OASIS Common Security Advisory Framework (CSAF) TC

  • 1.  Re: ISO vs. ITU

    Posted 01-09-2023 15:40
    Hi Thomas - Well that's how you kick off the new year! Very exciting. I have copied Jamie to contrast and compare ISO versus ITU. He manages our liaison relationships and share thoughts on why you want to go with one versus the other.

    I will say that STIX and TAXII have been submitted to ITU and that seems to be where other security/cybersecurity standards have gone. But I don't have the background that Jamie has.

    In my experience, I have not seen us submit OASIS Standards to multiple SDOs. I think that could cause some confusion as to which ones take precedence, for example in issuing regulations.

    In terms of how it works, this is explained in the Liaison Policy at https://www.oasis-open.org/policies-guidelines/liaison/#submitwork . In a nutshell:

    - The TC will draft a document providing the terms of submission to the other organization. This is a short, 2 page form and I can send you examples that you can use as guidance. The template is in the policy document.
    - You then request a Special Majority Vote to approve submitting the terms to the OASIS President as a request that OASIS makes this submission.
    - Assuming the vote passes, we review the terms to ensure all is in order (Of course it will be because we'll have gone back and forth on it while you work on it) and then I will circulate it to the OASIS members for a 30 day review period.
    - At the end of that period, assuming all is in order and no comments came in that need addressing, OASIS will make the submission. At that point, the receiving organization's processes will take over and we will just monitor.

    Note that the terms will make clear that the TC retains responsibility for maintaining the Standard. You also commit to submit future updates to the organization as well.

    Let me know if you have questions on this.

    /chet

    On Mon, Jan 9, 2023 at 9:49 AM Schmidt, Thomas <thomas.schmidt@bsi.bund.de> wrote:

    > Hi Chet,
    >
    > The CSAF TC is looking into submitting CSAF 2.0 to a) ISO or b) ITU or c) both.
    > Could you please provide some insights for the TC how the options a, b and c would work and what the necessary next steps would be? Which one would you recommend and why?
    >
    > Feel free to reply to directly or to the TC's mailing list.
    >
    > Best wishes,
    > Thomas
    > --
    > Thomas Schmidt

    --
    Chet Ensign
    Chief Technical Community Steward
    OASIS Open
    +1 201-341-1393
    chet.ensign@oasis-open.org
    www.oasis-open.org


  • 2.  [csaf] Re: ISO vs. ITU

    Posted 01-18-2023 18:16
    Hi Jamie, could you please tell us which OASIS standards / specifications have been submitted to a) ISO b) ITU? Which one would you recommend for CSAF and why? Best regards, Thomas


  • 3.  Re: [csaf] Re: ISO vs. ITU

    Posted 01-18-2023 20:03
    Hi,

    upfront: The standards submitted by OASIS to ISO seem to end up as ISO/IEC standards which is kind of buy one get one for free (as marketing aspect).

    While OASIS administration is preparing the list of submitted standards, I can bring in some information that I found on my TC archives or per search engine:

    0) I will get in contact with Mike Pizzo and Ralf Handl the two acting Co-Chairs of the OData TC to ensure that we really did not have to send some person into ISO/IEC meetings as regular liaison.

    1) The OASIS standards of the TCs I was or am an active member of and that are on the free of cost list (catalog ref https://standards.iso.org/ittf/PubliclyAvailableStandards/index.html ) are:

    - AMQP (ISO/IEC 19464:2014)
    - MQTT (ISO/IEC 20922:2016)
    - OData (ISO/IEC 20802-1:2016 and ISO/IEC 20802-2:2016)

    I do not remember any submission that led to an ISO/IEC Standard where one has to pay for the PDF version (ebXML - I think regrep was my very first TC as member - I am sure I was not active during the submission phase there)

    2) Other free of cost ISO standards related:

    - SPDX (ISO/IEC 5962:2021)
    - Open Systems Interconnect (OSI)
    - Linux Standard Base (LSB)
    - trusted platform module
    - NFC Security

    3) I can personally speak for the OData ISO/IEC submission experience which was a good one.

