WEBVTT

00:00.000 --> 00:10.400
All right, cool. Hi again, for those of you that were here earlier. So my name is Tobie

00:10.400 --> 00:17.640
Langel. I run a small consulting firm where I focus on open source standards. And so

00:17.640 --> 00:21.880
today I'm going to talk to you about open source compatible standards, or open

00:21.880 --> 00:26.760
source compatible standardization. This is very much a sort of mashed-up version of a longer

00:26.760 --> 00:32.360
talk. The slides, the longer slides, are available online if you want the whole thing.

00:32.360 --> 00:36.600
So I'm going to give you a tiny bit of context, talk about the interplay between standards

00:36.600 --> 00:41.640
and legislation, talk about OpenStand, which is a related, successful earlier attempt

00:41.640 --> 00:47.200
at creating something that is open source compatible, or close enough, and define a bit more

00:47.200 --> 00:52.040
precisely what I mean by open source compatible standards, and sort of offer a way to move

00:52.040 --> 01:00.320
forward. So, context: there is a rush towards standardization of open source security best

01:00.320 --> 01:08.120
practices, thanks to the Cyber Resilience Act. And there is a bit of friction because

01:08.120 --> 01:15.800
the organizations who are responsible for the standardization for this legislation and the

01:15.800 --> 01:20.720
related legislation are essentially publishers. Like, their business model is selling

01:20.720 --> 01:27.480
standards. And this is a gross approximation, but it's good enough to have this conversation.

01:27.480 --> 01:32.600
And if the standards need to be sold, then it's usually hard to make them freely available.

01:32.600 --> 01:39.440
And so of course that is hardly compatible with the way that open source is developed

01:39.440 --> 01:45.040
and maintained. And so we have a problem not only for creating those standards in the first

01:45.040 --> 01:50.520
place, but also for then consuming them. And this is not a new problem, but now

01:50.520 --> 01:56.760
there's a forcing function to try and address this. So there's been a really long

01:56.760 --> 02:04.200
history of interplay between standardization and legislation. Originally it was driven

02:04.200 --> 02:11.480
in the industrial age by safety concerns, when you had dangerous machines that were built,

02:11.480 --> 02:19.640
like trains and things like this. So that was kind of a forcing function for this

02:19.720 --> 02:25.800
interplay: interoperability issues, trade, competition. And that really drove governments

02:25.800 --> 02:31.160
to push for standardization from the industrial revolution onwards. And that was really,

02:31.160 --> 02:36.440
really, really accelerated with the First World War. And you know, the other aspect of this

02:36.440 --> 02:42.520
is the liability risk. It has driven practitioners to essentially adopt standards or best practices,

02:42.520 --> 02:46.840
because it is really nice to be able to say, when you get sued for something that goes

02:46.840 --> 02:51.800
way wrong, that you've actually done your job properly. You can point to a document that shows

02:51.800 --> 02:58.840
that. So you really have these two sort of original aspects. And this has since been

02:58.840 --> 03:08.520
formalized in Europe through the New Legislative Framework, where essentially it was recognized

03:08.600 --> 03:19.400
that from the perspective of legislators, it was best to leave the formalization of best practices

03:19.400 --> 03:24.920
to the actual people doing it, and have some form of interplay and structure to make sure that

03:24.920 --> 03:32.840
that was done in a proper way. And so that enabled moving faster and being able to adapt to

03:33.400 --> 03:39.640
technological innovation faster than it would if it was only legislation. And yeah, it's been,

03:39.640 --> 03:45.240
you know, formalized in Europe through the New Legislative Framework and by adopting the concept

03:45.240 --> 03:51.400
of harmonized standards, which are approved by the European Commission and create a presumption of

03:51.400 --> 03:57.880
conformity. So if you implement them, that helps you essentially say that you are meeting the legal

03:57.960 --> 04:11.080
requirements, the legal compliance requirements. So of course the impact of formalizing the role of

04:11.080 --> 04:19.000
standards in legislation essentially creates the distinction that if standards become part of legislation

04:19.000 --> 04:27.640
and aren't really accessible, then legislation itself isn't. And this was successfully argued

04:27.640 --> 04:41.560
in court recently. And the solutions that were designed for this, of course, have to kind of

