I came across an interesting eWeek blog entry in which Michael Vizard makes some good points about the lack of standards in Identity Management. He is right that there is no real standard for producing the physical credentials that prove identity. A comprehensive framework for physical provisioning and Access Management makes sense to me, but I do have a concern: if the framework for creating Access Management tokens is published, the standard itself becomes a target, and it is that much easier to study it for ways to compromise those tokens.
Mitigating this concern is the fact that there are several ways to ensure the validity of an issued token. The FIPS standard cited in the blog entry makes heavy use of PKI, so a token's authenticity rests on the issuer's signing keys rather than on the format of the token being secret. I would assume hashed attributes would be a part of the token as well.
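As an added illustration of that mitigating point, and not code from the blog entry, from Vizard, or from any FIPS document: a hypothetical token whose layout is entirely public, carrying a hash of the holder's attributes and an Ed25519 signature from the issuer. The `Token` struct, the `Issue` and `Verify` functions, the issuer and subject names and the sample attributes are all my own assumptions for the demo. Knowing the format lets anyone build a token, but it verifies only under the issuer's public key and only when the presented attributes match the hash that was signed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
)

// Token is a hypothetical credential layout used only for this illustration;
// it is not the FIPS token format the blog entry refers to. Everything in it
// is public: the protection comes from the issuer's signature, not from secrecy.
type Token struct {
	Issuer    string `json:"issuer"`
	Subject   string `json:"subject"`
	AttrHash  string `json:"attr_hash"` // SHA-256 over the canonicalised attributes
	Signature string `json:"signature"` // Ed25519 over the token with Signature empty
}

// hashAttributes commits to the holder's attributes without printing them on
// the token. Keys are sorted and each key/value is length-prefixed so that two
// different attribute sets cannot produce the same byte stream.
func hashAttributes(attrs map[string]string) string {
	keys := make([]string, 0, len(attrs))
	for k := range attrs {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	h := sha256.New()
	for _, k := range keys {
		fmt.Fprintf(h, "%d:%s%d:%s", len(k), k, len(attrs[k]), attrs[k])
	}
	return hex.EncodeToString(h.Sum(nil))
}

// signingInput is the canonical byte string the issuer signs: the token with
// the Signature field cleared. json.Marshal emits struct fields in declaration
// order, so issuer and verifier compute identical bytes.
func signingInput(t Token) []byte {
	t.Signature = ""
	b, err := json.Marshal(t)
	if err != nil {
		panic(err) // cannot happen for this struct of plain strings
	}
	return b
}

// Issue builds a token and signs it with the issuer's private key.
func Issue(priv ed25519.PrivateKey, issuer, subject string, attrs map[string]string) Token {
	t := Token{Issuer: issuer, Subject: subject, AttrHash: hashAttributes(attrs)}
	t.Signature = hex.EncodeToString(ed25519.Sign(priv, signingInput(t)))
	return t
}

// Verify accepts a token only if the signature checks out under the trusted
// issuer key and the presented attributes match the hash that was signed.
func Verify(pub ed25519.PublicKey, t Token, attrs map[string]string) bool {
	sig, err := hex.DecodeString(t.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	if !ed25519.Verify(pub, signingInput(t), sig) {
		return false
	}
	return t.AttrHash == hashAttributes(attrs)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample attributes for the demo.
	attrs := map[string]string{"name": "A. Example", "agency": "Example Dept"}
	tok := Issue(priv, "example-issuer", "emp-0001", attrs)
	fmt.Println("genuine token verifies:", Verify(pub, tok, attrs))

	// Anyone who knows the format can construct a token, but without the
	// issuer's private key it will not verify under the relying party's key.
	_, forgerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := Issue(forgerPriv, "example-issuer", "emp-0001", attrs)
	fmt.Println("forged token verifies:", Verify(pub, forged, attrs))

	// Changing a signed field after issuance invalidates the signature.
	tampered := tok
	tampered.Subject = "emp-9999"
	fmt.Println("tampered token verifies:", Verify(pub, tampered, attrs))
}
```

The relying party needs only the issuer's public key and the published layout; the private key never leaves the issuer, which is the property a published framework relies on.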
My other primary concern is that both of the examples Vizard cites are governmental in nature. It would make much more sense to me if a private sector standard were cited as well.
It will be interesting to see how this develops in both the public and private sectors.