Subject: IIC Charter
Greetings!

While the IIC sounds like an interesting TC, I have several comments/questions about its charter.

It isn't clear what this TC intends to work on. For example:

> The purpose of the OASIS Identity in the Clouds TC is to collect and harmonize definitions, terminologies and vocabulary of Cloud Computing.

That sounds like a worthwhile task but standardizing a vocabulary for an entire field would at a minimum require the participation by a majority of the *existing* major players. Like Amazon, Google, Microsoft, Oracle, just to name some off the top of my head, there are others.

Statements like:

> The TC will collect use cases to help identify gaps in existing Identity Management standards. The uses cases will be used to identify gaps in current standards and investigate the need for profiles for achieving interoperability with in current standards. Additionally, the use cases will be used to perform risk and threat analyses, leading to suggestions for how to means to then and mitigate identified risks and the threats and vulnerabilities.

don't help much because it fails to identify what standards are going to be investigated for these alleged "gaps." Nor how creating yet another vocabulary (different from the ones already in use) is actually going to make things better.

I suppose I was expecting the scope statement to narrow things down but there I find:

> The TC may identify existing definitions, terminologies and vocabulary of Identity in the context of Cloud Computing for harmonizing the definitions, terminologies and vocabulary as the TC determines.

Well..., either the TC is going to try to harmonize the terms used by other standards, a task of dubious value other than for mapping purposes, or it's not.

The "may identify" and other "may" statements make me feel like the TC proposers have yet to reach agreement on the goals of the TC.

Post-charter approval is a very bad time to reach a consensus on the purpose of a TC. Trust me on this one. It just doesn't work well. Voice of experience.

Note I am not saying that any or all of these goals aren't worthy ones and certainly worth being pursued in OASIS.

But, say what the TC will or won't do up front. Or as I say in my reviews of OASIS standards, don't be timid about what a standard requires. Right or wrong, say it clearly and distinctly.

BTW, under the non-normative information I am *not* encouraged by:

> (2)(a) Identification of similar or applicable work that is being done in other OASIS TCs or by other organizations, why there is a need for another effort in this area and how this proposed TC will be different, and what level of liaison will be pursued with these other organizations.

That is part of the normal background work that *precedes* the proposal of an OASIS TC. In detail.

How else are we to decide if the proposed work overlaps already existing work in other forums? Or that it should be suggested that the TC expand or contract its charter to take in an issue not being addressed elsewhere?

A revision of this charter should:

1) Identify all existing standards and organizations that have standards that the proposers think are relevant to identity issues in the Cloud. (If this isn't already known, withdraw the charter and wait until it and other issues are resolved before re-submitting.)

2) Illustrate, one or two examples, of the alleged "gaps" in existing work.

3) State with certainty what the TC would *do* about those gaps. Not that it "may" do this, that or the other thing, maybe. That isn't the characteristic of a standard or a standards TC.

4) Define the relationship of the work product of the proposed TC to the existing standards.

5) List the organizations (possibly cover this under #1) that are relevant and who already have liaisons with OASIS. So to put OASIS on notice that it may need additional liaisons at the organizational level. Identify among the proposers, members of those other organizations.

6) For specific issues, like risk assessment, a topic of some currency, identify specific government agencies concerned with those issues and broaden the base of the TC at the outset. Protecting credit card data in a cloud may seem like a big issue, but monitoring the use of cloud computing for weapons development is something entirely different. Some of those agencies have spent years doing nothing but thinking about identity and security issues. Really should take advantage of that experience, at least the parts of it that they can share.

Very worthwhile work that merits more of a workup than it has gotten for this charter.

Hope everyone is having a great week!

Patrick

--
Patrick Durusau
patrick@durusau.net
Chair, V1 - US TAG to JTC 1/SC 34
Convener, JTC 1/SC 34/WG 3 (Topic Maps)
Editor, OpenDocument Format TC (OASIS), Project Editor ISO/IEC 26300
Co-Editor, ISO/IEC 13250-1, 13250-5 (Topic Maps)