Comment by bborud
8 months ago
No aspect of this is good for anyone. First, standards you have to pay to obtain are a really, really bad thing. Second, I wish more effort would go into designing standards and implementations that aren't such an endless time sink when you need them.
I agree about ISO, but I don't think there's a meaningful "toll gate" in this case: the standards are already free and public, this seems to just assign them identities in the ISO's standardization namespace.
(I'm at a loss to explain what benefit comes from being assigned an ISO standard versus putting a HTML document on the Internet.)
> (I'm at a loss to explain what benefit comes from being assigned an ISO standard versus putting a HTML document on the Internet.)
From the article:
"[ISO certification] should foster even broader adoption of OpenID Connect by enabling deployments in jurisdictions around the world that have legal requirements to use specifications from standards bodies recognized by international treaties, of which ISO is one."
The point was that countries clearly recognize standards that aren't bound to an ISO (or other international standards) process, given that every country in the world uses TCP, HTTP, and HTML.
(Unless we're now considering the IETF/W3C an international standards body? I can't find a good list of these anywhere.)
Any sort of government or similarly "official" organization loves to refer to ISO standard XXXX instead of writing out a summary of the standard when they document things.
Sometimes you see the same thing with organizations referring to web RFCs. It's likely because of a general culture of "don't try to invent new things if you already have a reference for it", although it doesn't really tend to make those documents readable.
> (I'm at a loss to explain what benefit comes from being assigned an ISO standard versus putting a HTML document on the Internet.)
Single source of truth. The internet has been plagued by numerous incompatible implementations of the same thing. There are numerous tests [0] showing incompatibility between simple serialization format JSON. How many times have you heard "Yeah, nice feature, but virtually nothing implements it"? A standard becomes whatever the majority of highly adopted implementations do instead of the formal specification. This is what you get for putting a HTML document on the internets. ISO standardization somewhat reduced this effect.
> but I don't think there's a meaningful "toll gate" in this case: the standards are already free and public
A major problem with ISO standards is that they cross-reference each other. It's rare NOT to find a definition "X as defined in ISO 12345". A complex product may need to reference hundreds of ISO standards.
Somewhat tautologically, I agree with you, as in reality things are probably going to be implemented referencing subtly incompatible tutorials on the internet but will claim ISO compatibility.
[0]: https://www.getlazarus.org/json/tests/
> Single source of truth.
So to get a single source of truth we make, presumably, the same truth have more sources.
I think I know what you mean (sources as in standards organizations, not individual standards), but I also think that people arrive at this odd position because they aren't actually thinking about the practicality and the absurdity of making the world more complex and confusing.
> I don't think there's a meaningful "toll gate" in this case: the standards are already free and public
See Adobe and PDF: PDF 1.7 was available gratis from Adobe and also (“technically identical to”) an ISO standard. At the time, people expressed concerns about ISO’s paywalls and Adobe reassured them there was an agreement to ensure that wouldn’t happen. Indeed it did not... until PDF 2.0 came along, developed at the ISO, and completely paywalled.
I seem to remember (but don’t quote me on that) that AVIF and JPEG XL standards were at one point downloadable free of charge. In any case, they aren’t today.
This has now been remedied:
https://pdfa.org/sponsored-standards/
Why does the internet not make this stuff an RFC? Email and TCP are RFCs, so are other critical aspects, and global companies use them all the time.
There is an RFC for OAuth 2 interestingly enough: https://www.rfc-editor.org/rfc/rfc6749
Historically the IETF has been reluctant to get involved with Identity (and hence authentication) for various reasons. There are a few standards bodies in this area and they all have their strengths and weaknesses (the presentation by Heather Flanagan someone linked to elsewhere in the thread gives a good introduction).
Even some RFCs are basically available as ISO standards and vice versa, e.g. for time/date formats you almost never need to buy ISO8601 and can just read RFC3339 (which is technically a 'profile' of ISO8601).