    During these years (from the beginning of the TC to the submission and later) I acted as ODATA TC secretary and my family name then was Drees (in case you wonder why there is no Stefan Hagen on the ballots referred to below ;-)

    Here are the links to the two ballots (one for every part) again as publicly accessible URLs):

    - https://www.oasis-open.org/committees/download.php/54215/ballot_3469.html (Part 1: Core)
    - https://www.oasis-open.org/committees/download.php/54216/ballot_2677.html (Part 2: OData JSON Format)

    The electronic formats (PDF) for both parts are free per catalog of all freely available electronic format standards at ISO:

    - https://standards.iso.org/ittf/PubliclyAvailableStandards/index.html

    per direct links (present in the catalog page):

    - https://standards.iso.org/ittf/PubliclyAvailableStandards/c069208_ISO_IEC_20802-1_2016.zip (Part 1: Core)
    - https://standards.iso.org/ittf/PubliclyAvailableStandards/c069209_ISO_IEC_20802-2_2016.zip (Part 2: OData JSON Format)

    and the printed hardcopy of course costs which to me is not a paywall but a price for the extra effort that goes into producing an exemplar per order and in my company we always retrieve the electronic documents as they are much more helpful for implementing.

    - https://www.iso.org/standard/69208.html (Part 1: Core)
    - https://www.iso.org/standard/69209.html (Part 2: OData JSON Format)

    OASIS Press Release on the publication per ISO/IEC:

    - https://www.oasis-open.org/news/pr/iso-iec-jtc-1-approves-oasis-odata-standard-for-open-data-exchange/

    Mike Pizzo on our Market outreach site data.org on that topic:

    - https://www.odata.org/blog/OData-Published-as-an-ISO-Standard/

    Looking back to the submission text I find our draft per (publicly accessible URL):

    - https://www.oasis-open.org/committees/document.php?document_id=53050&wg_abbrev=odata

    which as a text was kind of short and sweet:

    # - - - 8< - - -
    Submission request to advance OData v4.0 and OData JSON Format v4.0 to an International Standard
    Date: May 16, 2013

    Any submission request delivered to the OASIS President under this policy must be in writing, and must include the following:

    The name(s) of the submission requester(s), that is, the TC, the Member Section, or the OASIS Organizational Members that support the submission request as described in section 1(d).
    OASIS OData (Open Data Protocol) Technical Committee

    The name of the intended receiving standards organization. The request may also suggest the committee or group in that organization which should process that submission.
    ISO/IEC JTC 1 Secretariat (no particular JTC 1 Subcommittee is identified at this time)

    The intended status or outcome that the request seeks from the receiving organization's process; and a short description of the receiving organization's approval process, including estimated time required, stages of approval and who votes at each stage.
    Intended status: Advance OData v4.0 and OData JSON Format v4.0 OASIS Standards incorporating OASIS Approved Errata to an ISO/IEC International Standard
    Process: ISO/IEC JTC 1 PAS Transposition Process involving a Draft International Standard (DIS) ballot followed by a Ballot Resolution Meeting (BRM) (if there are comments during ballots), and potentially a Final DIS (FDIS) Ballot.
    Stages of approval: http://www.iso.org/iso/home/standards_development/resources-for-technical-work/stages_table.htm%23s40

    An explanation of how the submission will benefit OASIS.
    Advancing OData v4.0 and OData JSON Format v4.0 to an international standard draws international attention to the work done by OASIS and to the organization itself, and governments/regulators may be more inclined to use the standard because of its ISO/IEC status. This will help nurture and expand the ongoing liaisons with ISO/IEC JTC 1. Further, this submission will help maintain OASIS in good standing as a recognized ISO/IEC JTC 1 PAS submitter organization.

    The expected licensing, copyright and other intellectual property terms that will be used by the receiving organization in regard to the submission.
    ISO/IEC JTC 1 will expect that OASIS will abide by the ISO/IEC/ITU-T Common Patent Policy (indicated by at least notifying ISO/IEC of any patent declarations in the required Explanatory Report), and will provide ISO/IEC with sufficient copyright license to modify and publish the resulting ISO/IEC Standard. As these items have already been agreed with ISO/IEC JTC 1 when OASIS was approved as a PAS Submitter, no new issues are expected.

