Stephen Farrell | 1 Apr 2012 14:03

other standards things that are important


Hiya,

 From time to time we get liaison statements from other
standards groups that ask the IETF to do stuff, e.g. to
go bother a bunch of IETF folks to produce a response
detailing the work being done on topic "foo."

Sean and I would like to get a feeling for how you
perceive those different organisations' work so we
can consume an appropriate amount of effort (ours
and those we hassle) in responding, and on the basis
of something a bit better than just our own hunches
and opinions.

So, I'd appreciate it if you could reply with an email
naming other security related standards development
activities and giving each marks from 10 related to
their importance to the Internet.

Basis of the marks-from-10 is we normalise ourselves
at 5; 1 is really really bad and 10 is the best it
can be. Take into account both technical excellence
and pragmatic importance. Doesn't matter if the
activity concerned is a producer of stuff we use, or
a consumer of our stuff, we may have to deal with
them in any case. Try be as specific as you can, say
at the level equivalent to an IETF WG if possible.

An example response might look like:

Michael Richardson | 3 Apr 2012 15:02

Re: other standards things that are important


>>>>> "Stephen" == Stephen Farrell <stephen.farrell <at> cs.tcd.ie> writes:
    Stephen> From time to time we get liaison statements from other
    Stephen> standards groups that ask the IETF to do stuff, e.g. to go
    Stephen> bother a bunch of IETF folks to produce a response
    Stephen> detailing the work being done on topic "foo."

Any standard that doesn't have an open URL that anyone can read, is not,
in my opinion, a useful standard.   So I regard any entity that wants
us to review their document, so that they can then sell it to people, as
suspect.

In particular, since few run-of-the-mill developers out there will ever
pay to read that document, its relevance to the internet is almost nil.
(Sure, they might be told, "implement 802.1x" by their boss, but if
given the task of "make sure our product has access control on the
networking", they won't consider technology in documents that they can
not read) 

-- 
]       He who is tired of Weird Al is tired of life!           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr <at> sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
   Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
	               then sign the petition. 



Simon Josefsson | 4 Apr 2012 14:22

Re: other standards things that are important

Michael Richardson <mcr+ietf <at> sandelman.ca> writes:

>>>>>> "Stephen" == Stephen Farrell <stephen.farrell <at> cs.tcd.ie> writes:
>     Stephen> From time to time we get liaison statements from other
>     Stephen> standards groups that ask the IETF to do stuff, e.g. to go
>     Stephen> bother a bunch of IETF folks to produce a response
>     Stephen> detailing the work being done on topic "foo."
>
> Any standard that doesn't have an open URL that anyone can read, is not,
> in my opinion, a useful standard.

+1

Btw, it would make it easier to answer the initial question if we had
the names of at least a few organizations that you were thinking of.

/Simon

Tina TSOU | 5 Apr 2012 00:45

Re: other standards things that are important


Sent from my iPad

On Apr 4, 2012, at 4:17 AM, "Michael Richardson" <mcr+ietf <at> sandelman.ca> wrote:

> 
>>>>>> "Stephen" == Stephen Farrell <stephen.farrell <at> cs.tcd.ie> writes:
>    Stephen> From time to time we get liaison statements from other
>    Stephen> standards groups that ask the IETF to do stuff, e.g. to go
>    Stephen> bother a bunch of IETF folks to produce a response
>    Stephen> detailing the work being done on topic "foo."
> 
> Any standard that doesn't have an open URL that anyone can read, is not,
> in my opinion, a useful standard.   So I regard any entity that wants
> us to review their document, so that they can then sell it to people, as
> suspect.
> 
> In particular, since few run-of-the-mill developers out there will ever
> pay to read that document, its relevance to the internet is almost nil.
> (Sure, they might be told, "implement 802.1x" by their boss, but if
> given the task of "make sure our product has access control on the
> networking", they won't consider technology in documents that they can
> not read) 
I did have to read the IEEE standard when I implemented 802.1X in the
year 2001-2002. To make sure our product has access control on the
networking, we created a regional standard version of 802.1X.
> 
> 
> -- 
> ]       He who is tired of Weird Al is tired of life!           |  firewalls  [
> ]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[

Stephen Farrell | 5 Apr 2012 00:53

Re: other standards things that are important


On 04/04/2012 01:22 PM, Simon Josefsson wrote:
> Michael Richardson<mcr+ietf <at> sandelman.ca>  writes:
>
>>>>>>> "Stephen" == Stephen Farrell<stephen.farrell <at> cs.tcd.ie>  writes:
>>      Stephen>   From time to time we get liaison statements from other
>>      Stephen>  standards groups that ask the IETF to do stuff, e.g. to go
>>      Stephen>  bother a bunch of IETF folks to produce a response
>>      Stephen>  detailing the work being done on topic "foo."
>>
>> Any standard that doesn't have an open URL that anyone can read, is not,
>> in my opinion, a useful standard.
>
> +1
>
> Btw, it would make it easier to answer the initial question if we had
> the names of at least a few organizations that you were thinking of.

Fair enough. (You're the 2nd to ask)

Look at the "From" list on [1]

Cheers,
S

[1] https://datatracker.ietf.org/liaison/

>
> /Simon
> _______________________________________________

Stephen Farrell | 12 Apr 2012 17:29

Fwd: NIST Request for Comments on Proposed Changes to FIPS 186-3: The Digital Signature Standard


Not sure if everyone who cares gets this or not so here ya go.

