Greetings!
While the IIC sounds like an interesting TC, I have several
comments/questions about its charter.
It isn't clear what this TC intends to work on.
For example:
> The purpose of the OASIS Identity in the Clouds TC is to collect and harmonize definitions, terminologies and vocabulary of Cloud Computing.
That sounds like a worthwhile task but standardizing a vocabulary for an
entire field would at a minimum require the participation by a majority
of the *existing* major players. Like Amazon, Google, Microsoft, Oracle,
just to name some off the top of my head, there are others.
Statements like:
> The TC will collect use cases to help identify gaps in existing Identity Management standards. The uses cases will be used to identify gaps in current standards and investigate the need for profiles for achieving interoperability with in current standards. Additionally, the use cases will be used to perform risk and threat analyses, leading to suggestions for how to means to then and mitigate identified risks and the threats and vulnerabilities.
don't help much because they fail to identify what standards are going to
be investigated for these alleged "gaps." Nor how creating yet another
vocabulary (different from the ones already in use) is actually going to
make things better.
I suppose I was expecting the scope statement to narrow things down but
there I find:
> The TC may identify existing definitions, terminologies and vocabulary of Identity in the context of Cloud Computing for harmonizing the definitions, terminologies and vocabulary as the TC determines.
Well..., either the TC is going to try to harmonize the terms used by
other standards, a task of dubious value other than for mapping
purposes, or it's not. The "may identify" and other "may" statements
make me feel like the TC proposers have yet to reach agreement on the
goals of the TC.
Post-charter approval is a very bad time to reach a consensus on the
purpose of a TC. Trust me on this one. It just doesn't work well. Voice
of experience.
Note I am not saying that any or all of these goals aren't worthy ones
and certainly worth being pursued in OASIS. But, say what the TC will or
won't do up front. Or as I say in my reviews of OASIS standards, don't
be timid about what a standard requires. Right or wrong, say it clearly
and distinctly.
BTW, under the non-normative information I am *not* encouraged by:
> (2)(a) Identification of similar or applicable work that is being done in other OASIS TCs or by other organizations, why there is a need for another effort in this area and how this proposed TC will be different, and what level of liaison will be pursued with these other organizations.
That is part of the normal background work that *precedes* the proposal
of an OASIS TC. In detail. How else are we to decide if the proposed
work overlaps already existing work in other forums? Or that it should
be suggested that the TC expand or contract its charter to take in an
issue not being addressed elsewhere?
A revision of this charter should:
1) Identify all existing standards and organizations that have standards
that the proposers think are relevant to identity issues in the Cloud.
(If this isn't already known, withdraw the charter and wait until it and
other issues are resolved before re-submitting.)
2) Illustrate, with one or two examples, the alleged "gaps" in existing work.
3) State with certainty what the TC would *do* about those gaps. Not
that it "may" do this, that or the other thing, maybe. That isn't the
characteristic of a standard or a standards TC.
4) Define the relationship of the work product of the proposed TC to the
existing standards.
5) List the organizations (possibly cover this under #1) that are
relevant and who already have liaisons with OASIS. So as to put OASIS on
notice that it may need additional liaisons at the organizational level.
Identify among the proposers, members of those other organizations.
6) For specific issues, like risk assessment, a topic of some currency,
identify specific government agencies concerned with those issues and
broaden the base of the TC at the outset. Protecting credit card data in
a cloud may seem like a big issue, but monitoring the use of cloud
computing for weapons development is something entirely different.
Some of those agencies have spent years doing nothing but thinking about
identity and security issues. Really should take advantage of that
experience, at least the parts of it that they can share.
Very worthwhile work that merits more of a workup than it has gotten for
this charter.
Hope everyone is having a great week!
Patrick
--
Patrick Durusau
patrick@durusau.net
Chair, V1 - US TAG to JTC 1/SC 34
Convener, JTC 1/SC 34/WG 3 (Topic Maps)
Editor, OpenDocument Format TC (OASIS), Project Editor ISO/IEC 26300
Co-Editor, ISO/IEC 13250-1, 13250-5 (Topic Maps)