    A statement of the intended future plans for versioning and maintenance of the OASIS Standard and/or Approved Errata for that standard, and the expected roles of OASIS and the receiving organization. This must include clear statements of the rules of the receiving organization applicable to maintenance of an approved submitted standard, and to future versions of that standard; any requirements regarding the submission of future versions; and a description of how OASIS and the submission requesters expect to comply with those rules.
    The OASIS OData Technical Committee will continue to maintain the OData v4.0 and OData JSON Format v4.0 OASIS Standards and produce future revisions of them. For this specific submission (OData v4.0 and OData JSON Format v4.0 OASIS Standards incorporating OASIS Approved Errata) to ISO/IEC JTC 1, OASIS will request to be named the "JTC 1 designated maintenance group" and will follow the required maintenance procedures (including Systematic Review). In the course of time, if there are substantive changes to OData v4.0 and OData JSON Format v4.0 (either via the Approved Errata process or through a new version), OASIS may submit the modified document (or future version) to ISO/IEC JTC 1 at some point in the future.
    # - - - 8< - - -

    Hope this helps,
    Stefan

    On Wed, Jan 18, 2023, at 19:15, Schmidt, Thomas wrote:

    > Hi Jamie, could you please tell us which OASIS standards / specifications have been submitted to a) ISO b) ITU? Which one would you recommend for CSAF and why?
    > Best regards,
    > Thomas

    Stefan Hagen, Emmetten, Nidwalden, Switzerland.
    orcid: https://orcid.org/0000-0003-4206-892X
    read: https://stefan-hagen.website
    talk: maybe
    write: stefan@hagen.link


  • 4.  Re: [csaf] Re: ISO vs. ITU

    Posted 01-18-2023 21:35
    Thanks for your comments, Stefan; a few further thoughts are inserted below.

    James Bryce Clark
    General Counsel & CPO
    OASIS Open
    jamie.clark@oasis-open.org
    Xing LinkedIn Twitter Mastodon
    Setting the standard for open collaboration.

    On Wed, Jan 18, 2023 at 12:02 PM Stefan Hagen <stefan@hagen.link> wrote:

    > Hi,
    >
    > upfront: The standards submitted by OASIS to ISO seem to end up as ISO/IEC standards which is kind of buy one get one for free (as marketing aspect).

    True of some (PAS submissions), but not all (for example, we do work directly with a few receptive topical ISO TCs).

    > While OASIS administration is preparing the list of submitted standards, I can bring in some information that I found on my TC archives or per search engine:
    >
    > 0) I will get in contact with Mike Pizzo and Ralf Handl the two acting Co-Chairs of the OData TC to ensure that we really did not have to send some person into ISO/IEC meetings as regular liaison.

    We did not. PAS submissions are very binary, and based on an up-or-down vote after a written submission. As a result they usually require little direct contact with JTC_1 stakeholders (although there are times when anticipating objections may change that practice).

    > 1) The OASIS standards of the TCs I was or am an active member of and that are on the free of cost list (catalog ref https://standards.iso.org/ittf/PubliclyAvailableStandards/index.html ) are:
    >
    > - AMQP (ISO/IEC 19464:2014)
    > - MQTT (ISO/IEC 20922:2016)
    > - OData (ISO/IEC 20802-1:2016 and ISO/IEC 20802-2:2016)

    We also submitted others through the PAS channel, including ISO/IEC 19845 and ISO/IEC 26300, noted in my list in this thread.

    > I do not remember any submission that led to an ISO/IEC Standard where one has to pay for the PDF version. (ebXML - I think "regrep" was my very first TC as member - I am sure I was not active during the submission phase there)

    ebXML: OMG we were so young. JTC 1 allows submitters to make free publication a condition of PAS submission, in most cases. But bear in mind that, for any OASIS standard, if we submit it to any SDO for their reapproval or endorsement, it continues to be the same work, available for free, from our website, regardless.

    > 2) Other free of cost ISO standards related: [list omitted]

    I think many of those also are ISO/IEC PAS works. JTC_1's PAS process, in which BigTech companies have significant influence, is somewhat less detailed in its examination of process fairness and openness than some other of the de jure SDOs. Thus, it can be a more permissive process, but also arguably one with less filters.

