This document is a response from OASIS, a global standards consortium, to the European Commission's public consultation on cloud computing. OASIS provides details about its organization and work producing data standards. It discusses issues around clarity of rights and responsibilities for cloud users and providers. OASIS also comments on topics like jurisdiction, interoperability, public sector use of clouds, and future research needs like improved identity management and testing tools to foster cloud adoption.

1. European Commission Public Consultation on Cloud Computing
Response of OASIS (www.oasis-open.org)
30 August 2011
1. Are you responding for a Company?
Yes.
2. Size in number of employees?
18. See question 6.
3. Sector?
Computing & Internet. See question 7.
4. Country where legally established?
United States.
5. Are you a Public Administration?
No.
6. Size in number of employees?
OASIS is a global standards consortium, with 18 employees and about 5000 participants
representing over 600 companies & individuals. We have advised our own members about
this inquiry, in case they wish to respond. Of course, their opinions are their own, and this
response does not represent the views of any of our member companies, governments or
individuals, but only the observations of OASIS professional staff.
7. Sector?
OASIS produces data standards for Computing & Internet activity in industry and
governments.
8. Country where legally established?
OASIS is a not-for-profit corporation established in the United States, with representatives
also in (among other places) China, France, Japan, the Netherlands and Switzerland.

2. 9. If you are not a company or a public administration, are you …
(Not applicable.)
10. If other, please explain.
(Not applicable.)
11. If you are a user of cloud services, please describe your current use of cloud computing.
What kind of problems do you encounter when using cloud computing solutions in the EU?
Elsewhere?
OASIS' operates as a global venue for collaborative voluntary standards development,
across many time zones, borders and languages, depend heavily on remote access and
participation capabilities. These include database-driven administration and archiving of our
technical committees' work, collaborative workspaces, and enterprise e-mail, the majority of
which are provided by third party services providers on a cloud or similar remote platform.
12. If you are a potential user but not active yet: What are the main reasons for not (or not
yet) using cloud computing?
In some cases, we have elected to purchase self-installed and self-hosted software for
mission-critical functions, and declined the alternative of purchasing cloud-based software-as-
a-service”. Sometimes this business decision was made in order to retain greater control
over the installation. In other cases, when we chose against a cloud service, our main reason
was greater certainty about the survivability of our access to our data if the software provider
failed.
13. If you are a provider of cloud services: Please describe your offer. What kind of barriers
do you face in providing your cloud computing services within the EU? Elsewhere?
We are not a traditional provider of computing services. However, as a widely-used open
standards consortium that hosts market-driven standards projects, our principal “products” are
forums and publications about data structure rules and consensus.
Many of our projects affect or provide guidance to cloud computing practices, generally
including our cybersecurity, electronic identity, SOA and web services, and content
management and semantic projects. (See the question below on “existing or emerging
standards” for a longer list.)
Among other things, OASIS also participates in and has provided experts to the
Standards and Interoperability for eInfrastructure implemeNtation InitiAtive (SIENA) project
(http://www.sienainitiative.eu/), and hosts the International Cloud Symposium (ICS) near
London in October, 2011 (http://events.oasis-open.org/home/cloud/2011), at which many of
these issues will be addressed.

3. Clouds for users
1. Do you feel that in the cloud services you are currently using or have been evaluating (or
are providing), the rights and responsibilities of both user and provider are clear?
Yes.
2. Please comment.
As a group of computing experts, OASIS may not be a typical corporate consumer of
cloud-based services: our degree of understanding of cloud-related contractual duties may
be unusual.
However, clarity is the not same thing as balance. Cloud service offerings often are mass
market offerings, made under terms wholly defined by the seller. While we may understand
the terms of cloud service contracts clearly, they may not always be attractive, marketable or
feasible.
3. Are you aware of the applicable jurisdiction in different types of disputes that could arise
during your provision or use (or potential future use) of specific cloud offerings?
Yes.
4. Is there an alternative approach to the determination of jurisdiction that may work better
for both users and providers?
Yes.
5. If yes, please comment.
As the differences among legal and regulatory requirements in different jurisdictions
become more clear, user preferences may respond to them, creating a “market” for the more
favorable legal frameworks. We already are aware of some instances where cloud services
users attempt to choose their governing law by preferring hosts venued in some locations
rather than others.
The demands of some states that a global Internet service establish local servers also
point to the significance, in some minds, of physical location and jurisdiction.
Governments may wish to consider how to better cooperate, in applying laws to multi-
national entities who serve global customer bases from a given set of locations. Is it possible
to work towards a multi-national reciprocity model, where the exact location of a service's
server becomes less significant?
6. Please comment.
[No answer.]
7. Do you feel that the question of liability in cross-border situations is clear for cloud users
and cloud providers?
No.

