

Subject: Re: [ekmi] RE: Point of clarification on OASIS process


Hi Mary,

The core problem here is a fundamental lack of due diligence. You said:
"Based on my conversations the co-proposers are very much aware of the
existing work and feel that their needs can best be met by forming a new
technical committee." For this to be true, then the proposers of the new
charter would have had to have spoken with the EKMI TC to determine if
they were, in fact, better off going their own way. That they have
stated to you that they believe their work is better off independent is
not adequate, and should not be acceptable to OASIS, given that the KMIP
founders never spoke to the EKMI TC, nor have they actively participated
in the EKMI TC. How do they know that their work is so incompatible
without having a conversation?

This proposed charter for KMIP has not been adequately researched. Due
diligence has not been performed. As such, OASIS should not allow the TC
to form until these concerns have been addressed. If OASIS does not do
so, then it creates a situation where two OASIS TCs may end up doing
identical work, creating more confusion than already exists in this
area. I find it unsettling that OASIS would strongly defend an
improperly vetted charter that goes against the very mission of the
organization.

Thank you,

-ben

-- 
Benjamin Tomhave, MS, CISSP
falcon@secureconsulting.net
LI: http://www.linkedin.com/in/btomhave
Blog: http://www.secureconsulting.net/
Photos: http://photos.secureconsulting.net/
Web: http://falcon.secureconsulting.net/

[ Random Quote: ]
"Kids, you tried your best and you failed miserably. The lesson is,
never try."
Homer Simpson