    > 3) I can personally speak for the OData ISO/IEC submission experience which was a good one.
    >
    > During these years (from the beginning of the TC to the submission and later) I acted as ODATA TC secretary and my family name then was Drees (in case you wonder why there is no Stefan Hagen on the ballots referred to below ;-)
    >
    > Here are the links to the two ballots (one for every part) again as publicly accessible URLs):
    >
    > - https://www.oasis-open.org/committees/download.php/54215/ballot_3469.html (Part 1: Core)
    > - https://www.oasis-open.org/committees/download.php/54216/ballot_2677.html (Part 2: OData JSON Format)
    >
    > The electronic formats (PDF) for both parts are free

    Agreed, OData went very smoothly. TC chairs Ram Jeyaraman and Ralf Handl were very helpful. It also can help when, as with OData, the specification can demonstrate that it enjoys some use in production from known developers. OASIS rules usually confirm that is the case, before making external submissions; Not all SDO PAS submitters follow that path.

    > per catalog of all freely available electronic format standards at ISO:
    >
    > - https://standards.iso.org/ittf/PubliclyAvailableStandards/index.html
    >
    > per direct links (present in the catalog page):
    >
    > - https://standards.iso.org/ittf/PubliclyAvailableStandards/c069208_ISO_IEC_20802-1_2016.zip (Part 1: Core)
    > - https://standards.iso.org/ittf/PubliclyAvailableStandards/c069209_ISO_IEC_20802-2_2016.zip (Part 2: OData JSON Format)
    >
    > and the printed hardcopy of course costs which to me is not a paywall but a price for the extra effort that goes into producing an exemplar per order and in my company we always retrieve the electronic documents as they are much more helpful for implementing.
    >
    > - https://www.iso.org/standard/69208.html (Part 1: Core)
    > - https://www.iso.org/standard/69209.html (Part 2: OData JSON Format)
    >
    > OASIS Press Release on the publication per ISO/IEC:
    >
    > - https://www.oasis-open.org/news/pr/iso-iec-jtc-1-approves-oasis-odata-standard-for-open-data-exchange/
    >
    > Mike Pizzo on our Market outreach site data.org on that topic:
    >
    > - https://www.odata.org/blog/OData-Published-as-an-ISO-Standard/
    >
    > Looking back to the submission text I find our draft per (publicly accessible URL):
    >
    > - https://www.oasis-open.org/committees/document.php?document_id=53050&wg_abbrev=odata
    >
    > which as a text was kind of short and sweet:

    Much of the text below is rote recitations that comply with ISO/IEC requirements, our (few) conditions of submission, and any license compatibility issues. Our submission text has changed a bit, but not much, in the 10 years since then. We use somewhat similar language for other bodies, such as ITU.

    One aspect that can be seen in the text below is that most receiving bodies want to know who maintains the standard after its re-approval. Will OASIS keep the pen and keep revising it? That's a datum in which OASIS has some interests as well; each TC may wish to consider its planned future arc of work, when planning for an external submission.