4. 8. Why?
There often is a definitive answer. In order to learn it, though, a buyer or user must
navigate and analyze long textual conditions which may not be clear to average readers: the
terms may not be obvious, conspicuous or easy to comprehend. It seems likely that many
consumers of many cloud computing services do not know anything about the legal
conditions under which they consume the service.
However, exclusive jurisdiction clauses are not a new development. Service contracts
where providers specify that they may only be sued in their home jurisdiction long predate
cloud computing. Many transactions in the commercial (“B2B”) sector address the application
of cross-border law to multi-party situations without difficulty.
The economics of cloud computing services may not always adapt well to traditional legal
resolution. In a tangible commercial shipping contract -- goods and services exchanged in
high-denomination transactions -- the amount at stake may support significant costs to
resolve disputes. In contrast, cloud computing services often are offered in small,
componentized units, and often on an inexpensive or even free basis. Traditional high-cost
litigation & contract enforcement methods may not be efficient for resolving disputes about a
large volume of small-value data transactions.
Legislative Framework
1. Do you think there are updates to the current EU Data Protection Directive that could
further facilitate Cloud Computing while preserving the level of protection?
[No answer.]
2. If yes, please explain.
[No answer]
3. Are you aware of specificities in Member State data protection rules, or other legislation,
that prevent you from using/providing cloud services within the EU?
Yes.
4. If yes, please detail.
In some cases, we are interested is in conducting message exchanges that produce
legally enforceable transactions or agreements. This sometimes will require that the entities
who exchange messages, or their representatives, are able to associate binding assurances
of identity and contractual assent – the electronic equivalent of signatures. But the technical
standards for acceptable and enforceable electronic signatures vary from state to state, and
the requirements of the laws may not apply well to existing technology alternatives. For
example, the European Directive on Electronic Signatures (1999/93/EC), and certain member
state enactments such as the German “SigG” Law Governing Framework Conditions for
Electronic Signatures (Bundesgesetzblatt – BGBl, Teil I S. 876, 21 May 2001), describe and
favor some specific anticipated “advanced” technologies that were anticipated as desirable, at

5. the time, but may or may not have developed into feasible, widely available options, in the
decade since then.
5. From your perspective, would it be useful if model Service Level Agreements or End User
Agreement existed for cloud services so that certain basic terms and conditions could easily
be incorporated into the contractual agreements.
Yes.
6. If no, why not?
[Note our caution about mandated solutions, below.]
7. If yes, further thoughts about how this might work.
Model forms, as such, probably would be very helpful in the still-early commercial and
legal development of the industry and its transaction forms.
However, a prescriptive set of forms that is imposed on transactions, rather than one that
evolves from market practices, might quell the natural market development of risk allocation
options and new service models, as clouds evolve. Government traditionally provides some
market stability though fair trade / anti-deceptive-practice laws, regulation of clarity and
personal privacy, and mechanisms for cross-border dispute resolution. Those functions,
properly carried out, ought to facilitate a robust cloud computing market of services, allowing
various economic models and technology offerings to circulate and compete.
Embracing interoperability
1. Please describe interoperability or (data) portability issues you have encountered when
using/providing cloud services or are otherwise aware of.
In the case of commercial databases, limited early data export capabilities eventually
gave way to widespread shared service interfaces and formats (like ODBC, JDBC and XML).
We expect that widespread adoption of cloud computing will be enabled in the same way by
open standards. Users will be able to confidently rely on cloud services, when there are
widely-known and freely-available methods for data exchange and for service discovery and
service invocation. These will reduce the risk of vendor lock-in, and reduce the costs of re-
tooling in order to add a new supplier. Realizing those benefits will require the use of stable
standards, created in an open process, with well-established licensing terms and disclosure,
and housed by reliable, vendor-neutral development environments.
2. Which existing or emerging standards support interoperability across clouds and portability
of data (from one cloud to another)? Please list and describe.
Quite a few may apply. Among others,
(a) Interoperable data content & semantic meaning is supported by OASIS'
OpenDocument, DITA, CMIS, QUOMOS, UnitsML, XRI/XRD & Search Web Services;
W3C's HTML, XML & RDF; and CLIF (ISO/IEC 24707);

