OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

oasis-charter-discuss message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [oasis-charter-discuss] Re: [EXT] [oasis-charter-discuss] Cyber User Council


It it inappropriate for standards groups to have
overlay entities representing particular market
sectors.   In addition to the borderline freaky,
abstruse name, will there be cyber provider councils,
cyber enterprise councils, cyber government councils, ..."

Pass this one by....


On 28-Apr-17 11:46 PM, Bret Jordan wrote:

I have a concern with this proposed TC. If an existing TC follows the OASIS rules, then they can not use any of the feedback that comes in from this other TC unless it goes through the public comment process. So it seems like this is creating something that gives a false sense of involvement.  

Put another way I do not see this new TC influencing anything.  If people want to influence a standard, they should get involved in that standard and actually influence it.  Per OASIS rules, if a group is outside of the TC, then it is outside of the TC.  

Now if OASIS was looking to create an actual security user forum outside of the paywall of OASIS that could be used as an incubator for standards, then I would fully support that. The way I could see that working is having a quarterly meeting where the various TC can talk about what it is they are doing and then ask the user community to review and then go provide feedback through the public comment system.  


From: oasis-charter-discuss@lists.oasis-open.org <oasis-charter-discuss@lists.oasis-open.org> on behalf of duncan@sfractal.com <duncan@sfractal.com>
Sent: Friday, April 28, 2017 8:30:24 PM
To: oasis-charter-discuss@lists.oasis-open.org
Subject: [EXT] [oasis-charter-discuss] Cyber User Council
Having spent much of my career as a 'user', I applaud getting users more involved in the process. However I do have several concerns.

1. WRT membership - will the group be limited to only 'users'? How wlll 'user' be defined? Almost all, if not all, vendors are also users. I presume the new TC membership will be open to all OASIS members  - but either way it should state who can participate. It should say something about how it will maintain the 'user' focus.

2. WRT "neutral forum for monitoring and influencing cybersecurity standards (STIX, TAXII, CSAF, OpenC2, and others)": "and others" is vague. Is the scope of the group all past/current/future TC's in the 'security category'? There are currently 14. I think being specific would reduce scope arguments in the future. Maybe change "and other" to "and others in the security category" and hyberlink the words security category to https://www.oasis-open.org/committees/tc_cat.php?cat=security.

3. WRT 'influencing ... without directly participating' and 'direct mechanism for obtaining user feedback on technical disputes'. This is both inefficient and dangerous. It's bad (my opinion) if it discourages participation in actually doing the work in the group writing the spec. I have spend many years in many standards bodies and one of my main complaints is lack of user involvement - usually I was the sole user voice. If this will increase user involvement, then it's good. But I'm worried it gives the appearance of increasing user involvement while actually decreasing user involvement where it is needed most  - in the group writing the spec. I don't want OASIS to become like the ITU where almost all the time is spent liasoning between groups and then having to have joint meetings to get anything done. The way to avoid that problem is clear division of responsibilities with each group having the membership and charter to get done what is needed. I don't think we can afford to have "vendor TC's" and "User TC's". I am ok with the 'tracking' aspect. I'm ok if the intent is just to have one monthly 'executive summary' meeting to cover the security waterfront, for the purpose of alerting to what's going on so the members could then participate in the relevant TC writing the spec. But wording should change to reflect that. I think it's dangerous to do "influencing from elsewhere" in lieu of participating where the spec is being written.

4. WRT "The Cybersecurity Standards User Council will pursue liaison relationships with end user communities represented by organizations such as FIRST.org, National Council of ISACs, and other groups". It appears to me that OASIS has been relatively anal about 'pay to play' - ie you have to be a member to participate. Although I applaud gathering input from outside the OASIS community, I think we need to be careful that it's not to give them a vote/veto/infuence; but instead it is to 'inform' the membership so the membership can make informed decisions, and its to encourage those organizations (and their members) to participate in OASIS if they want their voices heard directly.

Although I've created alot of text, I really am for doing it. I just think we have to be careful to frame it correctly.

Duncan Sparrell
sFractal Consulting LLC
iPhone, iTypo, iApologize
--------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]