Hi Kathleen,
in my mail below I had shared one example of how the process in other
parts of the world look like and actually defended NIST to a certain
extend.
However, I had some experience with NIST myself, for example with the
NSTIC work. I am sure there are other on the list who have had
experience with other initiatives, such as the SmartGrid.
Take your experience described below and compare it with the IETF. Have
your comments been published somewhere and are they accessible to the
public? What is the decision process for incorporating comments from
different sources? What is the dispute resolution process?
Ciao
Hannes
On 10/25/2013 03:51 PM, Moriarty, Kathleen wrote:
As the final expert reviewer on a fairly recent NIST publication
(about 1 year ago), I will attest to their good practices. They do
work on standards collaboratively, take open calls for feedback and
then provide responses to those who comment.
I wound up reading the document 5 different times, providing feedback
in each instance that was typically accepted and all responses were
reasonable. They do make an effort to find an expert in the area of
the standard publication as well.
I did not read the full thread, so sorry if any of this was
out-of-context, but I thought the first-hand experience and their use
of a final external reviewer might be helpful for some to
understand.
Best regards, Kathleen
-----Original Message----- From: [email protected]
[mailto:[email protected]] On Behalf Of Hannes Tschofenig
Sent: Friday, October 25, 2013 3:59 AM To: Joseph Lorenzo Hall;
Stephen Kent; perpass Subject: Re: [perpass] Standards in the age of
pervasive suspicion
On 10/23/2013 08:31 PM, Joseph Lorenzo Hall wrote:
NIST appears to have learned from this that the standardization
process has to be equally as transparent as the
competition/cryptanalysis process. That's a very good thing.
There is still something to learn for NIST when it comes to good
standardization principles, such as those outlined by OpenStand
http://open-stand.org/principles/
I am sure you have seen the related post from the IAB on this topic:
http://www.iab.org/2013/10/23/comments-from-the-iab-on-nist-sp-800-90a-proceeding/
But it would be unfair to just complain about NIST when many other
government bodies aren't any better. I will share one story I
experienced recently with the European Commission (EC) created
Network and Information Security (NIS) platform. This group was
created in response to the proposed regulation on CyberSecurity by
the EC.
The responsible persons from the EC decided to organize a f2f meeting
early June to get their work started. Around 150 persons from all
sectors in the industry showed up to the meeting (mostly from bigger
cooperations who have public policy people in Brussels) since the
meeting was announced short notice.
The meeting was lead by Giuseppe Abbamonte and he ran the meeting in
the style expressed at their webpage: "the Commission will select the
platform participants, with a view to ensuring a balanced and
manageable representation of the different stakeholders."
At the end of the meeting he came up with the idea that there should
be 3 groups with maximum 20 persons each and he will nominate the
persons for those groups.
I dared to suggest to follow a model like in the IETF with open
participation. He shouted at me and said that this will never
happen. The argument was that this has never worked in the EC so
far.
Of course the folks in the participating people in the room quickly
noticed that 3x20 by no means leads to 150 and so more than half of
the participants of the f2f meeting wouldn't be allowed to
participate in the work. (I ignore those who weren't able to show up
at the f2f meeting or smaller enterprises who don't have the budget
to fly to Brussels just to chat.) I am sure most of them had no
expectation that it would lead to something useful but they at least
wanted to follow it and jump it when it completely goes into the
wrong direction.
An hour later the model was changed and larger groups were allowed;
that's still far away from an IETF type of participation style.
These are the types of groups who are supposed to develop solutions
to improve the security of the Internet.
Ciao Hannes
_______________________________________________ perpass mailing list
[email protected] https://www.ietf.org/mailman/listinfo/perpass
_______________________________________________ perpass mailing list
[email protected] https://www.ietf.org/mailman/listinfo/perpass
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