6. (b) Reliable data exchanges, wide-area identity management & access control are
supported by OASIS' XACML, ID-Cloud, WS-Trust, XSPA, ebXML Messaging, WS-
ReliableMessaging, SOA-RM, S-RAMP and ebXML Registry (some of which have been
cloud-optimized); OpenID and the Kantara ID-FF; and
(c) Appropriate security & privacy are supported by OASIS' SAML, WS-Security &
PMRM, IETF's OAuth and W3C's P3P.
One caution: browser-session-centric models from the consumer (B2C) sphere may have
limited application to complex cloud (B2B and G2B) requirements.
3. What are the most important standards that are currently missing but which you feel are
necessary to insure interoperability and portability? Please describe in detail the aspects
they should cover.
Many of the needed functionalities for robust interoperable cloud services already exist, in
established SOA, virtualization, transaction management and other computing and business
process methods. It's important to acknowledge that implementation of capabilities in “the
cloud” often does not require a completely new set of technical or business systems.
In a highly-distributed, highly-heterogenous ecosystem of cloud computing services,
choosing stable open standards is a necessary part of the solution.
As an additional suitability filter, it may also prove important to employ only standards that
are relatively free of obstacles to adoption. Aggregated chains of networked data transactions
among strangers and newcomers, triggering the economic benefits of an open networked
market, are much more likely to occur if the base standards which participants must embrace
are:
(a) clear and easy to deploy;
(b) well documented;
(c) relatively free of licensing complexity or cost;
(d) capable of optionality to support multiple platforms and designs; and
(e) readily testable.
As noted above, the lack of existing widely-agreed federatable standards for identity
provisioning and management retards the spread of markets of high-value data transactions,
by impairing the ability of users to enter into reliable, repeated data exchanges with
identifiable counterparties.
Public sector clouds
1. What can the public sector do as a cloud user to support the emergence of best
practices?
(a) Publish and circulate its own RfPs and bid documents as models.
(b) Require the use of vendor-neutral, interoperable methods that support the open
standards ecology.
(c) Participate actively (as some government agencies already do) as instigators and
contributors to the development and maintenance of those shared resources (like
standards projects and common repositories).
(d) Deploy its own data architectures on a service-based, open-API model that
models and encourages virtuous re-use.

