
Re: XML Signature is "evil" ;-))

From: Nyk Cowham <nyk@forumone.com>
Date: Sun, 9 Dec 2001 12:37:11 -0500
Cc: Svgdeveloper@aol.com, w3c-ietf-xmldsig@w3.org
To: "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>
Message-Id: <6050CEB2-ECCB-11D5-9F23-0050E4D0A116@forumone.com>
>>>> When I see an article that refers to "Draft Standard" (capitalised) stage for
>>>> a W3C specification, I have to ask if the author understands W3C process.
>>> On the other hand, if you know the first thing about IETF process then you
>>> know that "Draft Standard" is the step after "Proposed Standard" and before
>>> "Standard", and it's a lot more official than the word "Draft" makes it
>>> sound.
>> The above was sent to me off list and raises, from my point of view, an issue
>> relating to IETF process which I hope isn't too off topic.
>> Some list members may be aware that a reason W3C issues "Recommendations"
>> rather than "Standards" is that W3C is a non-governmental body and, so I
>> understand, only inter-governmental bodies have an official right to issue
>> "Standards".
> The opinion of many people in the IETF is that the above is
> superstition.  In fact, the status of something as being mandated by
> government immediately makes some IETF people suspicious.  After all,
> if a network protocol was worth anything, people would use it
> spontaneously and the greatest strength of the early IETF efforts was
> that they were not even just purely voluntary but their adoption was
> actively discouraged by most civil governments.

Basically it comes down to quibbling over terminology. What makes a 
specification a standard is the degree to which compliance is 
achieved, not how that compliance was achieved. For example, the Simple 
API for XML (SAX) is not a W3C Recommendation in the way that DOM is, 
but it is clearly a standard XML API in the sense that the majority of 
programmers and software component vendors have agreed to adopt it. 
Another example would be Sun's J2EE specification. Whether you call a 
standard a 'Standard', or a Recommendation or a Specification it is the 
level of compliance that is the only true measure.

>> What is IETF's viewpoint on issuing "Standards"? Is it, implicitly, claiming
>> that an IETF "Standard" is legitimately so named?
> Surely it's implicit and obvious from the IETF documents which give the
> procedures for the issuance of what the IETF and virtually everyone
> else in the universe calls standards? Are you actually being so
> pedantic as to make a distinction based on the capitalization in
> English of the word S/standard? How is this different from the PKCS
> series of Public Key Cryptographic Standards issued by RSA or the
> zillions of other standards issued by consortia and companies? Given
> the demonstrated incompetence of governments at promulgating
> successful internetworking protocols, why should they have some magic
> monopoly on the word "standard"?

If you stop and think about it, the government couldn't possibly afford 
to rubber stamp every standard. Every sector, industry and professional 
group has a body of standards that are maintained by appropriate 
consortia, working groups and standards organizations, just for the 
government to give a nod of approval to all the standards that exist 
would cost billions each year to administer. In the US this nod of 
approval is usually delegated to the American National Standards 
Institute (ANSI), a private non-profit organization.

Governments will only intervene in the standards process where the 
mutual interests of commerce are threatened, the canonical example being 
'weights and measures' and the standard national currency that were 
first formalized in the Magna Carta:

"Let there be one measure for wine throughout our kingdom, and one 
measure for ale, and one measure for corn, namely 'the London quarter'; 
and one width for cloths whether dyed, russet or halberget, namely two 
ells within the selvedges. Let it be the same with weights as with 

And also within the US constitution:

"To coin money, regulate the value thereof, and of foreign coin, and fix 
the standard of weights and measures… "

Note the lack of capitalization on the word 'standard' :-)

>> I am not trying to start a flame war or any such thing. But it does seem
>> potentially confusing that IETF issues "Standards", given what I understand
>> to be the status of IETF.
> Although it was common in the early days of the IETF, I haven't heard
> anyone raise the issue you do for over five years. It's sort of
> refreshing, actually... If governments want to impress people who are
> impressed by governments, they should label their stuff "government
> standards" to avoid confusion.

In most cases this is abundantly clear already. The federal government 
via the Department of Commerce standards agency, the National Institute 
of Standards and Technology (NIST) publish standards for use with federal 
government computer systems (Federal Information Processing Standards or 
FIPS). The FIPS are published in the Federal Register and only govern 
standards for use within government agencies and private organizations 
that communicate with those systems; they do not restrict the standards 
activities of industry. In fact, NIST are legally mandated to adopt 
voluntary industry standards where they are available and only publish 
FIPS in the absence of such standards:

"In accordance with the National Technology Transfer and Advancement Act 
of 1995 (Public Law 104-113) and Administration policies, NIST supports 
the development of voluntary industry standards both nationally and 
internationally as the preferred source of standards to be used by the 
Federal government. The use of voluntary industry standards eliminates 
the cost to the government of developing its own standards, and furthers 
the policy of reliance upon the private sector to supply goods and 
services to the government." 

Clearly federal standards are considered the special case and not the 
norm. Voluntary standards constitute the vast majority of current 
standards with which even the federal government prefer to comply.

Nyk Cowham
Received on Sunday, 9 December 2001 12:37:11 UTC
