IIC Charter

[Patrick Durusau <patrick@durusau.net>]

Greetings!

While the IIC sounds like an interesting TC, I have several 
comments/questions about its charter.

It isn't clear what this TC intends to work on.

For example:

> The purpose of the OASIS Identity in the Clouds TC is to collect and harmonize definitions, terminologies and vocabulary of Cloud Computing.
That sounds like a worthwhile task but standardizing a vocabulary for an 
entire field would at a minimum require the participation by a majority 
of the *existing* major players. Like Amazon, Google, Microsoft, Oracle, 
just to name some off the top of my head, there are others.

Statements like:

> The TC will collect use cases to help identify gaps in existing Identity Management standards. The uses cases will be used to identify gaps in current standards and investigate the need for profiles for achieving interoperability with in current standards. Additionally, the use cases will be used to perform risk and threat analyses, leading to suggestions for how to means to then and mitigate identified risks and the threats and vulnerabilities.
don't help much because it fails to identify what standards are going to 
be investigated for these alleged "gaps." Nor how creating yet another 
vocabulary (different from the ones already in use) is actually going to 
make things better.

I suppose I was expecting the scope statement to narrow things down but 
there I find:

> The TC may identify existing definitions, terminologies and vocabulary of Identity in the context of Cloud Computing for harmonizing the definitions, terminologies and vocabulary as the TC determines.
Well..., either the TC is going to try to harmonize the terms used by 
other standards, a task of dubious value other than for mapping 
purposes, or its not. The "may identify" and other "may" statements 
makes me feel like the TC proposers have yet to reach agreement on the 
goals of the TC.

Post-charter approval is a very bad time to reach a consensus on the 
purpose of a TC. Trust me on this one. It just doesn't work well. Voice 
of experience.

Note I am not saying that any or all of these goals aren't worthy ones 
and certainly worth being pursued in OASIS. But, say what the TC will or 
won't do up front. Or as I say in my reviews of OASIS standards, don't 
be timid about what a standard requires. Right or wrong, say it clearly 
and distinctly.

BTW, under the non-normative information I am *not* encouraged by:

> (2)(a) Identification of similar or applicable work that is being done in other OASIS TCs or by other organizations, why there is a need for another effort in this area and how this proposed TC will be different, and what level of liaison will be pursued with these other organizations.
That is part of the normal background work that *precedes* the proposal 
of an OASIS TC. In detail. How else are we to decide if the proposed 
work overlaps already existing work in other forums? Or that it should 
be suggested that the TC expand or contract it charter to take in an 
issue not being addressed elsewhere?

A revision of this charter should:

1) Identify all existing standards and organizations that have standards 
that the proposers think are relevant to identity issues in the Cloud. 
(If this isn't already known, withdraw the charter and wait until it and 
other issues are resolved before re-submitting.)

2) Illustrate, one or two examples, of the alleged "gaps" in existing work.

3) State with certainty what the TC would *do* about those gaps. Not 
that it "may" do this, that or the other thing, maybe. That isn't the 
characteristic of a standard or a standards TC.

4) Define the relationship of the work product of the proposed TC to the 
existing standards.

5) List the organizations (possibly cover this under #1) that are 
relevant and who already have liaisons with OASIS. So to put OASIS on 
notice that it may need additional liaisons at the organizational level.

Identify among the proposers, members of those other organizations.

6) For specific issues, like risk assessment, a topic of some currency, 
identify specific government agencies concerned with those issues and 
broaden the base of the TC at the outset. Protecting credit card data in 
a cloud may seem like a big issue, but monitoring the use of cloud 
computing for weapons development is something entirely different.

Some of those agencies have spent years doing nothing but thinking about 
identity and security issues. Really should take advantage of that 
experience, at least the parts of it that they can share.

Very worthwhile work that merits more of a workup than it has gotten for 
this charter.

 Hope everyone is having a great week!

Patrick

-- 
Patrick Durusau
patrick@durusau.net
Chair, V1 - US TAG to JTC 1/SC 34
Convener, JTC 1/SC 34/WG 3 (Topic Maps)
Editor, OpenDocument Format TC (OASIS), Project Editor ISO/IEC 26300
Co-Editor, ISO/IEC 13250-1, 13250-5 (Topic Maps)