04:41.560 --> 04:48.040
preserve the business model of the existing standards organizations. And so while it's, you know,

04:48.040 --> 04:53.240
to some degree a step forward, it also doesn't really solve the underlying problem of standardization

04:53.240 --> 05:01.960
of software, and open source in particular. All of this is in very broad strokes to set the context,

05:01.960 --> 05:07.640
just to be clear, because of the time constraints. And there are nuances in all of these different

05:07.640 --> 05:23.080
points. So, yeah, this tension between the business models of traditional

05:23.080 --> 05:34.360
standards organizations and the needs of the IT industry has existed for a long time. And in 2012,

05:34.360 --> 05:41.880
IEEE, the Internet Architecture Board, IETF, ISOC, and W3C created this concept called OpenStand,

05:41.880 --> 05:49.480
which was essentially a way to formalize and market the way that they were doing standards,

05:50.360 --> 05:57.480
which was built in a much more open way and also made, in general, freely available.

05:57.880 --> 06:04.520
And in technology and in the IT sector in general, when people talk about standards, that's what they

06:04.520 --> 06:12.200
think of. But this is very different from the standards from the European standards organizations.

06:12.200 --> 06:18.200
The processes and the outputs are very different, and their legal significance is also very different.

06:18.280 --> 06:28.360
So, what is an open source compatible standard? Well, essentially, it's what OpenStand is,

06:29.560 --> 06:37.320
which is a well-understood system that's been very successful for lots of organizations

06:37.320 --> 06:44.040
in the past. And it's OpenStand plus essentially these three things, right?

06:44.040 --> 06:52.680
The output of the process itself has to have some form of permissive, open-source-seed-like

06:52.680 --> 06:59.400
license, regardless of what it is, right? Notably so it can be forked. This might be unpleasant for

06:59.400 --> 07:06.120
some organizations, but actually making sure that standards can be worked on elsewhere if they're

07:06.120 --> 07:11.400
stalled somewhere has proven to be very, very useful in the past on a number of occasions.

07:12.280 --> 07:17.320
That's not a necessity, but it's something that's very useful. The second, of course, is that the

07:17.320 --> 07:24.920
standard has to be available for free in an open format. And then, oh, there are four points,

07:24.920 --> 07:30.440
you just don't see it here, because it's green on green. Sorry. The third point is that it must

07:30.440 --> 07:36.200
be royalty free. It must not be encumbered by patents, right? You cannot force upon the open source

07:36.200 --> 07:42.360
community standards that would require paying patent fees just to implement them.

07:43.560 --> 07:49.800
And then, lastly, the participation model, like how you build the standards themselves, has to

07:49.800 --> 07:57.720
essentially be compatible with the way open source works, with an open ecosystem that's international and across

07:57.720 --> 08:04.680
lots of different trades. So, one of the things is we actually have a pretty good definition

08:05.000 --> 08:10.120
of this that's been around. Oh, really? Oh, sorry. So, I'm going to wrap it up in a second.

08:10.120 --> 08:18.520
I thought my timer was right. Okay. So, yes. So, the Open Source Initiative has a nearly

08:18.520 --> 08:22.840
perfect definition since 2006, which is called the Open Standards Requirement for Software. I

08:22.840 --> 08:27.880
encourage you to go have a look at it. We really, apparently, are not very good at marketing this,

08:27.880 --> 08:32.920
right? Because I hadn't heard of it. And so, you know, to close the point, I think we have a

08:32.920 --> 08:37.960
really big opportunity right now. With OSI's definition, we have a pretty good definition of what

08:37.960 --> 08:44.520
we need. With OpenStand, we have a playbook of actually how to push something forward like this.

08:45.240 --> 08:50.600
The CRA-related standardization effort that I'm very much in the weeds of right now

08:50.600 --> 08:57.560
gives us an in-the-trenches way to experience this and feel the pain and figure out solutions.

08:57.560 --> 09:04.280
And there is an upcoming revision of Regulation 1025, which gives us this window of opportunity to try

09:04.280 --> 09:11.160
and make the European standardization process more compatible with open source and software in general.

09:11.160 --> 09:13.160
Thank you.