As the final expert reviewer on a fairly recent NIST publication (about 1 year 
ago), I will attest to their good practices.  They do work on standards 
collaboratively, take open calls for feedback and then provide responses to 
those who comment.

I wound up reading the document 5 different times, providing feedback in each 
instance that was typically accepted and all responses were reasonable.  They 
do make an effort to find an expert in the area of the standard publication as 
well.

I did not read the full thread, so sorry if any of this was out-of-context, but 
I thought the first-hand experience and their use of a final external reviewer 
might be helpful for some to understand.

Best regards,
Kathleen 

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of 
Hannes Tschofenig
Sent: Friday, October 25, 2013 3:59 AM
To: Joseph Lorenzo Hall; Stephen Kent; perpass
Subject: Re: [perpass] Standards in the age of pervasive suspicion

On 10/23/2013 08:31 PM, Joseph Lorenzo Hall wrote:
> NIST appears to have learned from this that the standardization 
> process has to be equally as transparent as the 
> competition/cryptanalysis process. That's a very good thing.

There is still something to learn for NIST when it comes to good 
standardization principles, such as those outlined by OpenStand 
http://open-stand.org/principles/

I am sure you have seen the related post from the IAB on this topic:
http://www.iab.org/2013/10/23/comments-from-the-iab-on-nist-sp-800-90a-proceeding/

But it would be unfair to just complain about NIST when many other government 
bodies aren't any better. I will share one story I experienced recently with 
the European Commission (EC) created Network and Information Security (NIS) 
platform. This group was created in response to the proposed regulation on 
CyberSecurity by the EC.

The responsible persons from the EC decided to organize a f2f meeting early 
June to get their work started. Around 150 persons from all sectors in the 
industry showed up to the meeting (mostly from bigger corporations who have 
public policy people in Brussels) since the meeting was announced at short notice.

The meeting was led by Giuseppe Abbamonte and he ran the meeting in the style 
expressed at their webpage: "the Commission will select the platform 
participants, with a view to ensuring a balanced and manageable representation 
of the different stakeholders."

At the end of the meeting he came up with the idea that there should be
3 groups with a maximum of 20 persons each and that he would nominate the persons for 
those groups.

I dared to suggest following a model like the IETF's, with open participation. 
He shouted at me and said that this will never happen. 
The argument was that this has never worked in the EC so far.

Of course the participating people in the room quickly noticed 
that 3x20 by no means leads to 150 and so more than half of the participants of 
the f2f meeting wouldn't be allowed to participate in the work. (I ignore those 
who weren't able to show up at the f2f meeting or smaller enterprises who don't 
have the budget to fly to Brussels just to chat.) I am sure most of them had no 
expectation that it would lead to something useful but they at least wanted to 
follow it and jump in when it completely goes in the wrong direction.

An hour later the model was changed and larger groups were allowed; that's 
still far away from an IETF type of participation style.

These are the types of groups who are supposed to develop solutions to improve 
the security of the Internet.

Ciao
Hannes


_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