Mary McRae wrote:
> Hi Ben,
> 
>   Let me try to address your concerns one by one.
> 
> Re: observer status
>   An OASIS member is able to join any OASIS TC as either a "Member" or
> "Observer." Those with observer status are not visible to the outside world;
> the only advantage an observer has over anyone else who is either an OASIS
> member but not part of the group, or a non-OASIS member, is that they are
> subscribed read-only to the email list. All work of a TC (email lists,
> document repository, meeting minutes, etc.) is always publicly accessible;
> that is to say that anyone has the same access as an observer. A non-member
> would need to actively monitor the email archives to keep up with the
> discussions. 
> 
> Re: membership in other committees/organizations
>   I would expect someone with an interest in a particular area to be
> involved in as many related groups as possible and to keep apprised of all
> ongoing activities. We certainly see that OASIS members are often involved
> in multiple TCs that are related in some way as well as numerous other
> organizations doing similar work. It's often from a solid understanding of
> the existing work that one can identify gaps or alternative solutions that
> their organization may see as having greater potential than those currently
> available/in development. Alternatively their employer may be a proponent of
> one approach over another and therefore participation is restricted.
> 
> Re: due diligence
>   Based on my conversations the co-proposers are very much aware of the
> existing work and feel that their needs can best be met by forming a new
> technical committee. While non-members can't speak in a TC meeting, there is
> nothing to prevent a group of individuals from getting together and talking,
> should they so choose. You must also remember, however, that in this
> particular case you are not speaking about an individual who is representing
> his or her own interest, but someone who is representing the interest of his
> or her employer, as is the case for many OASIS members, including
> consultants who may be participating on behalf of one or more of their
> clients.
> 
> Re: convergence
>   There is nothing prohibiting any or all the members of the EKMI TC from
> joining the proposed KMIP TC when it is formed; I personally would recommend
> it if you are interested to help shape its development. I would also hope
> that if the members of this group are not actively participating in similar
> work occurring elsewhere that they are at least following its progress
> (either as observers or by reading publicly-accessible mail archives,
> document repositories, etc.). It may be appropriate (and likely) that a
> liaison relationship between the two committees be established. It is not
> uncommon to find what once appeared to be separate and competing interests
> to be integrated in the future. 
> 
> In the end neither I, nor anyone on staff at OASIS, is a subject matter
> expert in this particular area. I do believe that everyone involved in these
> efforts - whether it be EKMI, KMIP, or that of another organization - *is* a
> subject matter expert. And they have different opinions as to whether the
> work is duplication, a variant, a superset, or something altogether
> different. I am not attempting to dismiss your arguments; in fact these very
> questions are raised when a group first proposes to bring work to OASIS.
> There have been occasions where a proposing group hasn't been aware of other
> ongoing work or has not seen the relationship between their work and that of
> a related group. We try to expose those connections where we can. We let our
> members help out as well by having the ability to submit comments on the
> proposed charter, and give the proposing group the opportunity to revise the
> proposal as they feel is appropriate before the final Call for Participation
> is issued. That said, at the end of the day, everyone may not be happy, but
> at least they had the opportunity to be heard and make their views known.
> 
> Regards,
> 
> Mary
> 
> 
>> -----Original Message-----
>> From: Benjamin Tomhave [mailto:tomhave@secureconsulting.net]
>> Sent: Saturday, February 21, 2009 7:07 PM
>> To: mary.mcrae@oasis-open.org
>> Cc: 'Arshad Noor'; 'ekmi'
>> Subject: Re: [ekmi] RE: Point of clarification on OASIS process
>>
>> Hi Mary,
>>
>> Thank you for taking the time to respond in detail. I think many of us
>> appreciate the desire to allow competing standards to ensure that the
>> public is given the best possible choices. However, where I think I
>> disagree with you is in the particulars of the charter process here.
>> Specifically, the way you've explained things, and the way that the KMIP
>> charter has been launched, suggests that OASIS is, wittingly or not,
>> enabling gamesmanship on the part of a vendor who does not seem to be
>> acting in good faith.
>>
>> In point of fact, the convener of the KMIP TC is an observer of the EKMI
>> TC, as well as a believed member of the IEEE P1619.3 committee that is
>> also developing a key management standard. Due to the observer status,
>> this individual is not allowed to participate in the EKMI TC, which I
>> think is where we have an interesting dilemma. Rather than become a
>> member of and express their viewpoint in the EKMI TC, they've instead
>> splintered off without performing due diligence to create a competing
>> standard.
>>
>> It's this last point of due diligence where I am particularly concerned,
>> and where I hope you and the OASIS board might look to make changes
>> going forward. Any proposed technical committee should be required to
>> first evaluate existing committees to determine whether or not overlap,
>> or congruency, will exist with their proposed charter. In the case where
>> there is apparent overlap or congruency, the proposers should be
>> required to engage an existing committee to first evaluate the
>> opportunity to contribute to the existing project in the way they
