On 10/23/2013 08:31 PM, Joseph Lorenzo Hall wrote:
> NIST appears to have learned from this that the standardization
> process has to be equally as transparent as the
> competition/cryptanalysis process. That's a very good thing.
There is still something to learn for NIST when it comes to good
standardization principles, such as those outlined by OpenStand
http://open-stand.org/principles/
I am sure you have seen the related post from the IAB on this topic:
http://www.iab.org/2013/10/23/comments-from-the-iab-on-nist-sp-800-90a-proceeding/
But it would be unfair to just complain about NIST when many other
government bodies aren't any better. I will share one story I
experienced recently with the Network and Information Security (NIS)
platform created by the European Commission (EC). This group was created in
response to the regulation on cybersecurity proposed by the EC.
The responsible persons from the EC decided to organize a f2f meeting
in early June to get their work started. Around 150 persons from all
sectors of the industry showed up to the meeting (mostly from bigger
corporations who have public policy people in Brussels), since the
meeting was announced on short notice.
The meeting was led by Giuseppe Abbamonte, and he ran the meeting in the
style expressed on their webpage: "the Commission will select the
platform participants, with a view to ensuring a balanced and manageable
representation of the different stakeholders."
At the end of the meeting he came up with the idea that there should be
3 groups with a maximum of 20 persons each, and that he would nominate the
persons for those groups.
I dared to suggest following a model like the IETF's, with open
participation. He shouted at me and said that this would never happen.
The argument was that this has never worked in the EC so far.
Of course the people in the room quickly noticed that 3x20 is nowhere
near 150, and so more than half of the participants of the f2f meeting
wouldn't be allowed to participate in the work. (I ignore those who
weren't able to show up at the f2f meeting, or smaller enterprises who
don't have the budget to fly to Brussels just to chat.) I am sure most
of them had no expectation that it would lead to something useful, but
they at least wanted to follow it and jump in when it completely goes in
the wrong direction.
An hour later the model was changed and larger groups were allowed;
that's still far away from an IETF-style participation model.
These are the types of groups who are supposed to develop solutions to
improve the security of the Internet.
Ciao
Hannes
_______________________________________________
perpass mailing list
perpass@ietf.org
https://www.ietf.org/mailman/listinfo/perpass