ONVIF Affirms No Policing, Abuse Away!

By John Honovich, Published Apr 08, 2014, 12:00am EDT

Surely you have gotten emails or seen brochures from crappy companies who claim to be ONVIF conformant, even though they are not found on the ONVIF official list [link no longer available]. Or worse, two 'officially' conformant products have failed to work together.

You may wonder to yourself, "How can this be?"

And the more skeptical of you might even think, "Why would ONVIF allow this? Are they just uninterested in policing or protecting their own standard?"

Alas, you would be correct and here it is from the Chairman himself.

** *** ***** *****, *****'* ******** declares **** "***** ** *** * policing ************", ****** ********** "** ** enabler" *** "****(*) *** ******** ** manage **** ** *** **** ******** way", ********* ******** ******** ******* ** test ***** *********** **********.

**** ** ******. ** ***** ***** a ******** **** *** ****** ******, it *** ** ****** ***** ****** and '******' ** ******** **** ******** people *** **** **, ******* ****** to ****** ******* *** *** ***** own *****.

**** ** ***** ** **** **** is ******* *****'* ******** *** *** a ************. ***** ******** **** **** on *** ***** *** **** ********* do ******* ***** ****.

Conspiracy *********

********** ********* **** ** ***** **** Axis ** ********** ***** ** *******. And **** *** ***** ******** / Axis ******** [**** ** ****** *********] makes **** ** **************** *********, ** does ******** *****.

***** *** ******* ** ** ***** him *** *********, "***, * ** going ** *********** *** ***** *** just **** *** **** **** ** it. **** ** *** *****?" *********, his ****** ***** *** ** ** emphasise **** **** ******** **** ******** its ************ ******** *** **********.

Observer ******* **************

** *** *****, *****'* ******** ********** the **** ** *** ******** ******, a***** *********** [**** ** ****** *********] ***** for $*** *** *** ****** ** the ***** *********** **** ***** (****: IPVM *** *** ***** ******** ******). However, *** **** **** ** ********** to *** *** **** ********* ** run, **** ******* ******* ** *********, often ************* ******* **-***** ********* ** the ******** ****** ***** **** (*** our**** ***** ****).

ONVIF's **************

***** *** ** ****** *** ***** and *********** ****** ** ** ***** people ** ***** ****. *** ***** ONVIF ********* **** ********, ** ** also ******* ********** ******* ** *********** problems **** *** ********* ********** ** its **** **** ******** ** ************* abusing ***** ***********.

Comments (41)

You are right again. It's very disappointing when you see all these impressive advantages Onvif "S" can bring to installers and maintenance companies, multibrand decoders, thin clients ... all you can test by yourself with Onvif device manager that IPVM already mentioned (I'm using it all the time to see who is really and who isn't really compliant). A good vision but without strict rules and regulation, but nothing to replace it as a credible alternative ...

Marc, as a point of clarification to others, the ONVIF Device Manager (DM) is a different program than the ONVIF test tool (the focus of the post above).

ONVIF DM is quite useful, free, widely available and instantly displays ONVIF information from cameras but is not an official ONVIF application nor does it validate conformance.

By contrast, the ONVIF test tool requires ONVIF membership, and will attempt to validate conformance but is time consuming and does not provide basic information in a simple format.

Yes, thanks John, I know. But for quick dummy testing and during training it's quite useful at my level.

Could this be an opportunity for IPVM?

I think ONVIF needs to take the first step and be aggressive about companies who are publicly misrepresenting their conformance.

Here's an example from the first page of Google results for 'ONVIF conformance'. The company, Golbong, claims ONVIF 2.0 conformance "guaranteeing interoperability between network video products regardless of manufacturer." I can't find any conformance record or listing of them even as an ONVIF member.

It would not take much work for them to use Google, find people misrepresenting them and send them a form 'Cease and Desist' Letter. If they don't take it down within a month, create a warning page on the ONVIF site listing non conformant products.

I am not sure what we can do if ONVIF is going to essentially do nothing.

Speaking for the devil here, there are many protocols today, SMTP and TCP come to mind, that are not tightly controlled nor corporate IP, and yet vendors adhere. Why?

