Since I wrote last week about MCP and the need for a more structured standards development process, this week I feel like diving into what it really means to build an open standard.
Unfortunately, “open standard” is one of those terms that gets thrown around a lot and often means entirely too many different things. For some, it just means the spec is readable online. For others, it’s about process transparency or whether the license is royalty-free. Depending on who you ask, “open” might refer to access, governance, IP rights, implementation freedom, or all of the above.
This fuzziness isn’t just academic. In the world of digital identity, especially as we build wallets, verifiable credentials, and cross-border trust frameworks, how we define and implement open standards will directly shape who gets to participate, how systems interoperate, and whether anyone can avoid vendor lock-in.
So, let’s unpack it. What is an open standard? And why does it matter so much right now?
A Digital Identity Digest
Rethinking Digital Identity: What ARE Open Standards?
You can Subscribe and Listen to the Podcast on Apple Podcasts, or wherever you listen to Podcasts.
And be sure to leave me a Rating and Review!
What does “open standard” actually mean?
Ask five people what makes a standard “open,” and you might get five different answers.
Some will say it’s all about access: It’s open if you can download and read the spec without paying. Others will focus on governance: It’s open if the development process is public and inclusive. Still others might zero in on intellectual property: If you can implement it without navigating a minefield of patents, it qualifies.
The ITU-T’s Definition
The ITU-T, a United Nations-recognized standards body, offers a fairly comprehensive definition. According to them, open standards are:
“Made available to the general public and developed (or approved) and maintained via a collaborative and consensus-driven process. They facilitate interoperability and data exchange among different products or services and are intended for widespread adoption.”
They expand this definition to include concepts like transparent development, due process, balanced input, fair access to intellectual property, and long-term maintenance. It’s a solid framework, widely used in international policy discussions.
But there’s another approach that resonates more strongly with how the Internet itself was built and continues to evolve.
The OpenStand Principles
In 2012, five key organizations—the IEEE, IETF, IAB, W3C, and the Internet Society—affirmed a shared set of values known as the OpenStand Principles. These principles describe the processes that gave us the web, email, DNS, and secure communications protocols. In other words, they’re battle-tested.
The OpenStand Principles emphasize five core commitments:
Cooperation – Standards organizations should respect each other’s autonomy and work together.
Adherence to core development principles – Including due process, broad consensus, transparency, balance, and openness.
Collective empowerment – Standards should support innovation, interoperability, scalability, and benefit humanity.
Availability – Specifications must be accessible and implementable under fair terms, from royalty-free to FRAND.
Voluntary adoption – No mandates, no lock-in. Market success is determined by the quality of the work, not regulatory decree.
These principles prioritize practical interoperability, technical merit, and inclusive participation, not just public availability.
And yes, I’ll admit I’m biased. My work and the ecosystems I care about have benefited enormously from the OpenStand model. It’s one of the reasons the Internet scaled globally. Go, team Internet!
So, while the ITU-T definition is solid, OpenStand captures something deeper: a living, working model of how open collaboration can shape resilient, scalable infrastructure.
That model, of open, resilient collaboration, is directly relevant to digital identity.
Why this matters for digital identity
Digital identity isn’t just another software problem. It is critical infrastructure that sits at the intersection of public services, private platforms, and individual autonomy. It needs to work across borders, industries, and decades (there are so many dimensions) and do so securely, ethically, and interoperably.
Open standards are the only viable foundation for that kind of future. And I doubt many people would argue that point. Of course, that is only true until you ask what “open” means.
As our systems evolve, it’s clear that not all “open” is created equal. The technical community frequently uses the term, but how it plays out in practice depends heavily on the organization behind the spec, its governance structure, and who gets a say.
Let’s look at a few examples from the current identity landscape:
ISO/IEC standards are authoritative but not always accessible
The ISO standards process is generally respected and deeply formal. Specifications like ISO/IEC 18013-5, which governs mobile driver’s licenses (mDLs), influence national legislation and industry roadmaps. In some countries, these specs are published for free if required by law. Others adopt them by reference without making the actual text available. In most cases, you’ll need to pay to read the document.
Participation isn’t open in the way many expect from Internet standards. To shape an ISO spec, you need to be part of your country’s official delegation or aligned with a recognized partner organization. It’s possible, but it’s gated. And that makes it harder for smaller implementers, civil society groups, or under-resourced countries to engage meaningfully.
FIDO2: open specs from a closed process
The FIDO Alliance, whose work underpins passkeys and other strong authentication technologies, operates with a “pay-to-play” model. To participate in discussions and vote on specifications, you must be a paying member of the FIDO Alliance.
However, once published, the specifications are free, publicly available, and widely adopted. In that sense, FIDO hits an important open standards benchmark: interoperability is possible without licensing barriers or paywalls. But governance remains closed to non-members, raising questions about transparency and balance.
OpenID4VC: open contributions, gated decisions
The OpenID Foundation is producing specifications for verifiable credentials and decentralized identity (e.g., OpenID4VC). Their process is somewhat hybrid: anyone can join the mailing lists, submit proposals, and contribute to discussions. However, only members can vote on final decisions, and membership requires payment.
