Subject: Re: [EXT] [oasis-charter-discuss] Cyber User Council


I have a concern with this proposed TC. If an existing TC follows the OASIS rules, then they cannot use any of the feedback that comes in from this other TC unless it goes through the public comment process. So it seems like this is creating something that gives a false sense of involvement.


Put another way, I do not see this new TC influencing anything. If people want to influence a standard, they should get involved in that standard and actually influence it. Per OASIS rules, if a group is outside of the TC, then it is outside of the TC.


Now if OASIS was looking to create an actual security user forum outside of the paywall of OASIS that could be used as an incubator for standards, then I would fully support that. The way I could see that working is having a quarterly meeting where the various TCs can talk about what it is they are doing and then ask the user community to review and then go provide feedback through the public comment system.


Bret




From: oasis-charter-discuss@lists.oasis-open.org <oasis-charter-discuss@lists.oasis-open.org> on behalf of duncan@sfractal.com <duncan@sfractal.com>
Sent: Friday, April 28, 2017 8:30:24 PM
To: oasis-charter-discuss@lists.oasis-open.org
Subject: [EXT] [oasis-charter-discuss] Cyber User Council
 
Having spent much of my career as a 'user', I applaud getting users more involved in the process. However, I do have several concerns.

1. WRT membership - will the group be limited to only 'users'? How will 'user' be defined? Almost all, if not all, vendors are also users. I presume the new TC membership will be open to all OASIS members - but either way it should state who can participate. It should say something about how it will maintain the 'user' focus.

2. WRT "neutral forum for monitoring and influencing cybersecurity standards (STIX, TAXII, CSAF, OpenC2, and others)": "and others" is vague. Is the scope of the group all past/current/future TCs in the 'security category'? There are currently 14. I think being specific would reduce scope arguments in the future. Maybe change "and others" to "and others in the security category" and hyperlink the words security category to https://www.oasis-open.org/committees/tc_cat.php?cat=security.

3. WRT 'influencing ... without directly participating' and 'direct mechanism for obtaining user feedback on technical disputes'. This is both inefficient and dangerous. It's bad (my opinion) if it discourages participation in actually doing the work in the group writing the spec. I have spent many years in many standards bodies and one of my main complaints is lack of user involvement - usually I was the sole user voice. If this will increase user involvement, then it's good. But I'm worried it gives the appearance of increasing user involvement while actually decreasing user involvement where it is needed most - in the group writing the spec. I don't want OASIS to become like the ITU where almost all the time is spent liaising between groups and then having to have joint meetings to get anything done. The way to avoid that problem is clear division of responsibilities with each group having the membership and charter to get done what is needed. I don't think we can afford to have "vendor TCs" and "User TCs". I am OK with the 'tracking' aspect. I'm OK if the intent is just to have one monthly 'executive summary' meeting to cover the security waterfront, for the purpose of alerting to what's going on so the members could then participate in the relevant TC writing the spec. But wording should change to reflect that. I think it's dangerous to do "influencing from elsewhere" in lieu of participating where the spec is being written.

4. WRT "The Cybersecurity Standards User Council will pursue liaison relationships with end user communities represented by organizations such as FIRST.org, National Council of ISACs, and other groups". It appears to me that OASIS has been relatively anal about 'pay to play' - i.e. you have to be a member to participate. Although I applaud gathering input from outside the OASIS community, I think we need to be careful that it's not to give them a vote/veto/influence; but instead it is to 'inform' the membership so the membership can make informed decisions, and it's to encourage those organizations (and their members) to participate in OASIS if they want their voices heard directly.

Although I've created a lot of text, I really am for doing it. I just think we have to be careful to frame it correctly.

Duncan Sparrell
sFractal Consulting LLC
iPhone, iTypo, iApologize