If there were any change that impacted on IETF protocols that'd
be good to know,

Thanks,
Stephen.

-------- Original Message --------
Subject: NIST Request for Comments on Proposed Changes to FIPS 186-3: 
The Digital Signature Standard
Date: Thu, 12 Apr 2012 11:21:48 -0400
From: Caswell, Sara J. <sara.caswell <at> nist.gov>
To: stephen.farrell <at> cs.tcd.ie <stephen.farrell <at> cs.tcd.ie>

**************** PLEASE DO NOT REPLY TO THIS EMAIL ****************

NIST requests comments on proposed changes to Federal Information 
Processing Standard 186-3, the Digital Signature Standard. The Federal 
Register Notice requests that electronic comments be sent by May 25, 
2012 to:

fips_186-3_change_notice <at> nist.gov<mailto:fips_186-3_change_notice <at> nist.gov?Subject=186-3%20Change%20Notice>, 
with 186-3 Change Notice in the subject line.

The Federal Register 
Notice<http://csrc.nist.gov/fedreg/2012/frn_vol77_no69_tues-april-10-2012.pdf> 
for this proposed change notice for FIPS 186-3 can be accessed by 
clicking the link "Federal Register Notice".

Brian Weis | 12 Apr 2012 21:14

Re: other standards things that are important

As an aside for those who aren't aware, IEEE 802 (and some other IEEE standards) are available free of charge 
<http://standards.ieee.org/about/get/> six months after they issue.

Brian

On Apr 4, 2012, at 3:45 PM, Tina TSOU wrote:

> 
> 
> Sent from my iPad
> 
> On Apr 4, 2012, at 4:17 AM, "Michael Richardson" <mcr+ietf <at> sandelman.ca> wrote:
> 
>> 
>>>>>>> "Stephen" == Stephen Farrell <stephen.farrell <at> cs.tcd.ie> writes:
>>   Stephen> From time to time we get liaison statements from other
>>   Stephen> standards groups that ask the IETF to do stuff, e.g. to go
>>   Stephen> bother a bunch of IETF folks to produce a response
>>   Stephen> detailing the work being done on topic "foo."
>> 
>> Any standard that doesn't have an open URL that anyone can read, is not,
>> in my opinion, a useful standard.   So I regard any entity that wants
>> us to review their document, so that they can then sell it to people, as
>> suspect.
>> 
>> In particular, since few run-of-the-mill developers out there will ever
>> pay to read that document, its relevance to the internet is almost nil.
>> (Sure, they might be told, "implement 802.1x" by their boss, but if
>> given the task of "make sure our product has access control on the
>> networking", they won't consider technology in documents that they can

Mouse | 12 Apr 2012 21:46

Re: other standards things that are important

> As an aside for those who aren't aware, IEEE 802 (and some other IEEE
> standards) are available free of charge
> <http://standards.ieee.org/about/get/> six months after they issue.

Even if it's an "aside", I think it's fair to point out here that
IEEE's terms are substantially more restrictive than "an open URL that
anyone can read".  For example, I'm not allowed to put them anywhere my
usual backup regimen applies, because that involves a backup copy on-net
and a second backup copy offsite.  They also are licensed only for
personal use (whatever that means; the terms-of-use do not explain).
I'm not even sure whether I'd be allowed to convert it to plain text
(which is normally the first thing I do with PDFs; plain text is far
more useful for most of my purposes for most PDFs).

Also, their development process _is_ closed, meaning that the results
will be heavily biased towards benefits for their membership rather
than benefits for the world at large, for the Internet, or for the
state of the art.

So I'm with Michael on this one.  The IEEE is slightly better than some
other (fully pay-to-play) `standards' organizations, but it's got a
long way to go before I would consider it acceptable for IETF purposes,
and before I would consider reviewing their documents without pay.

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse <at> rodents-montreal.org
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

Sean Turner | 18 Apr 2012 22:24

Fwd: NIST Request for Comments: 2nd Public Draft, SP 800-130: A Framework for Designing Cryptographic Key Management Systems

I often get these and somebody on this list might find this of interest.

As Stephen once noted on one of these: if there were any change that 
impacted on IETF protocols that'd be good to know.

spt

-------- Original Message --------
Subject: 	NIST Request for Comments: 2nd Public Draft, SP 800-130: A
Framework for Designing Cryptographic Key Management Systems
Date: 	Wed, 18 Apr 2012 14:24:56 -0400
From: 	Caswell, Sara J. <sara.caswell <at> nist.gov>
To: 	turners <at> ieca.com <turners <at> ieca.com>

*Second Public Draft, Special Publication 800-130, /A Framework for
Designing Cryptographic Key Management Systems/*

Public Comment Period: April 13, 2012 through July 30, 2012.

Email Comments to: ckmsdesignframework <at> nist.gov

Second Public Draft Details:

NIST requests comments on SP 800-130, A Framework for Designing
Cryptographic Key Management Systems. This is a revision of the document
that was provided for public comment in June 2010. Comments are
requested by July 30, 2012 and should be sent to
ckmsdesignframework <at> nist.gov, with "Comments on SP 800-130" in the
subject line. Another document, SP 800-152, which provides a basic
profile of this framework document for the Federal government, will be