This model blends inclusivity with formal governance. It’s more open than ISO but still includes structural limitations that can shape who ultimately steers the spec.
W3C Digital Credentials API: public input, but participation friction
Then there’s the W3C, where the Digital Credentials API is currently under development. It started in a Community Group, a setting where anyone could join calls, propose changes, and contribute. But Community Groups can’t produce official W3C Recommendations. The work had to move to a formal Working Group to do that.
In a W3C Working Group, you either need to be:
A member of a W3C Member organization (which usually involves a fee),
Or an invited expert (which requires an application and approval).
The general public can still file GitHub issues and read the documents. That’s more openness than many standards bodies offer, but it’s not full participation. There’s friction between visibility and influence, especially for newcomers or smaller players.
So… what counts as “open”?
With so many variations on “open,” it’s easy to fall into a purity trap where only the most idealistic, frictionless processes count. But that’s not realistic or fair.
Creating standards—real, robust, production-ready standards—takes work. Not just from the people writing specs or implementing test suites but also from the organizations that host the mailing lists, convene the calls, maintain the repositories, manage intellectual property frameworks, and, yes, pay the legal bills.
All of that takes resources. And as much as we’d like to imagine that open standards are forged purely through the goodwill of the global community, the truth is that most standards efforts today rely on a mix of volunteer labor, organizational backing, and structured funding models, some of which include paid memberships.
A new balance test
So no, we can’t simply demand that every standard be written by volunteers and hosted for free. That’s not how sustainable infrastructure gets built. But we can and should ask hard questions about transparency, participation, and accessibility.
Is the spec publicly available without a paywall?
Can you implement it without having to negotiate a license?
Are diverse voices meaningfully represented in its development?
Do the outcomes reflect shared infrastructure goals or just strategic product roadmaps?
We don’t need to shut down funding models. But we need to ensure those models don’t shut people out.
The goal isn’t to achieve some idealized version of openness. It’s to build systems that are accountable, adaptable, and inclusive. Standards that reflect a common foundation, not a competitive moat. And that’s a goal we can work toward, even in a world where time and money are very real constraints.
Open-ish is still better than closed
As much as we can and should debate the limits of openness in today’s standards processes, it’s worth remembering that things could be a lot worse. While many digital identity specifications land somewhere in the middle, open to read, semi-open to influence, gated in terms of governance, that’s still miles ahead of truly closed standards.
And yes, closed standards still exist, even in 2025.
Some of the world’s most critical systems rely on technical specifications that aren’t publicly available, freely implementable, or open to broad contribution.
Closed doors in standards
For example:
National identity systems in some countries are developed behind closed doors. Portions of India’s Aadhaar system or certain Gulf nation digital IDs may be guided by specifications that are either not published or only accessible to government contractors. That makes transparency, auditability, and public trust harder to achieve.
Vendor-specific federation protocols have a long history in enterprise environments. Before the rise of open federated identity standards like SAML or OIDC, systems like Microsoft’s WS-Federation created tightly coupled, proprietary identity flows. While still in use in some legacy contexts, these are controlled by the vendor, not a neutral standards body.
Biometric matching algorithms and data formats are another example. Many face or iris recognition technologies rely on proprietary encodings that are patented, licensed, or simply undisclosed. Even when governments use them, the standards involved may not be publicly accessible, let alone reviewable.
Even account provisioning APIs between enterprise SaaS providers can resemble closed standards. If your identity team has ever tried to automate user provisioning without access to well-documented SCIM endpoints, you’ve probably run into a “standard” that’s really just a private interface.
In that light, the “open-ish” systems start to look less like compromise and more like progress.
Schrödinger’s standards, both open and closed?
Yes, it can be frustrating that you need to be a member to vote at the OpenID Foundation. Yes, it’s not ideal that the FIDO Alliance limits participation to paying organizations. And yes, W3C Working Groups aren’t truly open in the democratic sense once you leave the Community Group stage.
But in all these cases, the resulting specifications are:
Freely available,
Implementable without proprietary dependencies, and
Increasingly shaped by diverse, global input.
That’s not perfect openness, but it’s a long way from closed. And it’s a path we can keep improving.
Want to stay updated? I write about digital identity and related standards—because someone has to keep track of all this! Subscribe to get a notification when new blog posts go live. No spam, just announcements of new posts. [Subscribe here]
Transcript
[00:00:00]
Welcome to the Digital Identity Digest, the audio companion to the blog at Spherical Cow Consulting. I’m Heather Flanagan, and every week I break down the evolving world of digital identity — from credentials and standards to browser quirks and policy challenges.
If you work with digital identity but don’t have time to follow every specification or hype cycle, you’re in the right place.
What Is an Open Standard?
[00:00:26]
Last week, I explored the Model Context Protocol (MCP) and why we need a better approach to standards development. Today, let’s dive deeper and ask a foundational question: what does it mean to build an open standard?
The phrase “open standard” is used often — and differently — by many:
Some say it simply means a spec is publicly readable.
Others emphasize transparency, royalty-free licensing, or governance processes.