On the other hand, there can be significant dangers in exercising too tight of control on a nascent standard, witness wireless usb, which was stalled until moot by continual infighting...

As for Axis and conspiracy, could it really be the case that Axis is now trying to kill Frankenstein?

Rukmini, the difference between TCP and ONVIF is that ONVIF has a testing / conformance process that one must go through before being able to claim 'ONVIF conformance'.

So ONVIF already has the policy in place, it just weakly (or not at all) enforces it.

Also, TCP is ~30 years old where ONVIF is ~5, so there's a big difference in vintage / maturity there.

Rukmini, the difference between TCP and ONVIF is that ONVIF has a testing / conformance process that one must go through before being able to claim 'ONVIF conformance'.

Premise is assuming the conclusion; my question is why do some standards flourish without strong and centralized compliance?

Also, TCP is ~30 years old where ONVIF is ~5, so there's a big difference in vintage / maturity there.

Right, although it never had a hard compliance even 30 years ago.

Maybe JSON would be a current example, if you're familiar with it. Maybe the answer is that ONVIF is more like HDMI than JSON, due to the fact that when you're making 'real hardware devices' like cameras and TVs, as opposed to virtual web services, you can't easily take a fix-it-as-you-go approach.

Also though you clearly are disappointed with ONVIF's direction on this matter, do you have any opinion on the reason for them not wanting to be a policing organization?

Comparing JSON to ONVIF is like comparing a bicycle to an airplane. There's a lot, lot less going on in the JSON specification than ONVIF, so it's far easier to make it work without policing.

Can you clarify? I do not understand: "Do you have any opinion on the reason for access not wanting to be a policing organization?"

There's another big reason protocols like TCP and SNMP have succeeded: if they're not implemented properly, who's going to use it? Imagine if Cisco sold switches where TCP didn't work. Gear was based on standards (and proprietary variants, which mostly faded) from the beginning.

The same argument can be made for the cameras, that people won't use them if they're not ONVIF conformant, but even the $30 non-conformant "ONVIF" cameras we tested were still usable via RTSP when ONVIF didn't work, which seemingly was implemented right. If it's a bigger manufacturer, chances are there's a direct driver (e.g. Arecont). So there's far less downside to a camera manufacturer faking ONVIF for marketing, but implementing RTSP.

Can you clarify?

Restated: Do you have a theory as to why ONVIF is taking this stance, besides the superficial "because they are not interested in policing their standard". Is there some unstated driver?

As you might agree, standards organizations usually talk tough, but then can often be lax in enforcement. In this case they seem to be taking the 'low' road purposefully. How is the vision defined at ONVIF? Is the chairman a 'cult of personality'?

I am not privy to the secrets of the ONVIF Illuminati....

My guess is that it is a product of them being almost entirely a collection of manufacturers:

  • Because they are manufacturers, not integrators or end users, they do not feel the pain as immediately when things do not work so they tend to underappreciate the importance of policing.
  • Because they are manufacturers, they are reluctant to police / criticize other manufacturers as it could damage the 'coalition' and violates a standard practice in this industry of non confrontation amongst manufacturers

My guess is that it is a product of them being almost entirely a collection of manufacturers:

Maybe there's a little more to it than that, look at HDMI, also run by a collection of mfrs. (not the studios as often believed). Difference? HDMI charges a non-trivial .04 to .15 cents per connector per device. Mfrs would balk at paying anything per connector if interoperability was not insured.

HDMI is therefore selling a product and enforcement becomes a priority. Royalties pay for enforcement. No royalties, no enforcement. Your TV always works with your blu-ray and your ptz doesn't always work with your VMS.

Rukmini, the HDMI example of charging per connector is interesting. I am sure if ONVIF could / did charge per connector, they would have more funds to 'police' (though it might sour overall adoption).

That said, it still strikes me that they could take low cost steps, if simply through publicity and a few examples to motivate manufacturers not to cheat.

For instance, this is my rationale behind periodically publicizing the Reminder: Promotions Using IPVM Are Never Allowed.

Manufacturers could have paid maybe 50¢ to a $1.00 as a royalty per ONVIF device and that would have provided plenty for enforcement. Think of the thousands of cameras sold per day probably.