7. (e) Simplify its own copyright & similar licensure terms, where applicable, to remove
transactional-complexity barriers to reuse.
2. Please elaborate in particular on public procurement of cloud services.
Government use of cloud services for critical functions raises some additional possible
jurisdictional issues. Multiple nations have sought local server co-location from various global
data providers in the last few years -- often unsuccessfully, and presumably driven in part by a
desire for physical jurisdictional ability to enforce their rights against the services. A
preferable solution may be: (a) the development of service models and remediation methods
that give a purchasing government some reasonable remedies & assurance of reliability and
recovery, regardless of service provider location; and (b) significant demands for more
portable and replicable data & services, so that a purchasing government can readily maintain
multiply redundant backup capabilities, as protection against the risks of any one provider.
3. In particular, can the deployment of eGovernment and eScience infrastructures by the
public sector act as an example for other sectors?
E-government service offerings often serve as early lead instances of data transactions
that provide models for other sectors to follow. The strong roles of government agencies in
the initial development of the Internet itself, as well as automated supply chain and invoicing
transactions and e-health transactions, evidence this. If public administrations insist on, and
help measure and define, levels of predictability, reliability and interoperability, those
instances may serve as positive models that influence the commercial markets for cloud
services as well.
4. Please list Member State initiatives in the area of Cloud Computing that you are aware of.
Many of our standards and experts have been involved at the regional level on large-
scale, Commission-promoted projects like PEPPOL (http://www.peppol.eu/), eCODEX
(http://www.ecodex.eu/), SIENA (http://www.sienainitiative.eu/) and SPOCS (http://www.eu-
spocs.eu/). While these are not technology research projects, they are deployment plans,
each of which assume wide-spread data and transaction promulgation that necessarily relies
in large part on cloud methodologies and services.
5. Do you think they are [adequate / go too far / not enough]?
[No answer.]
6. Please elaborate.
[No answer.]
7. How can Member States best cooperate to create interoperability solutions and shared
best practices?
By participating in, and donating their relevant nonconfidential use cases to, open
standardization projects.

8. Future Research and Innovation programmes
1. Which are the most important technical aspects of cloud computing that researchers are
currently working on?
While the list of useful research fields in this general topic area is long, as a data
standards organization, we are particularly interested in:
(a) common models for data registries, directories and repositories, in support of
complex transaction models and data governance;
(b) federated identity provisioning and management, to enable reliable electronic
interchanges with reasonably known parties;
(c) data transformation, modeling, mapping and interface methods that may help
bring about greater interoperability and data portability across diverse systems (and better
service recovery); and
(d) tools and methods that make conformance and interoperability tests more widely
available and useable.
2. Beyond these, do you see technical problems/limitations of current cloud service offerings
that will require further research in the coming years?
Yes.
3. Please elaborate.
Interoperability and conformance testing is a sine qua non requirement of growing open
markets of transactional capabilities that rely on shared data structures (like open standards).
But the prevailing model is one of large, relatively expensive testing, episodically gated by
software release schedules. As the desire to participate in data exchanges spreads to a
much larger group of new and diverse entrants, we will experience a need for easier, simpler
and self-help-oriented testing and validation mechanisms. Research to design and facilitate
the evolution of services and tools for "DIY" or "nanotesting" would be helpful to widespread
adoption and market growth.
Also, current computing security models, to a large extent, were developed in the context
of centralized controls and select trusted systems. The different risks and needs of widely-
distributed and loosely-coupled data transactions, in a cloud environment, are still in early
stages of definition. So cloud-based services do not yet always have the benefit of widely-
known and widely-implemented security guidance.
4. Should public R&I funding be used to establish prototypes of new cloud infrastructures?
Yes.
5. If yes, please describe types of projects/prototypes you would see as useful, and explain
why.
Ideally, public authorities would develop cloud capabilities to fulfill their own business and
policy functions more effectively. These, if well documented and designed, could serve
"double duty" also as prototypes and models for further similar developments in other sectors.

9. Global solutions for global problems
1. What are the most important Cloud Computing solutions that have to be discussed at the
global level? Please list and explain.
(a) Identify pre-existing standards-based solutions already in use, likely in sets with
multiple possible combinations, in the areas of security, content representation, access
control (identity/privacy), and service deployment & access, to demonstrate the
immediate feasibility of reliable, interoperable cloud functions.
(b) Seek collaboration on vocabulary, identifier and data architecture resources for
use in wide-scale service discovery and service invocation.
(c) International cooperation (including reciprocity and comity) on practical
resolutions to cloud computing jurisdictional issues.
(d) Promote automatable representation of policy and rule constraints on cloud
transactions & exchanges.
2. What would be the right fora/approaches to tackle them? Please expand.
Carefully-scoped and government-encouraged cooperative work by established open
standards bodies with relevant expertise.
Respectfully submitted,
James Bryce Clark, General Counsel, for OASIS