Still others point to access, IP rights, or implementation freedom.
[00:01:17]
And this isn’t just a philosophical debate — it affects real-world outcomes in digital identity systems, from wallets and credentials to international trust frameworks. Open standards define who participates, how systems interoperate, and whether we avoid vendor lock-in.
Defining “Open” — Multiple Perspectives
[00:01:41]
Ask five experts, and you’ll get five different definitions:
Access-focused: If the standard is free to read, it’s open.
Process-focused: If it’s developed publicly and inclusively, it’s open.
IP-focused: If anyone can implement it without licensing hurdles, it’s open.
[00:02:10]
The ITU-T, a UN-recognized standards body, defines an open standard as:
“Made available to the general public, developed via a collaborative, consensus-driven process, facilitates interoperability, and intended for widespread adoption.”
They also stress:
Transparent development
Due process
Balanced input
Fair IP access
Long-term support
The OpenStand Principles: Internet DNA
[00:03:01]
Another influential model comes from the OpenStand Principles, endorsed in 2012 by:
IEEE
IETF
Internet Architecture Board
W3C
Internet Society
These organizations helped build the foundational architecture of the internet.
[00:03:31]
OpenStand emphasizes:
Cooperation between standards bodies
Foundational principles: transparency, consensus, balance
Collective empowerment: interoperability, innovation, benefit to humanity
Availability: fair access, voluntary adoption
Success through utility, not mandates
[00:04:14]
This model values technical merit, global scale, and inclusive participation — not just a downloadable PDF.
Why It Matters for Digital Identity
[00:04:35]
Digital identity isn’t “just software.” It’s infrastructure at the crossroads of:
Public services
Private platforms
Personal autonomy
It must work across borders, industries, and time, and do so securely, ethically, and interoperably.
And for that, open standards are non-negotiable.
Examining the Standards Bodies
[00:05:14]
Let’s look at how open actually plays out in the real world:
ISO
[00:05:17]
The ISO/IEC standards process is formal and respected. Specs like ISO 18013‑5 (for mobile driver’s licenses) guide legislation and roadmaps.
Pros: Highly structured; impactful.
Cons: Often behind a paywall. Participation requires national delegation or official channels — not easy for small players.
FIDO Alliance
[00:06:12]
Known for passkeys and strong authentication, FIDO uses a pay-to-play model.
Participation requires paid membership.
Specs are free to access and implement once published.
No licensing restrictions = a big plus for developers.
OpenID Foundation
[00:06:52]
Behind OpenID Connect and now working on OpenID for Verifiable Credentials.
Mailing lists are open.
Only paying members can vote.
All specs are freely available, making this model more inclusive than ISO, though still tilted toward funded voices.
W3C
[00:07:34]
W3C’s Digital Credentials API is a good case study.
Community groups are fully open — but cannot produce official standards.
To become a W3C Recommendation, work must move to a Working Group.
Working Group participation requires either:
Organizational membership (with dues), or
Invitation as an expert
Public input is welcome, but influence is limited.
Balancing Idealism and Practicality
[00:08:32]
So, what really counts as open?
There’s a danger in idealism — assuming only frictionless, volunteer-driven models are acceptable.
[00:08:59]
In reality, standards require:
Legal review
Infrastructure support
Paid staff
Long-term maintenance
We can’t demand “free everything” — but we can demand fairness in access and influence.
Ask these questions:
Can you read and implement the spec without legal or financial barriers?
Are diverse voices represented?
Does the result serve shared infrastructure, or just a vendor’s agenda?
When Standards Aren’t Open
[00:09:35]
Not all standards are even partially open:
Some national ID systems are built on unpublished specs.
Many biometric formats are proprietary and patented.
Even SaaS provisioning APIs are often undocumented and closed.
[00:10:09]
So yes — some open processes have flaws. But compared to that? Even “imperfect open” is progress.
A Positive Example: The Cyrus Foundation
[00:10:46]
A good example of a modern, open-leaning approach is the Cyrus Foundation:
Building an open‑source digital identity wallet
Prioritizes public standards like:
OpenID for Verifiable Credentials
FIDO2
ISO 18013‑5
[00:11:31]
Their code and process are public and transparent, with contributions welcomed from across the ecosystem.
Full disclosure: I serve as an advisor to Cyrus — but only because they’re getting it right.
[00:11:47]
The point isn’t that Cyrus is unique. What matters is their model — balancing practicality with open values, avoiding reinvented cryptography, and treating identity infrastructure as a shared foundation.
The Path Forward
[00:12:08]
And the good news? This future is already happening. We just need to keep showing up for it.
Wrapping Up
[00:12:23]
Thanks for listening to this episode of the Digital Identity Digest. If this helped clarify or spark interest, consider:
Sharing it with a colleague
Connecting with me on LinkedIn
Subscribing and rating the podcast
Visiting the full post at sphericalcowconsulting.com
[00:12:42]
Stay curious. Stay engaged. And let’s keep these conversations going.
The post Rethinking Digital Identity: What ARE Open Standards? appeared first on Spherical Cow Consulting.