The name and logo for ONVIF should have been trademarked like USB and Bluetooth, though maybe it is, and trademark licensed only to compliant entities and products.

.... and the industry takes two steps backwards.

I have been trying to come up with a similar example to ONVIF in another industry, where market enthusiasm was so high, everyone seems to agree that it is a net good, and then it seemingly is left vulnerable to becoming irrelevant due to lack of policing.

I have no idea how much developing ONVIF has cost the industry, but I'll assume it hasn't been trivial. You would think the 'fathers' here would move to protect their investment through (even provisional) policing of the ranks.

I can think of one: kosher certification in the food industry.

Kosher standards are subject to extremely high levels of consumer enthusiasm, and consumers are willing to pay quite a hefty premium for kosher food, yet for a very long time, not only was there no central agency certifying food as kosher, there were (and are) multiple competing definitions as to what kosher actually means. Add uneducated consumers into the mix (the laws of kosher are confusing and require months or years of intense study), and you've got a recipe for well-meaning incompetence and outright fraud.

Between the late 15th century, with the establishment of the first independent kosher butcher- that is, a butcher not working under the auspices of a rabbi, synagogue, or Jewish communal organization and instead choosing to self certify as "kosher"- and the early twentieth century, when certifying organizations were first founded, the kosher consumer suffered fraud, scandals, bribery, high prices, scarcity, government investigations, organized crime involvement, and even a riot.

Eventually, several organizations established themselves to certify the kosher status of food. For a fee, a butcher or a restaurant owner could have one of these organizations affirm that they were adhering to all kosher laws. This required that the certifying agency inspect the product regularly, give insight during the product development process, quickly correct any problems that arose from honest mistakes in the production process, and swiftly and publicly withdraw their certification upon discovery of any dishonesty on the part of the food producer. It also required the certification agencies cultivate a reputation for honesty, product knowledge, and integrity. And of course all this would be worthless without the consumer demanding strict certification standards, refusing to purchase uncertified goods, and being willing to pay for the privilege. In all, kosher certification is an interesting look into a private and voluntary regulatory system that works well.

This book is a good introduction to the history of kosher supervision of mass produced food and the kosher certification industry.

I think the parallels between ONVIF certification and kosher certification of food are clear. There are too many upsides and absolutely no downsides to cheating, and customers demand it and are upset to find they've been cheated but other than shopping at a few well known vendors there's not much they can do to ensure compliance. A third party that will ensure compliance and certify ONVIF compliant products would fill a need in the market, if consumers can be persuaded to pay for it and punish non conformant camera manufacturers.

"A third party that will ensure compliance and certify ONVIF compliant products would fill a need in the market, if consumers can be persuaded to pay for it and punish non conformant camera manufacturers."

Ari, but why does not the ONVIF organization play that role? Unlike Kosher, there is a single governing body deciding what is 'ONVIF' conformance? They have the knowledge, it's their spec and their trademark, no?

They don't because they don't. I agree that they should, but there's no reason an industry association- ASIS?- can't step in to do what needs doing.

You mean the same ASIS who lives off manufacturer payments for exhibiting and advertising is going to police those manufacturers?

Let's say an industry association was even willing, who pays them and how are they going to enforce it? e.g., ASIS finds that CrappyCam is lying about their ONVIF conformance? What can they even do? It's not ASIS' trademark to even enforce?

A third party certification body wouldn't have to endorse a trademark, they'd just have to withdraw their endorsement. They could and should explain why- it isn't as ONVIF as we thought, the new firmware breaks the WDR, widespread reports of failures after a year, whatever- but my kosher certification metaphor was intended to illustrate that there's nothing stopping an organization from endorsing products that conform to their standards, even if it isn't strictly speaking, any of their business.

Of course, everything has to be open and above board and not just transparent but publicized- kosher certification agencies are quite open to admit when they withdraw a certification due to, for example, a disagreement over fees (a business decision that should leave everyone with no hard feelings), and they'll publicize it in their journals and websites. This is to forestall accusations of bribery, corruption, and the general chicanery to which every organization is subject.

