are forged purely through the goodwill of the global community, the truth is that most standards efforts today rely on a mix of volunteer labor, organizational backing, and structured funding models, some of which include paid memberships.

A new balance test

So no, we can’t simply demand that every standard be written by volunteers and hosted for free. That’s not how sustainable infrastructure gets built. But we can and should ask hard questions about transparency, participation, and accessibility.

We don’t need to shut down funding models. But we need to ensure those models don’t shut people out.

The goal isn’t to achieve some idealized version of openness. It’s to build systems that are accountable, adaptable, and inclusive. Standards that reflect a common foundation, not a competitive moat. And that’s a goal we can work toward, even in a world where time and money are very real constraints.

Open-ish is still better than closed

As much as we can and should debate the limits of openness in today’s standards processes, it’s worth remembering that things could be a lot worse. Many digital identity specifications land somewhere in the middle (open to read, semi-open to influence, gated in terms of governance), but that’s still miles ahead of truly closed standards.

And yes, closed standards still exist, even in 2025.

Some of the world’s most critical systems rely on technical specifications that aren’t publicly available, freely implementable, or open to broad contribution.

Closed doors in standards

For example:

In that light, the “open-ish” systems start to look less like compromise and more like progress.

Schrödinger’s standards, both open and closed?

Yes, it can be frustrating that you need to be a member to vote at the OpenID Foundation. Yes, it’s not ideal that the FIDO Alliance limits participation to paying organizations. And yes, W3C Working Groups aren’t truly open in the democratic sense once you leave the Community Group stage.

But in all these cases, the resulting specifications are:

That’s not perfect openness, but it’s a long way from closed. And it’s a path we can keep improving.

Transcript

[00:00:00]
Welcome to the Digital Identity Digest, the audio companion to the blog at Spherical Cow Consulting. I’m Heather Flanagan, and every week I break down the evolving world of digital identity — from credentials and standards to browser quirks and policy challenges.
If you work with digital identity but don’t have time to follow every specification or hype cycle, you’re in the right place.


🔍 What Is an Open Standard?

[00:00:26]
Last week, I explored the Model Context Protocol (MCP) and why we need a better approach to standards development. Today, let’s dive deeper and ask a foundational question: what does it mean to build an open standard?

The phrase “open standard” is used often — and differently — by many:

[00:01:17]
And this isn’t just a philosophical debate — it affects real-world outcomes in digital identity systems, from wallets and credentials to international trust frameworks. Open standards define who participates, how systems interoperate, and whether we avoid vendor lock-in.


📖 Defining “Open” — Multiple Perspectives

[00:01:41]
Ask five experts, and you’ll get five different definitions:

[00:02:10]
The ITU-T, a UN-recognized standards body, defines an open standard as:

“Made available to the general public, developed via a collaborative, consensus-driven process, facilitates interoperability, and intended for widespread adoption.”

They also stress:


🌐 The OpenStand Principles: Internet DNA

[00:03:01]
Another influential model comes from the OpenStand Principles, endorsed in 2012 by:

These organizations helped build the foundational architecture of the internet.

[00:03:31]
OpenStand emphasizes:

[00:04:14]
This model values technical merit, global scale, and inclusive participation — not just a downloadable PDF.


🛠 Why It Matters for Digital Identity

[00:04:35]
Digital identity isn’t “just software.” It’s infrastructure at the crossroads of:

It must work across borders, industries, and time, and do so securely, ethically, and interoperably.
And for that, open standards are non-negotiable.


🏛 Examining the Standards Bodies

[00:05:14]
Let’s look at how open actually plays out in the real world:


🔹 ISO

[00:05:17]
The ISO/IEC standards process is formal and respected. Specs like ISO 18013‑5 (for mobile driver’s licenses) guide legislation and roadmaps.


🔹 FIDO Alliance

[00:06:12]
Known for passkeys and strong authentication, FIDO uses a pay-to-play model.


🔹 OpenID Foundation

[00:06:52]
Behind OpenID Connect and now working on OpenID for Verifiable Credentials.


🔹 W3C

[00:07:34]
W3C’s Digital Credentials API is a good case study.

Public input is welcome, but influence is limited.


⚖ Balancing Idealism and Practicality

[00:08:32]
So, what really counts as open?
There’s a danger in idealism — assuming only frictionless, volunteer-driven models are acceptable.

[00:08:59]
In reality, standards require:

We can’t demand “free everything” — but we can demand fairness in access and influence.

Ask these questions:


🚧 When Standards Aren’t Open

[00:09:35]
Not all standards are even partially open:

[00:10:09]
So yes — some open processes have flaws. But compared to that? Even “imperfect open” is progress.


🔍 A Positive Example: The Cyrus Foundation

[00:10:46]
A good example of a modern, open-leaning approach is the Cyrus Foundation:

[00:11:31]
Their code and process are public and transparent, with contributions welcomed from across the ecosystem.

Full disclosure: I serve as an advisor to Cyrus — but only because they’re getting it right.

[00:11:47]
The point isn’t that Cyrus is unique. What matters is their model — balancing practicality with open values, avoiding reinvented cryptography, and treating identity infrastructure as a shared foundation.


✅ The Path Forward

[00:12:08]
And the good news? This future is already happening. We just need to keep showing up for it.


🙌 Wrapping Up

[00:12:23]
Thanks for listening to this episode of the Digital Identity Digest. If this helped clarify or spark interest, consider:

[00:12:42]
Stay curious. Stay engaged. And let’s keep these conversations going.
