We need a process flow for specs to become standards #305

Open
camaleon2016 opened this issue Apr 2, 2024 · 7 comments
Labels
Content Updates/additions to TAC content/process. Must include a changelog entry. Needs 3 approvals. documentation Improvements or additions to documentation Next Meeting

Comments

@camaleon2016
Member

We need a process for a spec created in a Project to become a standard. We can build out what this looks like, but there should be a way for the TAC to be kept in the loop properly as specs go before any standards process.

@lehors
Contributor

lehors commented Apr 2, 2024

To be clear: this is about submitting an OpenSSF specification to a formal standards body such as JTC1.
I agree that we should decide what approval this requires. I don't know that we need to have a complicated process but this should at least have the approval from the TAC.

@SecurityCRob SecurityCRob added documentation Improvements or additions to documentation Content Updates/additions to TAC content/process. Must include a changelog entry. Needs 3 approvals. labels May 15, 2024
@sevansdell
Contributor

related: #337? two opportunities for improving tac process documentation related to specs.

@SecurityCRob
Contributor

has there been any progress on this issue?

@SecurityCRob
Contributor

Jory will be visiting us on 3Sept to discuss this and how we can move forward together on Standardization!

@SecurityCRob
Contributor

There are currently 4 specs that we should consider going through the standardization process:
1.) SLSA - https://github.com/slsa-framework/slsa
2.) sigstore - https://github.com/sigstore/
3.) OpenVEX - https://github.com/openvex
4.) OSV - https://github.com/ossf/osv-schema

@david-a-wheeler
Contributor

The EU typically prefers international standards. The EU's CRA has given many organizations an extra reason to be interested in formal standards.

So... I think we're going to see more interest in the days ahead in implementing these processes to convert specifications into international standards. Jory is exactly the right person to talk to about this.

@david-a-wheeler
Contributor

The Linux Foundation's Joint Development Foundation (JDF) specifically exists to help turn specifications into international standards. You don't need to re-invent that part (and you don't want to :-) ).

Getting the TAC's agreement that it's ready for the process seems valuable.


5 participants