>> desire, and to allow the convened TC an opportunity to identify new
>> prospective members and perspectives that may not have been otherwise
>> considered. This lack of requirement for due diligence actually
>> undermines the work of both the convened and proposed committees by
>> creating a line of exclusivity that prohibits optimal creativity and
>> development.
>>
>> In this specific case, there is reason to believe that RSA/EMC has ideas
>> congruent with the work of the EKMI TC that they'd like to see
>> developed. It would have been highly appropriate for them, as observers
>> of the EKMI TC, to discuss those ideas in some venue with the EKMI TC
>> before launching their own competing TC. If the OASIS rules do not allow
>> an observer to enter into these discussions, then the rules need to be
>> changed. Where you've claimed an opportunity for open competition, we
>> see a case of the development process being undermined. An observing
>> member of the TC, rather than contributing to the TC, has opted to form
>> a competing TC with what appears to be considerable overlap and
>> congruency. This should be a cause for concern to OASIS.
>>
>> OASIS, by its own description, exists to drive "the development,
>> convergence and adoption of open standards for the global information
>> society." Yet in this case, by not requiring or permitting the
>> performance of due diligence, OASIS is actually working against
>> convergence within the key management space, creating division and
>> discord where there could, and probably should, be cooperation and
>> collaboration. This event seems to work completely contrary to the
>> objective of OASIS.
>>
>> It's unclear at this point if there is any way to address these concerns
>> between EKMI and KMIP, but it would be highly valuable to convene a
>> joint call between the KMIP proposers and the EKMI TC to see if there
>> really is a reason for the two separate TCs to exist. If this is not
>> possible, particularly due to OASIS rules, then it would be my sincere
>> hope that the OASIS board would perform a critical review of this
>> situation with an eye toward making improvements so that similar
>> situations do not arise in the future. Convergence cannot occur if
>> conversations cannot be held.
>>
>> Thank you,
>>
>> -ben
>>
>> --
>> Benjamin Tomhave, MS, CISSP
>> falcon@secureconsulting.net
>> LI: http://www.linkedin.com/in/btomhave
>> Blog: http://www.secureconsulting.net/
>> Photos: http://photos.secureconsulting.net/
>> Web: http://falcon.secureconsulting.net/
>>
>> [ Random Quote: ]
>> "We cannot despair of humanity, since we ourselves are human beings."
>> Albert Einstein
>>
>> Mary McRae wrote:
>>> Hi Arshad,
>>>
>>>   Let me respond as the OASIS TC Administrator - my responsibilities include
>>> overseeing all aspects of the TC Process and making sure it is adhered to.
>>> It appears that the KMIP co-proposer group is very much aware of the
>>> existence of the EKMI TC and have referenced its work in their proposed
>>> charter.
>>>
>>>   There is no OASIS policy prohibiting one TC from working in a similar area
>>> to another; if that were the case we would not have both DocBook and DITA
>>> TCs - while I can certainly differentiate between the two, many can't, and
>>> both groups would argue that you don't really need the other. There are
>>> similar examples in many other functional areas.  By permitting multiple
>>> projects to grow in parallel, OASIS now has fostered several viable
>>> technologies, which have differentiated over time, each with its own niche.
>>> Implementers often choose to use them in combinations the proposers might
>>> not have expected.
>>>
>>>   A TC does not have veto rights over the creation of a new TC; in fact, as
>>> long as the requisite number of co-proposers meeting our requirements put
>>> forth a valid proposal it is accepted. I encourage the members to submit
>>> comments on the proposed charter and anticipate that the co-proposers are
>>> anxious to respond.
>>>
>>> Best regards,
>>>
>>> Mary
>>>
>>>> -----Original Message-----
>>>> From: Arshad Noor [mailto:arshad.noor@strongauth.com]
>>>> Sent: Tuesday, February 17, 2009 3:01 PM
>>>> To: 'James Bryce Clark'; Mary McRae; Dee Schur
>>>> Cc: Robin Cover; ekmi; laurent liscia
>>>> Subject: Point of clarification on OASIS process
>>>>
>>>> Jamie/Mary/Dee,
>>>>
>>>> As Robin may have indicated to you all, there is near unanimous
>>>> consensus in the EKMI TC (one member withheld his opinion because
>>>> he hadn't read the KMIP TC charter yet) that the KMIP TC charter
>>>> overlaps the EKMI TC's charter (the meeting notes should be out
>>>> as soon as Anil posts them).
>>>>
>>>> While OASIS process may allow the release of any new TC's charter
>>>> for discussion, the EKMI TC is, obviously, disappointed that this
>>>> new charter was released without any discussion with the EKMI TC
>>>> beforehand, to avoid potential embarrassment to EKMI TC members
>>>> and OASIS in the public arena.  After all, OASIS EKMI TC members
>>>> have only been working on this for 2+ years with laser-like vision
>>>> and focus and reached Committee Specification status, while the
>>>> IEEE effort has been floundering for lack of vision and the IETF
>>>> work is reviewing its own focus as it starts to overlap with the
>>>> EKMI work (they are even incorporating some SKSML concepts into
>>>> their own schema now).
>>>>
>>>> Now that the cat is out of the bag, the TC is interested in
>>>> understanding OASIS policy/process wrt duplicate/overlapping
>>>> charters of an existing TC and a potential new TC.  What is
>>>> legally possible now?
>>>>
>>>> Do OASIS rules permit the creation of the KMIP TC despite the
>>>> near-unanimous consensus amongst EKMI TC members that the KMIP
>>>> TC charter overlaps the EKMI TC's?
>>>>
>>>> Your answers will help the EKMI TC in understanding what its options
>>>> are.
>>>>
>>>> Thank you.
>>>>
>>>> Arshad Noor
>>>> StrongAuth, Inc.
>>>