Maybe me and a bunch of trunkslammers I know should get together every fourth Wednesday and eat hot wings and drink beer and play with cameras, and publish our results in a blog or something. We can call ourselves the Chicken Wing Bench Test Club (CWBTC), and publish our results for free but charge manufacturers for the right to use our logo. Maybe another competing group, calling themselves the Nacho Eating Trunkslammers Society (NETS) can publish a competing listing of tested cameras, with somewhat different benchmarks, to keep us honest, and integrators can decide for themselves which set of standards they find most appropriate.

Should ONVIF police their own trademark? Absolutely, but the history of kosher certification shows that having the manufacturers certify themselves, or create an industry based certification group, is a bad idea because 1) inspection and testing is hard work that the manufacturers have little incentive to do well, and 2) it only takes one greedy or incompetent manufacturer to invalidate the work of the entire certification body even if the rest of the organization is trying as hard as it can.

I am late to the discussion Brian but a perfect example in another industry is the wifi alliance for wireless access points: Wi-Fi.org

...but a perfect example in another industry...

A perfect example of a comparable standards body or a perfect example of where ONVIF should aspire to be? Unlike ONVIF, the WiFi Alliance is very serious about their Logo being misused. They also have far more financial resources due to the fees. About the same number of members but WFA charges $15,000 per annum vs. $1,000 per annum. You also have to pay per device to an independent lab to have it certified. John might argue the spec itself is broader also, and that brings resultant costs.

Perfect example of what they should be or model themselves as is what I meant but did not say. To be honest until this IPVM article I assumed that ONVIF was similar to Wifi.

Jason, thanks. The Wi-Fi alliance's approach is an interesting counter example.

Rukmini, I don't know enough about how they work to have an opinion.

As for ONVIF, higher member pricing and independent testing would certainly result in better performance / fewer issues. Would our industry pay? I don't know but some steps in that direction, combined with a genuine public effort to public their brand would certainly help.

It occurs to me that maybe the incentive to police conformance is small because the problem is small. Yes, at IPVM we find cameras which claim conformance but clearly are not, from companies who aren't even members. But we seek them out.

Does the average integrator routinely run into this? The average end user? Would the ONVIF response be different if say, Hikvision or Arecont (random examples, not implying any wrongdoing) were claiming conformance but not actually implementing the spec?

I would think the lack of across-the-board motion detection is a bigger issue at the moment than falsely conformant product, but the threat is definitely there as more of these cameras pop up.

Whatever the case, I guess the lesson is integrators, dealers, consultants (like Mr Silva) and installers never could or should rely on claimed conformance.

They will have to, if they are smart and don't want to be accused of reckless non-due diligence, get statements from both ends of the device manufacturers being connected that this device will work connected to that device or system if the make and model is not specifically on a compatibility list, and not rely on both ends claiming ONVIF conformance version whatever.

Official ONVIF Response:

ONVIF is a member driven organization steering the physical security towards a goal of sharing one interface. Whilst ONVIF does not proactively monitor the marketplace for nefarious activity, it does respond to claims of non conformance and misuse of the ONVIF name and logo. That activity may not always be entirely transparent to the industry, as there may be legal avenues being pursued.

The process of handling disputes of conformance is documented here.

As you can see, we first of all encourage collaboration between members with a dispute and the manufacturer of the product. If that does not resolve the issue, a formal complaint can be lodged with the ONVIF office, whereupon action will be taken by the ONVIF Executive Director and the committees.

So how does that jive with the Chairman's response to not policing compliance..?

In a non-transparent sorta way it jives...

Official ONVIF Response:

In the video the ONVIF Chairman references a new Observer level of membership ONVIF has created. This is the first member level not aimed at device manufacturers or system providers. We are inviting system specifiers, consultants, a&e's, the media and other influential market players to become ONVIF Observer Level members so they too can help drive the standard forward. The successful conclusion of situations where devices or companies are using claims of conformance or the ONVIF brand incorrectly is vital for the success of ONVIF moving forward. We expect the new level of membership to be key to greater consistency and clarity on what it means to have an ONVIF logo on a product.

There are always a few different approaches that can be taken to address the same problem. ONVIF's approach is one of collaboration and partnership with the industry and its members.

