Wednesday 25 September 2019

Accessing and Inspecting Draft IEEE Standards

This is going to be a quick blog post on how you can access IEEE standards. I'll also show how you can follow ongoing discussions, at least to some extent.

Why Inspect Drafts

Security protocols tend to fail when they are developed behind closed doors. They also fail when it's too hard to join discussions. We saw this with WPA3: its Dragonfly handshake was standardized in the IEEE 802.11 standard back in 2011, and there was little involvement of security researchers at the time. Only when attempts were made to standardize Dragonfly for TLS was there significant feedback and criticism, due to the much more open nature of TLS.

Official Solutions

Technically, anyone can give comments on draft IEEE standards by paying money. This is called the IEEE-SA Public Review. During a period of 60 days, you can buy a draft version of the standard. You can then submit a comment, and the working group that is responsible for the standard is required to give a reply:
"The Working Group will consider your comments and provide a response. You will be able to view the responses in the IEEE SA Public Review system."
While this is something, most researchers won't use it. The biggest obstacle is that you don't know whether the standard will be interesting to analyze before buying it. Often you quickly skim a new standard and conclude that there's nothing worth researching. This can have multiple reasons: the standard looks secure, it's outside your area of expertise, researching it will be more time-consuming than expected, and so on.

One might assume that another option is becoming an IEEE member. However, IEEE membership alone does not give access to standards under development. And even if it did, it would have the same problem as the IEEE-SA Public Review: few will become members merely to take a quick look at a standard.

Published standards can be downloaded for free after 6 months through the IEEE GET Program. While this is certainly useful, waiting 6 months is too long. After this time it's no longer possible to influence the standard, and vendors will already be implementing it.

Unofficial Solution: Send a Mail!

There's one other way to research and discuss upcoming IEEE standards:
  1. Most working groups (802.11, 802.15, 802.19, etc.) publicly host their working documents. This includes presentations that propose new extensions, draft amendments, meeting notes, and so on. You can search through these with Google using "search terms site:mentor.ieee.org". It can be difficult to understand amendments this way, but it allows you to determine what they are working on, and whether it would be interesting to research.
  2. If there is something you want to give feedback on, or research in more detail, you can try emailing the people who are working on it. E-mail addresses should be available in the documents you find on mentor.ieee.org. Hopefully they can then bring you up to date on the latest progress in the draft standard.
This unfortunately isn't an official solution. You need some luck with finding and understanding publicly available documents, and finding IEEE members that want to discuss things with you. Nevertheless, this has worked for me in the past. Already having done research in this area will help (e.g. research on already published versions of the standard).

A Better Future?

Before dishing out too much criticism, let's remember a similar situation in academia: a large number of papers are locked behind paywalls. We're slowly changing this by having more open access policies, but unfortunately large and systematic change takes time. The same will be true for industry standards: major changes will take time. Fortunately, there are some steps we can take right now: researchers can contact the IEEE, or more precisely IEEE members who are working on new standards, and ask for access to draft standards. Likely they'll be happy to discuss things and get feedback, and this might slowly result in more collaboration.

Perhaps one solution is that members of organizations such as the International Association for Cryptologic Research (IACR) can become IEEE members without having to pay fees. Or at least have a membership type where you can only inspect standards. Such collaborations would make it easier for academics to inspect standards, while still having some control over who can access them.