Hi Hannes, Good point, the comments as an expert reviewer were not published, nor was the response. However in the development of the framework from the Cyber Security Executive order, NIST did publish all of the contributions. I was heavily involved in that for EMC, although I did not have time to attend the workshops that followed.
Responses, I believe, just go directly to the submitter. We, as a company, have had comments rejected (different document) and have submitted them again for subsequent revisions of the documents. The explanations were reasonable, although we didn't necessarily agree and the instance I am referring to is not something that would cause a security concern. The IETF's level of transparency exceeds many other standards development organizations. Thanks, Kathleen -----Original Message----- From: Hannes Tschofenig [mailto:[email protected]] Sent: Friday, October 25, 2013 10:31 AM To: Moriarty, Kathleen; Joseph Lorenzo Hall; Stephen Kent; perpass Subject: Re: [perpass] Standards in the age of pervasive suspicion Hi Kathleen, in my mail below I had shared one example of how the process in other parts of the world look like and actually defended NIST to a certain extend. However, I had some experience with NIST myself, for example with the NSTIC work. I am sure there are other on the list who have had experience with other initiatives, such as the SmartGrid. Take your experience described below and compare it with the IETF. Have your comments been published somewhere and are they accessible to the public? What is the decision process for incorporating comments from different sources? What is the dispute resolution process? Ciao Hannes On 10/25/2013 03:51 PM, Moriarty, Kathleen wrote: > As the final expert reviewer on a fairly recent NIST publication > (about 1 year ago), I will attest to their good practices. They do > work on standards collaboratively, take open calls for feedback and > then provide responses to those who comment. > > I wound up reading the document 5 different times, providing feedback > in each instance that was typically accepted and all responses were > reasonable. They do make an effort to find an expert in the area of > the standard publication as well. > > I did not read the full thread, so sorry if any of this was > out-of-context, but I thought the first-hand experience and their use > of a final external reviewer might be helpful for some to understand. > > Best regards, Kathleen > > -----Original Message----- From: [email protected] > [mailto:[email protected]] On Behalf Of Hannes Tschofenig > Sent: Friday, October 25, 2013 3:59 AM To: Joseph Lorenzo Hall; > Stephen Kent; perpass Subject: Re: [perpass] Standards in the age of > pervasive suspicion > > On 10/23/2013 08:31 PM, Joseph Lorenzo Hall wrote: >> NIST appears to have learned from this that the standardization >> process has to be equally as transparent as the >> competition/cryptanalysis process. That's a very good thing. > > There is still something to learn for NIST when it comes to good > standardization principles, such as those outlined by OpenStand > http://open-stand.org/principles/ > > I am sure you have seen the related post from the IAB on this topic: > http://www.iab.org/2013/10/23/comments-from-the-iab-on-nist-sp-800-90a > -proceeding/ > > But it would be unfair to just complain about NIST when many other > government bodies aren't any better. I will share one story I > experienced recently with the European Commission (EC) created Network > and Information Security (NIS) platform. This group was created in > response to the proposed regulation on CyberSecurity by the EC. > > The responsible persons from the EC decided to organize a f2f meeting > early June to get their work started. Around 150 persons from all > sectors in the industry showed up to the meeting (mostly from bigger > cooperations who have public policy people in Brussels) since the > meeting was announced short notice. > > The meeting was lead by Giuseppe Abbamonte and he ran the meeting in > the style expressed at their webpage: "the Commission will select the > platform participants, with a view to ensuring a balanced and > manageable representation of the different stakeholders." > > At the end of the meeting he came up with the idea that there should > be 3 groups with maximum 20 persons each and he will nominate the > persons for those groups. > > I dared to suggest to follow a model like in the IETF with open > participation. He shouted at me and said that this will never happen. > The argument was that this has never worked in the EC so far. > > Of course the folks in the participating people in the room quickly > noticed that 3x20 by no means leads to 150 and so more than half of > the participants of the f2f meeting wouldn't be allowed to participate > in the work. (I ignore those who weren't able to show up at the f2f > meeting or smaller enterprises who don't have the budget to fly to > Brussels just to chat.) I am sure most of them had no expectation that > it would lead to something useful but they at least wanted to follow > it and jump it when it completely goes into the wrong direction. > > An hour later the model was changed and larger groups were allowed; > that's still far away from an IETF type of participation style. > > These are the types of groups who are supposed to develop solutions to > improve the security of the Internet. > > Ciao Hannes > > > _______________________________________________ perpass mailing list > [email protected] https://www.ietf.org/mailman/listinfo/perpass > > _______________________________________________ perpass mailing list > [email protected] https://www.ietf.org/mailman/listinfo/perpass > _______________________________________________ perpass mailing list [email protected] https://www.ietf.org/mailman/listinfo/perpass
