Hi Kathleen,
as you mentioned, the process used by NIST far exceeds what other
organizations do today. They also employ a lot of great technical people
(and we got to know some of them better) and so there is less risk that
the work goes in the wrong direction. This is the reason why we trusted
their recommendations.
While there is still room for improvement, many other organizations have
yet to reach even that level.
I think the OpenStand document is a good template. While it is written
with a focus on traditional standardization in mind I believe it has
much broader applicability.
Ciao
Hannes
On 10/25/2013 04:46 PM, Moriarty, Kathleen wrote:
Hi Hannes,
Good point, the comments as an expert reviewer were not published,
nor was the response. However in the development of the framework
from the Cyber Security Executive order, NIST did publish all of the
contributions. I was heavily involved in that for EMC, although I
did not have time to attend the workshops that followed.
Responses, I believe, just go directly to the submitter. We, as a
company, have had comments rejected (different document) and have
submitted them again for subsequent revisions of the documents. The
explanations were reasonable, although we didn't necessarily agree
and the instance I am referring to is not something that would cause
a security concern.
The IETF's level of transparency exceeds many other standards
development organizations.
Thanks, Kathleen
-----Original Message-----
From: Hannes Tschofenig [mailto:[email protected]]
Sent: Friday, October 25, 2013 10:31 AM
To: Moriarty, Kathleen; Joseph Lorenzo Hall; Stephen Kent; perpass
Subject: Re: [perpass] Standards in the age of pervasive suspicion
Hi Kathleen,
in my mail below I had shared one example of what the process in other
parts of the world looks like and actually defended NIST to a certain
extent.
However, I have had some experience with NIST myself, for example with the
NSTIC work. I am sure there are others on the list who have had
experience with other initiatives, such as the SmartGrid.
Take your experience described below and compare it with the IETF.
Have your comments been published somewhere and are they accessible
to the public? What is the decision process for incorporating
comments from different sources? What is the dispute resolution
process?
Ciao Hannes
On 10/25/2013 03:51 PM, Moriarty, Kathleen wrote:
As the final expert reviewer on a fairly recent NIST publication
(about 1 year ago), I will attest to their good practices. They
do work on standards collaboratively, take open calls for feedback
and then provide responses to those who comment.
I wound up reading the document 5 different times, providing
feedback in each instance that was typically accepted and all
responses were reasonable. They do make an effort to find an
expert in the area of the standard publication as well.
I did not read the full thread, so sorry if any of this was
out-of-context, but I thought the first-hand experience and their
use of a final external reviewer might be helpful for some to
understand.
Best regards, Kathleen
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Hannes Tschofenig
Sent: Friday, October 25, 2013 3:59 AM
To: Joseph Lorenzo Hall; Stephen Kent; perpass
Subject: Re: [perpass] Standards in the age of pervasive suspicion
On 10/23/2013 08:31 PM, Joseph Lorenzo Hall wrote:
NIST appears to have learned from this that the standardization
process has to be equally as transparent as the
competition/cryptanalysis process. That's a very good thing.
There is still something to learn for NIST when it comes to good
standardization principles, such as those outlined by OpenStand
http://open-stand.org/principles/
I am sure you have seen the related post from the IAB on this
topic:
http://www.iab.org/2013/10/23/comments-from-the-iab-on-nist-sp-800-90a-proceeding/
But it would be unfair to just complain about NIST when many other
government bodies aren't any better. I will share one story I
experienced recently with the Network and Information Security (NIS)
platform created by the European Commission (EC). This group was
created in response to the proposed regulation on CyberSecurity by
the EC.
The responsible persons from the EC decided to organize a f2f
meeting in early June to get their work started. Around 150 persons
from all sectors of the industry showed up at the meeting (mostly
from bigger corporations who have public policy people in Brussels),
since the meeting was announced on short notice.
The meeting was led by Giuseppe Abbamonte and he ran the meeting
in the style expressed at their webpage: "the Commission will
select the platform participants, with a view to ensuring a
balanced and manageable representation of the different
stakeholders."
At the end of the meeting he came up with the idea that there
should be 3 groups with a maximum of 20 persons each and that he would
nominate the persons for those groups.
I dared to suggest following a model like the IETF's, with open
participation. He shouted at me and said that this will never
happen. The argument was that this has never worked in the EC so
far.
Of course the participating people in the room quickly noticed
that 3x20 by no means adds up to 150 and so more than
half of the participants of the f2f meeting wouldn't be allowed to
participate in the work. (I ignore those who weren't able to show
up at the f2f meeting or smaller enterprises who don't have the
budget to fly to Brussels just to chat.) I am sure most of them had
no expectation that it would lead to something useful but they at
least wanted to follow it and jump in when it goes completely in
the wrong direction.
An hour later the model was changed and larger groups were
allowed; that's still far away from an IETF type of participation
style.
These are the types of groups who are supposed to develop solutions
to improve the security of the Internet.
Ciao Hannes
_______________________________________________ perpass mailing
list [email protected]
https://www.ietf.org/mailman/listinfo/perpass