In all honesty that sounds like a non-answer answer. Or, are they saying people should apply to be able to report non or erroneous compliance with ONVIF specification and do the work themselves? Are they looking at reporting being a crowd-sourced effort? And if so, it doesn't answer the question about enforcement? The video implies there will be no enforcement or action taken against illegitimate claims of ONVIF conformance. And with no enforcement, counterfeiting per se can be done with impunity.

Look at UL, for example, they take steps to prevent counterfeiting for non-conforming and unauthorized UL labelled products.

"Enforcement

UL's enforcement strategy relies heavily on the involvement and support of the law enforcement agencies that can seize products, lay criminal charges and ultimately prosecute counterfeiters. The foundation of our partnerships with law enforcement agencies is UL's zero tolerance policy for counterfeiters. The policy states:

It is the policy of UL not to consent to the importation, exportation, or manipulation of merchandise that has been seized by U.S. Customs or any other international law enforcement agency for bearing counterfeit UL Certification Marks.

This policy is uniformly applied and is considered reasonable and necessary in order to protect the integrity of UL's Registered Marks.

UL does not compromise or negotiate with respect to this policy."

Granted Underwriters Laboratories is a much larger and established organization. But they probably wouldn't have gotten anywhere if their attitude from the beginning was "we're not a policing organization".

Official ONVIF Response:

"The video implies there will be no enforcement or action taken against illegitimate claims of ONVIF conformance."

I can understand how you could conclude that, but I do want to reassure you that is not the case. There is a process for handling this within the ONVIF organization as outlined in the conformance policy. You could consider the discovery of these issues to be crowd sourced, but the enforcement action is handled by the ONVIF office at the direction of the committees.

...but the enforcement action is handled by the ONVIF office at the direction of the committees

Reassuring to hear.

Could you provide a rough tally to-date of reported illegitimate claims and corresponding enforcement action(s)? Just totals, no incident/vendor identifying information needed...

Und B Manf, that sounds a little more reassuring, but can you understand how we got here? The Chairman for ONVIF makes a statement sounding explicitly contradictory to the statement you make about there actually being enforcement done by a committee. Can you cite any specific documents, web page information, or as Rukmini inquired too, cases where actual enforcement was at least attempted?

Please believe neither I nor anyone else here I think is trying to be argumentative. But we have on video, in the Chairman's own words, something that can easily be interpreted as meaning no enforcement. At that level, any reasonable counter in my opinion would have to be some sort of official retraction (did the Chairman just misspeak? Was it a language issue?), or some sort of citation to the contrary. And while I do not intend to imply any intentional misdoing on your part, an anonymous Undisclosed post (which I respect, and do myself from time to time, so yes, Alex, I am a real person who occasionally posts Undisclosed and am not an IPVM avatar) doesn't qualify strongly as an appropriate level counter.

Luis, to clarify, I asked him to post undisclosed because, like pretty much everyone in ONVIF, he is an employee at a manufacturer (not Axis) and this would have confused the issue. In this context, he is not representing a specific manufacturer but the ONVIF committee.

I agree that ONVIF would benefit from answering more specifically to the concerns and questions raised but the choice of undisclosed is not to hide anything, but to avoid confusion.

I can understand there can be reasons for posting undisclosed and that is why I went through lengths to explain that I was not trying to imply there was an improper intent, and it's good of you to speak on their behalf. But that is only good for the IPVM world here. The rest of the security world outside of IPVM needs and should get an official retraction, correction or clarification from the ONVIF committee because anyone who watches that video can get the wrong idea.

I don't think security manufacturers of the industry in general are really appreciating the situation they are in. All it will take is someone like a Google or Apple to sweep in offering interoperability and compatibility between the main 3 areas of security (surveillance, access and alarm), or an existing security manufacturer with the resources to do it and execute it right, and they will decimate everyone else. Maybe I'm being alarmist, I never claimed to be the smartest person around, so time will tell.

I'd wait on line to buy a camera designed and built by Apple.

...an existing security manufacturer with the resources to do it and execute it right, and they will decimate everyone else...

Surely many have tried, even with no ONVIF, and many others are trying to do so with no decimation in sight...

I'd wait on line to buy a camera designed and built by Apple.

Not me Ari, but

I'd wait online to buy a camera designed and built by Apple.

Ha! Wordplay.