    > # - - - 8< - - -
    > Submission request to advance OData v4.0 and OData JSON Format v4.0 to an International Standard
    > Date: May 16, 2013
    >
    > Any submission request delivered to the OASIS President under this policy must be in writing, and must include the following:
    >
    > The name(s) of the submission requester(s), that is, the TC, the Member Section, or the OASIS Organizational Members that support the submission request as described in section 1(d).
    > OASIS OData (Open Data Protocol) Technical Committee
    >
    > The name of the intended receiving standards organization. The request may also suggest the committee or group in that organization which should process that submission.
    > ISO/IEC JTC 1 Secretariat (no particular JTC 1 Subcommittee is identified at this time)
    >
    > The intended status or outcome that the request seeks from the receiving organization's process; and a short description of the receiving organization's approval process, including estimated time required, stages of approval and who votes at each stage.
    > Intended status: Advance OData v4.0 and OData JSON Format v4.0 OASIS Standards incorporating OASIS Approved Errata to an ISO/IEC International Standard
    > Process: ISO/IEC JTC 1 PAS Transposition Process involving a Draft International Standard (DIS) ballot followed by a Ballot Resolution Meeting (BRM) (if there are comments during ballots), and potentially a Final DIS (FDIS) Ballot.
    > Stages of approval: http://www.iso.org/iso/home/standards_development/resources-for-technical-work/stages_table.htm%23s40
    >
    > An explanation of how the submission will benefit OASIS.
    > Advancing OData v4.0 and OData JSON Format v4.0 to an international standard draws international attention to the work done by OASIS and to the organization itself, and governments/regulators may be more inclined to use the standard because of its ISO/IEC status. This will help nurture and expand the ongoing liaisons with ISO/IEC JTC 1. Further, this submission will help maintain OASIS in good standing as a recognized ISO/IEC JTC 1 PAS submitter organization.
    >
    > The expected licensing, copyright and other intellectual property terms that will be used by the receiving organization in regard to the submission.
    > ISO/IEC JTC 1 will expect that OASIS will abide by the ISO/IEC/ITU-T Common Patent Policy (indicated by at least notifying ISO/IEC of any patent declarations in the required Explanatory Report), and will provide ISO/IEC with sufficient copyright license to modify and publish the resulting ISO/IEC Standard. As these items have already been agreed with ISO/IEC JTC 1 when OASIS was approved as a PAS Submitter, no new issues are expected.
    >
    > A statement of the intended future plans for versioning and maintenance of the OASIS Standard and/or Approved Errata for that standard, and the expected roles of OASIS and the receiving organization. This must include clear statements of the rules of the receiving organization applicable to maintenance of an approved submitted standard, and to future versions of that standard; any requirements regarding the submission of future versions; and a description of how OASIS and the submission requesters expect to comply with those rules.
    > The OASIS OData Technical Committee will continue to maintain the OData v4.0 and OData JSON Format v4.0 OASIS Standards and produce future revisions of them. For this specific submission (OData v4.0 and OData JSON Format v4.0 OASIS Standards incorporating OASIS Approved Errata) to ISO/IEC JTC 1, OASIS will request to be named the "JTC 1 designated maintenance group" and will follow the required maintenance procedures (including Systematic Review). In the course of time, if there are substantive changes to OData v4.0 and OData JSON Format v4.0 (either via the Approved Errata process or through a new version), OASIS may submit the modified document (or future version) to ISO/IEC JTC 1 at some point in the future.
    > # - - - 8< - - -
    >
    > Hope this helps,
    > Stefan
    >
    > * * *
    > Stefan Hagen, Emmetten, Nidwalden, Switzerland.
    > orcid: https://orcid.org/0000-0003-4206-892X
    > read: https://stefan-hagen.website
    > talk: maybe
    > write: stefan@hagen.link


  • 6.  Submissions options (was) Re: [csaf] Re: ISO vs. ITU

    Posted 01-18-2023 20:46
    Hello and happy new year Thomas! (and TC experts)

    On track record:

    ISO via various committees has ebXML (7 parts and revisions over 15 years) and XLIFF.
    ISO/IEC JTC_1 via PAS direct submission has AMQP, MQTT, OData (2 revs), and UBL (update underway), and in part ODF (see below)
    ISO/IEC JTC_1 through its committees structure has ODF (3 revs, update underway) and PMRM (in review).
    ITU through its SG17 has CAP (2 revs), SAML, XACML (2 revs), and STIX/TAXII (in review).

    There are a few more cooking, not announced yet; and there are some isolated cases of submissions elsewhere, such as when we shared/split standards with IEC, W3C, CEN, the UN, and others.

    Our Liaison Policy governs external submissions. We take the submitting TC's or OP's preferences into account, though there can be other concerns, like IPR fit (do the licenses adequately match the recipient host), receptivity (versus 'NIH' syndrome), and willingness to accept our published work without changes.

    In the case of CSAF, we've committed our best-known threat intelligence submissions to ITU-T. Subject to confirming their positive reception this Spring, a submission to its SG 17 might make the most sense. Our colleague Duncan Sparrell is acting as liaison to ITU for purposes of shepherding the STIX/TAXII submission, so he might be able to share more about CSAF's likely reception there.

    You asked about joint submissions. We've never seen it done successfully. There are protocols for doing so, in annexes to the ITU-T and JTC_1 rules, but I am unaware of them being used in practice in our domain, and likely are more suitable to in-house development than approval of externally submitted works.

    Congratulations also to you, Omar and Diane on the great Dark Reading article.
    https://www.darkreading.com/threat-intelligence/csaf-is-the-future-of-vulnerability-management

    Cordially
    Jamie

    James Bryce Clark, General Counsel, OASIS Open, setting the standard for open collaboration

    On Wed, Jan 18, 2023 at 10:15 AM Schmidt, Thomas <thomas.schmidt@bsi.bund.de> wrote:

    > Hi Jamie, could you please tell us which OASIS standards / specifications have been submitted to a) ISO b) ITU? Which one would you recommend for CSAF and why?
    > Best regards,
    > Thomas