Having spent much of my career as a 'user', I applaud
getting users more involved in the process. However I do
have several concerns.
1. WRT membership - will the group be limited to only
'users'? How will 'user' be defined? Almost all, if not all,
vendors are also users. I presume the new TC membership will
be open to all OASIS members - but either way it should
state who can participate. It should say something about how
it will maintain the 'user' focus.
2. WRT "neutral forum for monitoring and influencing
cybersecurity standards (STIX, TAXII, CSAF, OpenC2, and
others)": "and others" is vague. Is the scope of the group
all past/current/future TCs in the 'security category'?
There are currently 14. I think being specific would reduce
scope arguments in the future. Maybe change "and others" to
"and others in the security category" and hyperlink the
words security category to
https://www.oasis-open.org/committees/tc_cat.php?cat=security.
3. WRT 'influencing ... without directly participating'
and 'direct mechanism for obtaining user feedback on
technical disputes'. This is both inefficient and dangerous.
It's bad (my opinion) if it discourages participation in
actually doing the work in the group writing the spec. I
have spent many years in many standards bodies and one of my
main complaints is lack of user involvement - usually I was
the sole user voice. If this will increase user involvement,
then it's good. But I'm worried it gives the appearance of
increasing user involvement while actually decreasing user
involvement where it is needed most - in the group writing
the spec. I don't want OASIS to become like the ITU where
almost all the time is spent liaising between groups and
then having to have joint meetings to get anything done. The
way to avoid that problem is clear division of
responsibilities with each group having the membership and
charter to get done what is needed. I don't think we can
afford to have "vendor TCs" and "User TCs". I am ok with
the 'tracking' aspect. I'm ok if the intent is just to have
one monthly 'executive summary' meeting to cover the
security waterfront, for the purpose of alerting to what's
going on so the members could then participate in the
relevant TC writing the spec. But wording should change to
reflect that. I think it's dangerous to do "influencing from
elsewhere" in lieu of participating where the spec is being
written.
4. WRT "The Cybersecurity Standards User Council will
pursue liaison relationships with end user communities
represented by organizations such as FIRST.org, National
Council of ISACs, and other groups". It appears to
me that OASIS has been relatively anal about 'pay to play' -
i.e. you have to be a member to participate. Although I
applaud gathering input from outside the OASIS community, I
think we need to be careful that it's not to give them a
vote/veto/influence; but instead it is to 'inform' the
membership so the membership can make informed decisions,
and it's to encourage those organizations (and their members)
to participate in OASIS if they want their voices heard
directly.
Although I've created a lot of text, I really am for doing
it. I just think we have to be careful to frame it
correctly.
Duncan Sparrell
sFractal Consulting LLC
iPhone, iTypo, iApologize