Re: Interested in CRA standards for network management systems?

On 7/12/25 16:53, Paul Menzel wrote:
Dear Marcos, dear Valerie,

On 11.07.25 at 08:35, Marcos Sanz wrote:
On 07.07.25 at 18:15, Valerie Aurora via opensource-wg wrote:
I'm part of the team that is developing the CRA vertical standard for network management systems.

Excuse my ignorance, but what is CRA?

Cyber Resilience Act. Valerie seems to be involved in this (which I admire): https://www.etsi.org/newsroom/press-releases/2545-etsi-leverages-global-technical-expertise-to-support-the-eu-cyber-resilience-act
That's the one. :) Thanks for replying and for the compliment!
Thank you. I didn’t make the connection, that from that low a standardization progress follows. Being ignorant about standards, I wonder what the difference between a server and switch is supposed to be, and why “network management systems” and servers should be treated differently.
The short version is, "because the people who wrote the legislation thought they should be." :)

More seriously, these categories are being clarified and redefined, and part of the work is using our technical expertise to define things better. They are also trying to distinguish different types and levels of risk. If someone compromises a single router, they can misroute or sniff traffic or MiM or inject garbage at that point. If someone compromises a network management system, they can order all the network devices it manages to update their config to trust and route through a malicious router, or simply go offline.

Speaking of, I could still use someone with open source NMS experience interested in sitting in on a 2 hour meeting every 2 weeks for the next few months. Let me know if you are interested and I will tell you more. :)

Valerie