Hot take: ISO standards do not meaningfully matter to me, because an extremely impoverished, unbanked person cannot freely access their contents from a smartphone or library computer.

Therefore, I go out of my way to avoid referring to them or relying on them in any way.

@soatok ISO standards are behind a fuckin paywall?

jesus christ

@matildalove always have been
@soatok @matildalove You can often get almost final drafts "legally", but yeah, they have always been paywalled...
@joxean @soatok @matildalove Most of the world's standards are. ISO, BS, ANSI... It's a pain in the butt.
My local library used to have a BSOL subscription but that's been culled - only available at one library, and only with one of the librarians watching over you so you don't download anything... it's absurd.
They'd be more accessible if they had a bookshelf full of the printed copies.
@philpem @joxean @soatok @matildalove one big reason that NIST standards dominate cryptography is because they are public domain. Turns out, if you want people to use your stuff, you better tell them how to write stuff compatible with it.

@sophieschmieg @philpem @joxean @soatok @matildalove NIST's process seems very much like the ISO process, except rather than selling copies of the standard to pay for it, it's funded by the US government.

(I've only participated in the ISO process myself so I'm sure there are details that are different, but the kind of proposal mechanism looked very similar for e.g. SHA-3 from the outside)

@malwareminigun @philpem @joxean @soatok @matildalove
NIST has a team that actually writes the standards. The cryptographic competitions are, as far as I know, the exception to the rule (and even there, NIST puts substantial effort into evaluating and writing the final standard compared to the submissions). As far as I know, ISO standards are written by volunteers, more similar to IETF standards than to NIST.

@sophieschmieg @malwareminigun @philpem @joxean @soatok @matildalove

Waitwut

“as far as I know ISO standards are written by volunteers”.

So written by volunteers, and then paywalled? Do they want to be Elsevier when they grow up?!

@avuko @sophieschmieg @philpem @joxean @soatok @matildalove The volunteers are usually employed by people who care about the standard. For example, I attended WG21 (the C++ committee) meetings while employed by Microsoft as one of the maintainers of the standard library.

@malwareminigun @avuko @philpem @joxean @soatok @matildalove

They are arguably worse than Elsevier: at least with journals, you can buy institutional access to their entire portfolio at a huge discount over paying for every single paper separately. With ISO, you can't. You literally have to buy access to every single standard, and you are not allowed to share one copy of the standard between multiple engineers.

Billy O'Neal (@[email protected])

@[email protected] It's one of those problems everyone hates but nobody has good solutions for. ISO provides the lawyers + legal framework to allow competitors to work together on a standard without being sued into oblivion under anti-trust laws, and lawyers have to get paid for somehow. There are standards that have left ISO, the most notable being POSIX. I'm not sure how that works.
